Reading PCAP file with scapy

Krystian picture Krystian · Mar 22, 2017 · Viewed 26.1k times · Source

I have about 10GB pcap data with IPv6 traffic to analyze infos stored in IPv6 header and other extension header. To do this I decided to use Scapy framework. I tried rdpcap function , but for such big files it is not recommended. It tries to load all file into memory and get stuck in my case. I found in the Net that in such situation sniff is recommended, my code look like:

def main():
   sniff(offline='traffic.pcap', prn=my_method,store=0)


def my_method(packet):
   packet.show()

In function called my_method I receive each packet separately and I can parse them, but.... When I call show function with is in-build framework method I got sth like this: result

When opened in wireshark I got properly looking packet: result2

Could you tell me how to parse this packets in scapy to get proper results?

EDIT: According to the discussion in comments I found a way to parse PCAP file with Python. In my opinion the easies way is to use pyshark framework:

import pyshark
pcap = pyshark.FileCapture(pcap_path) ### for reading PCAP file

It is possible to easily iterate read file with for loop

for pkt in pcap:
    #do what you want

For parsing IPv6 header following methods may be useful:

pkt['ipv6'].tclass            #Traffic class field
pkt['ipv6'].tclass_dscp       #Traffic class DSCP field
pkt['ipv6'].tclass_ecn        #Traffic class ECN field
pkt['ipv6'].flow              #Flow label field
pkt['ipv6'].plen              #Payload length field
pkt['ipv6'].nxt               #Next header field
pkt['ipv6'].hlim              #Hop limit field

Answer

coder picture coder · Sep 13, 2017

Update

The latest versions now support ipv6 parsing. So to parse an ipv6 ".pcap" file with scapy now it can be done like so:

from scapy.all import *

scapy_cap = rdpcap('file.pcap')
for packet in scapy_cap:
    print packet[IPv6].src

Now as I had commented back when this question was originally asked, for older scapy versions (that don't support ipv6 parsing):

  • pyshark can be used instead (pyshark is a tshark wrapper) like so:

import pyshark

shark_cap = pyshark.FileCapture('file.pcap')
for packet in shark_cap:
    print packet.ipv6.src
  • or even of course tshark (kind of the terminal version of wireshark):

$ tshark -r file.pcap -q -Tfields -e ipv6.src