dpkt_pcap_reader_ethernet_ip_packet_decoder.py
This example demonstrates how to open a PCAP file, iterate through its packets, and decode each packet's Ethernet and IP headers.
dpkt_pcap_reader_ethernet_ip_packet_decoder.py
import datetime
import socket

import dpkt
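def print_pcap(pcap_file):
    """
    Print a short summary of every packet in a pcap file.

    For each record the capture timestamp (UTC) and the Ethernet source MAC,
    destination MAC and EtherType are printed. When the frame carries an IPv4
    packet, its source and destination addresses, total length, TTL and
    fragmentation fields are printed as well; any other payload is reported
    and skipped.

    Capture files are untrusted input: a frame too short or too damaged to
    decode is reported and skipped instead of aborting the whole run.

    Args:
        pcap_file: Path of the capture file to read with dpkt.pcap.Reader.
    """
    with open(pcap_file, 'rb') as f:
        pcap = dpkt.pcap.Reader(f)

        # NOTE(review): every record is decoded as Ethernet and the capture's
        # link type (pcap.datalink()) is never consulted, so the output is only
        # meaningful for Ethernet captures.
        for timestamp, buf in pcap:

            # utcfromtimestamp() is deprecated since Python 3.12. Build an aware
            # UTC datetime and drop tzinfo so the printed text is unchanged.
            # float() presumably also covers non-float timestamps some dpkt
            # versions may yield -- TODO confirm against the installed version.
            when = datetime.datetime.fromtimestamp(
                float(timestamp), tz=datetime.timezone.utc).replace(tzinfo=None)
            print('Timestamp: ', str(when))

            # Unpack the Ethernet frame. A truncated or malformed record must
            # not stop the remaining packets from being processed.
            try:
                eth = dpkt.ethernet.Ethernet(buf)
            except dpkt.dpkt.UnpackError as exc:
                print('Malformed Ethernet frame skipped: %s\n' % exc)
                continue
            print('Ethernet Frame: ', eth.src.hex(), eth.dst.hex(), eth.type)

            # Only IPv4 payloads are decoded further
            if not isinstance(eth.data, dpkt.ip.IP):
                print('Non IP Packet type not supported %s\n' % eth.data.__class__.__name__)
                continue

            ip = eth.data

            # Flags and fragment offset share the single 'off' field
            do_not_fragment = bool(ip.off & dpkt.ip.IP_DF)
            more_fragments = bool(ip.off & dpkt.ip.IP_MF)
            fragment_offset = ip.off & dpkt.ip.IP_OFFMASK

            # ip.src / ip.dst are packed 4-byte values; render them as dotted
            # quads instead of printing the raw bytes repr.
            print('IP: %s -> %s (len=%d ttl=%d DF=%d MF=%d offset=%d)\n' % (
                socket.inet_ntoa(ip.src), socket.inet_ntoa(ip.dst), ip.len,
                ip.ttl, do_not_fragment, more_fragments, fragment_offset))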
if __name__ == '__main__':
    # Deliberately a no-op when run as a script. To try the decoder, put a
    # capture named 'test.pcap' in the working directory and call:
    #     print_pcap('test.pcap')
    pass