使用 DPKT python 检查数据包是否包含 Ethe.net 层或原始 IP 数据包

Question

I have a some pcap files that I need to extract some information from, those packets are mixed, some are Raw IP and others contains ethe.net frames.

I need to conditionally check for the type of packet before parsing as the packets with ethe.net frames could be parsed with:

for ts, buf in pkts:
    if buf contains_ethernet:
        eth = dpkt.ethernet.Ethernet(buf)
        if eth.type == dpkt.ethernet.ETH_TYPE_IP:
            ip = eth.data
        else:
            continue
    else:
        ip = dpkt.ip.IP(buf)

How can I define the contains_ethe.net as a boolean or a condition?

Answer 1

The pcap header file defines the link type of the capture (Ethe.net, Raw IP, ...)

Before processing the packet, you shoud use datalink() of your dpkt.pcap.Reader() object to get the link type of your pcap file. According to your script example:

if <<dpkt.pcap.Reader>>.datalink() == LINKTYPE_ETHE.NET: ## Process Ethe.net frame elif <<dpkt.pcap.Reader>>.datalink() == LINKTYPE_RAW: ## Processs Raw IP datagram else: ## Other link types

Here is the list of link types: http://www.tcpdump.org/linktypes.html

With values LINKTYPE_ETHE.NET for Ethe.net and LINKTYPE_RAW for Raw IP