
Python dpkt can parse Wireshark/pcap files and show packet data successfully:

>>> for ts, pkt in pcap:
...     eth = dpkt.ethernet.Ethernet(pkt)
...     type(eth.data)

<class 'dpkt.ip.IP'>
<class 'dpkt.ip.IP'>

But when I tried to parse the tcpdump file I got the following result:

>>> for ts, pkt in pcap:
...     eth = dpkt.ethernet.Ethernet(pkt)
...     type(eth.data)

<type 'str'>
<type 'str'>
<type 'str'>

From the Python IDE output you can see that type(eth.data) is 'str' instead of class 'dpkt.ip.IP'.
Does anyone know what the root cause is and how to make dpkt work for tcpdump captures?

  • what's your exact `tcpdump` command? are you using `-w`? – Alex P. Jul 28 '15 at 00:49
  • What gets printed if you try to read the file with tcpdump and send the standard output of tcpdump to /dev/null? –  Jul 28 '15 at 04:58
  • @AlexP. yes, I use tcpdump like `tcpdump -i any -w file_name.pcap` – boeingdream Jul 28 '15 at 06:54
  • try adding `-s 65535` to the command line – Alex P. Jul 28 '15 at 06:59
  • @GuyHarris, in original code if I replace `type(eth.data)` with `eth.data`, I get _Call-ID: 818Q1FGVYR\nCSeq: 1 INVITE\nContent-Length: 0\n\nPQ\xb6U\xc6%\x03\x00\xf8\x03\x00\x00\xf8\x03\x00\x00\x00\x06\x00\x01\x00\x06\x8c`Oy\xe4\x01\x00\x00\x08\x00E\x00\x03\xe8\x00\x00@\x00>\x11\nB\n\x02\r\x82\n\x01\r?\x13\xc4\x13\xbd\x03\xd4\x05\x8bSIP/2.0 415 Unsupported Media Type\n_ if I replace it with `print eth.data`, I got Call-ID: 818Q1FGVYR CSeq: 1 INVITE Content-Length: 0 PQᄊUÆ% – boeingdream Jul 28 '15 at 07:02
  • @AlexP. the -s parameter just specifies the snaplen, I don't think it helps on my issue. Anyway I tried. No, it doesn't help. – boeingdream Jul 29 '15 at 11:02
  • I also have this problem. @boeingdream: did you find a solution? Did you switch from the library and if yes, to which one? – robert Jan 26 '16 at 18:43

1 Answer

Sorry about the time you waited for this. I hope you were able to find the answer in less than 4 years.

First of all, I should mention that there are some packets in the net where the ethernet layer is the last layer in them. And because of that you should check that before you go deeper into the packet.

For example:

    import dpkt

    # ether is the dpkt.ethernet.Ethernet object built from the raw packet
    # Check if there is an IP layer before touching it
    if ether.type == dpkt.ethernet.ETH_TYPE_IP:
        # read the IP layer
        ip = ether.data

I am not sure if this is the problem in your case. If you were using the same packets that have an IP layer, for sure it will be the same after you check it. But I hope I will help somehow.

Have a Great Day!

And Good luck.

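The answer above checks the EtherType; the other thing worth checking with a `tcpdump -i any` capture is the link type in the pcap global header, because on Linux `-i any` writes the "cooked" link type (DLT_LINUX_SLL, 113), whose 16-byte header is not an Ethernet header, so parsing every record as `dpkt.ethernet.Ethernet` reads the wrong type field and leaves `data` as raw bytes. The following is an added example, not code from the question or the answer: it uses only the standard library so it runs without dpkt, reads the link type, strips the header that matches it, and shows what a blind Ethernet parse of the same frame sees; with dpkt the equivalent dispatch is `dpkt.pcap.Reader.datalink()` plus `dpkt.sll.SLL` in place of `Ethernet`. The capture bytes are constructed inline.

```python
import struct

# Link-layer types as libpcap defines them in the pcap global header.
DLT_EN10MB = 1        # Ethernet: the header dpkt.ethernet.Ethernet expects
DLT_LINUX_SLL = 113   # Linux "cooked" header, written by `tcpdump -i any`
ETH_TYPE_IP = 0x0800

def pcap_link_type(data):
    """Return (link type, struct byte order) from a classic pcap global header."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"            # little-endian writer (common on x86)
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    return struct.unpack(order + "IHHiIII", data[:24])[6], order

def records(data):
    """Yield (network protocol, network-layer bytes) per record, stripping
    the link-layer header whose length matches the file's link type."""
    dlt, order = pcap_link_type(data)
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if dlt == DLT_EN10MB:        # dst(6) src(6) type(2)
            proto, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
        elif dlt == DLT_LINUX_SLL:   # pkttype(2) hatype(2) halen(2) addr(8) proto(2)
            proto, payload = struct.unpack("!H", frame[14:16])[0], frame[16:]
        else:
            raise ValueError("unsupported link type %d" % dlt)
        yield proto, payload

def as_ethernet(frame):
    """What parsing any frame as Ethernet (the question's loop) would see."""
    return struct.unpack("!H", frame[12:14])[0], frame[14:]

def build_pcap(dlt, frames):
    """Constructed in-memory little-endian pcap file for the demonstration."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, dlt)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: minimal IPv4 header behind a cooked header (addr is a made-up MAC).
IPV4 = bytes.fromhex("4500001400004000400600000a0101010a020202")
SLL_FRAME = struct.pack("!HHH8sH", 0, 1, 6, b"\x02\x00\x00\x00\x00\x01\x00\x00", ETH_TYPE_IP) + IPV4
COOKED_PCAP = build_pcap(DLT_LINUX_SLL, [SLL_FRAME])
```

With the cooked file, `records()` yields protocol 0x0800 and a payload starting with the 0x45 IPv4 byte, while `as_ethernet(SLL_FRAME)` returns type 0 (the two zero padding bytes of the address field) and a payload that starts two bytes before the IP header, which is why dpkt cannot decode it.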