dpkt_pcap_file_reader_with_ethernet_ip_packet_parsing.py
Python. This example opens a PCAP file, iterates over each packet, and prints the timestamp.
dpkt_pcap_file_reader_with_ethernet_ip_packet_parsing.py
import datetime
import socket

import dpkt
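def print_packets(pcap):
    """Print the timestamp, Ethernet header and IPv4 header of each packet.

    Every record is decoded as an Ethernet frame, whatever link type the
    capture declares, so feed this only Ethernet captures. Frames that cannot
    be unpacked and frames that do not carry IPv4 are reported and skipped,
    so a single bad record in an untrusted capture does not end the run.

    Args:
        pcap: dpkt pcap reader object (dpkt.pcap.Reader), or any iterable of
            (timestamp, raw_frame_bytes) pairs.
    """
    for timestamp, buf in pcap:
        # Timezone-aware conversion: datetime.utcfromtimestamp() is deprecated
        # since Python 3.12 and returned a naive value with no UTC marker.
        when = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc)
        print('Timestamp: ', str(when))

        # Unpack the Ethernet frame (mac src/dst, ethertype). Capture files are
        # untrusted input: a truncated or corrupt frame raises an unpack error,
        # which is reported here instead of aborting the whole loop.
        try:
            eth = dpkt.ethernet.Ethernet(buf)
        except dpkt.dpkt.UnpackError as exc:
            print('Malformed Ethernet frame skipped: %s\n' % exc)
            continue
        print('Ethernet Frame: ', eth.src.hex(':'), eth.dst.hex(':'), eth.type)

        # Only IPv4 payloads are decoded below; anything else (ARP, IPv6,
        # undecoded bytes) is named and skipped.
        if not isinstance(eth.data, dpkt.ip.IP):
            print('Non IP Packet type not supported %s\n' % eth.data.__class__.__name__)
            continue
        ip = eth.data

        # Flags and fragment offset share the 16-bit `off` field. The masked
        # offset is the raw header value, counted in 8-byte units.
        do_not_fragment = bool(ip.off & dpkt.ip.IP_DF)
        more_fragments = bool(ip.off & dpkt.ip.IP_MF)
        fragment_offset = ip.off & dpkt.ip.IP_OFFMASK

        # ip.src / ip.dst are 4 packed bytes; render them as dotted-quad
        # IPv4 addresses rather than colon-separated hex.
        print('IP: %s -> %s (len=%d ttl=%d DF=%d MF=%d offset=%d)\n' % (
            socket.inet_ntoa(ip.src),
            socket.inet_ntoa(ip.dst),
            ip.len,
            ip.ttl,
            do_not_fragment,
            more_fragments,
            fragment_offset,
        ))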
def test():
    """Read 'test.pcap' from the working directory and print its packets."""
    with open('test.pcap', 'rb') as capture_file:
        # The reader consumes the file lazily, so iterate while it is open.
        print_packets(dpkt.pcap.Reader(capture_file))
# Run the demo only when executed as a script, not when imported.
if __name__ == "__main__":
    test()