11

I have about 10GB of pcap data with IPv6 traffic and want to analyze the information stored in the IPv6 header and the other extension headers. To do this I decided to use the Scapy framework. I tried the rdpcap function, but for such big files it is not recommended: it tries to load the whole file into memory and got stuck in my case. I found on the Net that in such a situation sniff is recommended; my code looks like:

    from scapy.all import sniff

    def main():
        # offline= reads a capture file; store=0 keeps sniff from retaining every packet in memory
        sniff(offline='traffic.pcap', prn=my_method, store=0)

    def my_method(packet):
        packet.show()

    main()

In the function called my_method I receive each packet separately and I can parse them, but.... When I call the show function, which is an in-built framework method, I get something like this: result

When opened in Wireshark I get a properly looking packet: result2

Could you tell me how to parse these packets in scapy to get proper results?

EDIT: According to the discussion in the comments I found a way to parse a PCAP file with Python. In my opinion the easiest way is to use the pyshark framework:

    import pyshark
    pcap = pyshark.FileCapture(pcap_path)  # for reading a PCAP file

It is possible to easily iterate over the read file with a for loop:

    for pkt in pcap:
        pass  # do what you want with each packet

For parsing the IPv6 header the following attributes may be useful:

pkt['ipv6'].tclass            #Traffic class field
pkt['ipv6'].tclass_dscp       #Traffic class DSCP field
pkt['ipv6'].tclass_ecn        #Traffic class ECN field
pkt['ipv6'].flow              #Flow label field
pkt['ipv6'].plen              #Payload length field
pkt['ipv6'].nxt               #Next header field
pkt['ipv6'].hlim              #Hop limit field
Krystian
  • @coder I understand that Wireshark shows the packet in a different way and I'm okay with that. But look at the src IP address and how it is parsed by scapy - as far as I know it's not okay, but maybe I'm not right. – Krystian Mar 23 '17 at 20:50
  • oh, yes you are right - I missed the **ipv6** part. – coder Mar 23 '17 at 22:27
  • I opened a bug issue on the scapy GitHub page (https://github.com/secdev/scapy/issues/579). @coder you mentioned that using Wireshark will be more efficient. My goal is to take every value of the header and do some statistics job - is Wireshark able to perform this type of activity? – Krystian Mar 24 '17 at 08:33
  • As far as I know there are scripts and tools related to Wireshark that help do this kind of job, such as `capinfos` and `tshark`, but I haven't used them much in the past - but I think they can be used to do statistical analysis. You can find them here: https://wiki.wireshark.org/Tools – coder Mar 24 '17 at 14:02
  • For example you could dump all `source ips` with the command: `tshark -T fields -e ip.src -r your_file.pcap`, or by changing `ip.src` to `ip.dst` you could parse dst ips (it is very similar to scapy). There are also many other fields to try (like: frame.time, dns.qry.name, tcp.port and many other `wireshark fields`) – coder Mar 24 '17 at 14:12
  • @coder Thanks a lot for your help. I will look carefully at tshark :) – Krystian Mar 24 '17 at 15:53
  • I forgot to mention that there is also a python tshark wrapper (**pyshark**) here: https://github.com/KimiNewt/pyshark – coder Mar 24 '17 at 17:00
  • For example you could do: `import pyshark`, `cap = pyshark.FileCapture('v6.pcap')`, and then `for packet in cap: print(packet.ipv6.src)` – coder Mar 24 '17 at 17:19
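The question and its EDIT list the IPv6 header fields to collect (traffic class with DSCP/ECN, flow label, payload length, next header, hop limit) but leave the header layout and the extension-header chain implicit. The following added example, which is not part of the original question and not Scapy or pyshark code, uses only the Python standard library: it streams a classic pcap file record by record (so a multi-gigabyte file is never loaded whole), decodes the IPv6 fixed header into those fields, walks the extension-header chain by its Next Header / Hdr Ext Len rules (RFC 8200), and aggregates counters of the kind the asker wants for statistics. The sample capture it writes is constructed inline, not real traffic; the addresses, ports and temporary file are illustrative assumptions.

```python
import ipaddress
import os
import struct
import tempfile
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV6 = 0x86DD
# Extension header types from the IPv6 Next Header registry; 59 = "no next header".
EXT_HOPBYHOP, EXT_ROUTING, EXT_FRAGMENT, EXT_AH, EXT_DESTOPT, NH_NONE = 0, 43, 44, 51, 60, 59
EXT_NAMES = {EXT_HOPBYHOP: "hop-by-hop", EXT_ROUTING: "routing", EXT_FRAGMENT: "fragment",
             EXT_AH: "ah", EXT_DESTOPT: "dest-opt"}


def pcap_records(path):
    """Yield (ts_sec, ts_usec, frame) from a classic pcap file one record at a time."""
    with open(path, "rb") as f:
        ghdr = f.read(24)
        if len(ghdr) < 24:
            raise ValueError("truncated pcap global header")
        magic = struct.unpack("<I", ghdr[:4])[0]
        if magic == PCAP_MAGIC:
            endian = "<"
        elif magic == 0xD4C3B2A1:
            endian = ">"
        else:
            raise ValueError("not a classic pcap (magic %#x); pcapng needs a different reader" % magic)
        if struct.unpack(endian + "I", ghdr[20:24])[0] != LINKTYPE_ETHERNET:
            raise ValueError("only Ethernet link type handled here")
        while True:
            rhdr = f.read(16)
            if len(rhdr) < 16:
                return
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rhdr)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                return                       # truncated final record: stop, do not guess
            yield ts_sec, ts_usec, frame


def parse_ipv6(frame):
    """Decode the IPv6 fixed header and extension chain of an Ethernet frame; None if not IPv6."""
    if len(frame) < 14 + 40 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    off = 14
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", frame[off:off + 8])
    if vtcfl >> 28 != 6:
        return None
    tclass = (vtcfl >> 20) & 0xFF
    info = {"tclass": tclass, "dscp": tclass >> 2, "ecn": tclass & 0x3, "flow": vtcfl & 0xFFFFF,
            "plen": plen, "nxt": nh, "hlim": hlim,
            "src": ipaddress.IPv6Address(frame[off + 8:off + 24]).compressed,
            "dst": ipaddress.IPv6Address(frame[off + 24:off + 40]).compressed,
            "ext": [], "truncated": False}
    off += 40
    end = min(len(frame), off + plen)
    while nh in EXT_NAMES:                   # each ext header starts with Next Header, then its length
        if off + 8 > end:
            info["truncated"] = True
            break
        next_nh = frame[off]
        if nh == EXT_FRAGMENT:
            hlen = 8                         # fixed size
        elif nh == EXT_AH:
            hlen = (frame[off + 1] + 2) * 4  # AH length is in 4-octet units minus 2
        else:
            hlen = (frame[off + 1] + 1) * 8  # Hdr Ext Len in 8-octet units, not counting the first 8
        if off + hlen > end:
            info["truncated"] = True
            break
        info["ext"].append((EXT_NAMES[nh], hlen))
        off, nh = off + hlen, next_nh
    info["upper"] = nh                       # first non-extension protocol (6, 17, 58, ...) or 59
    return info


def ipv6_stats(path):
    """Stream the capture and aggregate per-field counters; non-IPv6 frames are only counted."""
    stats = {"frames": 0, "ipv6": 0, "truncated": 0, "hlim": Counter(), "dscp": Counter(),
             "upper": Counter(), "ext": Counter(), "ext_chain": Counter(), "src": Counter()}
    for _ts_sec, _ts_usec, frame in pcap_records(path):
        stats["frames"] += 1
        info = parse_ipv6(frame)
        if info is None:
            continue
        stats["ipv6"] += 1
        stats["truncated"] += info["truncated"]
        stats["hlim"][info["hlim"]] += 1
        stats["dscp"][info["dscp"]] += 1
        stats["upper"][info["upper"]] += 1
        stats["src"][info["src"]] += 1
        for name, _ in info["ext"]:
            stats["ext"][name] += 1
        stats["ext_chain"]["+".join(n for n, _ in info["ext"]) or "none"] += 1
    return stats


# Constructed sample packets (illustrative, not captured traffic).
def build_ipv6_frame(src, dst, exts, upper_nh, payload, tclass=0, flow=0, hlim=64):
    """exts: list of (ext_type, body) where body is the header minus its leading Next Header byte."""
    types = [t for t, _ in exts] + [upper_nh]
    chain = b"".join(bytes([nxt]) + body for (_, body), nxt in zip(exts, types[1:]))
    hdr = struct.pack("!IHBB", (6 << 28) | (tclass << 20) | flow, len(chain) + len(payload), types[0], hlim)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6) + hdr + chain + payload

OPT_BODY = b"\x00" + b"\x01\x04\x00\x00\x00\x00"        # Hdr Ext Len 0 + one PadN option (8 bytes total)
FRAG_BODY = b"\x00" + struct.pack("!HI", 1, 0xDEADBEEF)  # reserved, offset 0 / M=1, identification
UDP_PAYLOAD = struct.pack("!HHHH", 1234, 53, 12, 0) + b"test"
TCP_PAYLOAD = struct.pack("!HHIIBBHHH", 4321, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
ICMP6_PAYLOAD = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
IPV4_FRAME = b"\x00" * 12 + b"\x08\x00" + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
             ipaddress.IPv4Address("192.0.2.1").packed, ipaddress.IPv4Address("192.0.2.2").packed)


def write_pcap(path, frames):
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1490000000 + i, 0, len(frame), len(frame)) + frame)


def demo():
    frames = [
        build_ipv6_frame("2001:db8::1", "2001:db8::2", [(EXT_HOPBYHOP, OPT_BODY)], 17, UDP_PAYLOAD, tclass=0xB8),
        build_ipv6_frame("2001:db8::1", "2001:db8::2", [], 6, TCP_PAYLOAD, hlim=255, flow=0x12345),
        IPV4_FRAME,
        build_ipv6_frame("2001:db8::3", "2001:db8::2", [(EXT_DESTOPT, OPT_BODY), (EXT_FRAGMENT, FRAG_BODY)],
                         58, ICMP6_PAYLOAD),
    ]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, frames)
        return ipv6_stats(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats that matter on real captures: the reader deliberately stops at a truncated final record rather than guessing, and a chain that runs past the payload length is flagged `truncated` instead of being walked, since a malformed Hdr Ext Len is exactly the kind of input a parser must not follow blindly. The reader handles classic pcap only; a `.pcapng` file (as in the comment thread below) has a different block structure.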

2 Answers

12

Update

The latest versions now support IPv6 parsing. So parsing an IPv6 ".pcap" file with scapy can now be done like so:

    from scapy.all import *

    scapy_cap = rdpcap('file.pcap')
    for packet in scapy_cap:
        print(packet[IPv6].src)

Now, as I had commented back when this question was originally asked, for older scapy versions (that don't support IPv6 parsing):

  • pyshark can be used instead (pyshark is a tshark wrapper) like so:

        import pyshark

        shark_cap = pyshark.FileCapture('file.pcap')
        for packet in shark_cap:
            print(packet.ipv6.src)

  • or even, of course, tshark (kind of the terminal version of Wireshark):

        $ tshark -r file.pcap -q -Tfields -e ipv6.src
coder
2

If you want to keep using scapy and read the file iteratively I'd recommend you give PcapReader() a shot.

It would do the same as you tried to do with pyshark, but in Scapy:

    from scapy.all import *

    for packet in PcapReader('file.pcap'):
        try:
            print(packet[IPv6].src)
        except IndexError:  # raised by packet[IPv6] when the packet has no IPv6 layer
            pass

I'd recommend wrapping it in the try/except just as a failsafe in case you have any packet that does not have an IPv6 address.

andrewdotn
pablora
  • I have a pcap file; I ran the above code with IPv6 and IPv4, and for both types it didn't print anything. – umair mehmood Nov 25 '21 at 17:02
  • @umairmehmood have you checked that you have any IPv6 packet? I've downloaded a file from https://packetlife.net/captures/protocol/ipv6/ and this is running:

        In [1]: from scapy.all import *
        In [2]: pcap_file = '/tmp/lispmn_IPv6-RLOC.pcapng.cap'
        In [3]: for packet in PcapReader(pcap_file):
           ...:     try:
           ...:         print(packet[IPv6].src)
           ...:     except:
           ...:         pass
           ...:
        2607:f2c0:f00f:b001::face:b00c
        2607:f2c0:f00f:b001::face:b00c
        2607:f2c0:f00f:b001::face:b00c
        2607:f2c0:f00f:b001::face:b00c
        2607:f2c0:f00f:b001::face:b00c
        2607:f2c0:f00f:b001::face:b00c

    – pablora Nov 30 '21 at 00:54