Get IP addresses from PCAP file in scapy

reox · Nov 20, 2013 · Viewed 8.2k times

Is there a smart and fast way to get all IP addresses from a PCAP file? I need only (destination address, source address) tuples.

Currently I'm using Scapy's rdpcap function like this:

from scapy.all import *
pcap = rdpcap('file.pcap')

ips = set([(p[IP].fields['src'], p[IP].fields['dst']) for p in pcap if p.haslayer(IP) == 1])

But it takes about two minutes on my machine to parse a 70MB PCAP file with 370 unique extracted entries...

Answer

Pierre · Jan 25, 2014

The "best" way to do what I think you want (based on the code you provided, I suppose you want the couples (IP source address, IP destination address) rather than IP packets) is:

>>> set((p[IP].src, p[IP].dst) for p in PcapReader('file.pcap') if IP in p)

You don't waste memory with the whole PCAP file, the set object is built packet by packet.

If it's not fast enough, you can instruct Scapy not to dissect packets after the IP layer since you don't use the IP payload:

>>> IP.payload_guess = []

And then run the previous command.
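
The answer's idea of not dissecting past the IP layer can be taken one step further by reading only the two address fields out of each raw frame. The following is an added example, not part of the original answer and not Scapy code: a standard-library parser for classic pcap files with Ethernet link type, where `ip_pairs` and `sample_pcap` are names chosen here and the capture bytes are constructed.

```python
import socket
import struct

# Classic pcap magic numbers (microsecond and nanosecond variants) -> struct byte order.
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def ip_pairs(stream):
    """Set of (src, dst) IPv4 pairs from a classic pcap stream of Ethernet frames."""
    head = stream.read(24)
    end = MAGIC.get(head[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", head[20:24])[0] != 1:
        raise ValueError("only link type 1 (Ethernet) is handled")
    pairs = set()
    while True:
        rec = stream.read(16)                       # ts_sec, ts_frac, incl_len, orig_len
        if len(rec) < 16:
            break                                   # clean EOF or truncated record header
        incl_len = struct.unpack(end + "I", rec[8:12])[0]
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            break                                   # capture cut off mid-packet
        off = 12                                    # EtherType follows the two MACs
        while frame[off:off + 2] == b"\x81\x00":    # skip 802.1Q VLAN tag(s)
            off += 4
        if frame[off:off + 2] != b"\x08\x00":       # not IPv4 (ARP, IPv6, ...)
            continue
        ip = frame[off + 2:off + 22]                # fixed 20-byte IPv4 header
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue                                # short or malformed header
        pairs.add((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])))
    return pairs

def sample_pcap():
    """Constructed capture: three IPv4 frames (one VLAN-tagged, one duplicate) and one ARP."""
    def frame(src, dst, vlan=False):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tag = b"\x81\x00\x00\x0a" if vlan else b""
        return b"\x00" * 12 + tag + b"\x08\x00" + ip
    frames = [frame("10.0.0.1", "10.0.0.2"), frame("10.0.0.2", "192.0.2.7", vlan=True),
              b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28, frame("10.0.0.1", "10.0.0.2")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

For a capture on disk, pass a file opened in binary mode, e.g. `ip_pairs(open('file.pcap', 'rb'))`.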