在 Scapy 中读取 pcap 文件的一部分

Question

I've been trying to figure out a way to read a part of a pcap-file using scapy.

Ex: I have a pcap-file with 1000 rows.

Question: Is it possible to read this in 10 pieces, ie read 100 rows sequentially?

The scenario is:

I'm reading multiple pcap files and comparing packets between them. In order to compare packets, I use index and call a specific packet as pkt = packets_from_pcap_file_7[idx] . To use index I need to read the pcap-files with rdpcap(FILENAME.pcap) . However, this function will read the entire pcap-file and cause a MemoryError.

Since I want to compare specific packets from different files, I find it hard to use RawPcapReader(FILENAME.pcap) where I can just iterate through one specific packet at the time as:

packets = RawPcapReader(FILENAME.pcap)
for pkt in packets:
    pkt.doThings

I will post a very slow solution to the problem we're I have to iterate through the entire pcap-file for every packet and iterate to a specified index:

def get_packet(idx):
    packets = RawPcapReader("FILENAME.pcap")
    counter = 0
    for pkt in packets:
        if counter == idx:
            return pkt
        counter += 1

I could split the packets in the linux terminal but since this will be used for others as well, I would like the scripts to do all the job. I think there is a much simpler solution to this, which I've been unable to find. Thanks in advance.

Answer 1

You could probably open all the files without reading them, then iterate through the packets. Something like

files = ["a.pcap", "b.pcap", ......]
fds = [RawPcapReader(x) for x in files]
while True:
    try:
        # get the next packets of all files 
        pkts = [next(x) for x in fds]
        # do something with them
    except EOFError:
        # file has ended
        break
for f in fds:
    f.close()