7

With Scapy, when I create a packet and write it to a pcap file, it sets the timestamp of the packet to the current time.

This is my current usage, 1335494712.991895 being the time I created the packet:

>>> a = Ether()/IP(src='1.1.1.1',dst='2.2.2.2')/TCP(sport=1337,dport=31337)
>>> wrpcap('single-tcp-packet.pcap', a)

# tcpdump -tt -r single-tcp-packet.pcap
reading from file single-tcp-packet.pcap, link-type EN10MB (Ethernet)
1335494712.991895 IP 1.1.1.1.menandmice-dns > arennes-651-1-107-2.w2-2.abo.wanadoo.fr.31337: Flags [S], seq 0, win 8192, length 0

How can I specify my own timestamp per packet?

I have seen timestamp mentioned in the docs for setting the TCP timestamp, but it doesn't seem to make a difference to the actual pcap timestamp.

gak

1 Answer

12

Ah! Found it.

Simply:

>>> a.time = 1234567890
>>> wrpcap('single-tcp-packet.pcap', a)

# tcpdump -tt -r single-tcp-packet.pcap
reading from file single-tcp-packet.pcap, link-type EN10MB (Ethernet)
1234567890.000000 IP 1.1.1.1.menandmice-dns > arennes-651-1-107-2.w2-2.abo.wanadoo.fr.31337: Flags [S], seq 0, win 8192, length 0
gak
  • 2
    Gerald, if you would like to maybe see a human-readable version of that timestamp in Scapy, I use this after from datetime import datetime: print datetime.fromtimestamp(pkt.time).strftime('%Y-%m-%d %H:%M:%S').split(' ')[1] – dc5553 Apr 27 '12 at 08:13
  • 1
    @dc5553 this no longer works these days. Just a heads up. 'EDecimal' object cannot be interpreted as an integer – Ethan Z Apr 23 '22 at 01:41
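
The timestamp that `tcpdump -tt` prints is stored in each packet's pcap record header (`ts_sec`, `ts_usec`), not in the TCP layer, which is why the TCP timestamp option has no effect on it. The following is an added example, not part of the original thread and not Scapy's code: a standard-library-only writer and reader for the classic pcap format that sets a timestamp per packet. The function names and the zero-filled frame are assumptions made for illustration.

```python
# Added example: stdlib only, no Scapy. Function names are hypothetical.
import io
import struct
from decimal import Decimal

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond resolution
LINKTYPE_ETHERNET = 1        # reported by tcpdump as EN10MB

def split_timestamp(ts):
    """Split epoch seconds into (ts_sec, ts_usec) without float rounding."""
    d = Decimal(str(ts))
    sec = int(d)                          # whole seconds
    usec = int((d - sec) * 1_000_000)     # fractional part as microseconds
    return sec, usec

def write_pcap(fh, packets):
    """packets: iterable of (timestamp, frame_bytes) pairs."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                         LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec, usec = split_timestamp(ts)
        # Record header: ts_sec, ts_usec, captured length, original length
        fh.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        fh.write(frame)

def read_timestamps(fh):
    """Return each record's timestamp as Decimal epoch seconds."""
    magic, = struct.unpack("<I", fh.read(4))
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    fh.read(20)                           # rest of the 24-byte global header
    stamps = []
    while True:
        hdr = fh.read(16)
        if len(hdr) < 16:                 # end of file
            break
        sec, usec, caplen, _origlen = struct.unpack("<IIII", hdr)
        fh.read(caplen)                   # skip the frame bytes
        stamps.append(Decimal(sec) + Decimal(usec) / 1_000_000)
    return stamps

def demo():
    frame = bytes(60)                     # constructed placeholder frame
    buf = io.BytesIO()
    write_pcap(buf, [(1234567890, frame), ("1335494712.991895", frame)])
    buf.seek(0)
    return read_timestamps(buf)
```

Reading the values back as `Decimal` keeps the full microsecond precision, which a plain `float` conversion can lose when timestamps are later compared or correlated with log entries.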