
I would like to extract the date and time from PCAP files only for ARP packets and save them as CSV/TXT. I used the code below to extract the time. The print command works fine with the time, but when it is saved to the CSV file, only one date and one time (example 14:59:58) is saved into the CSV file. Can anyone suggest how to modify the code to extract ARP times from the pcap and save them to CSV CORRECTLY? Thank you.

import datetime
import socket
import dpkt

filename = "capture"  # assumed: name of the pcap under ../data/ (not given in the question)


def count_duplication(packets, src, tgt):
    # Not shown in the question; assumed to keep one [src, tgt, count] row per (src, tgt) pair
    for packet in packets:
        if packet[0] == src and packet[1] == tgt:
            packet[2] += 1
            return
    packets.append([src, tgt, 1])


# Save Packets

def save_packets(packets, filename, tcp, ts, degree_sorted):
    with open(filename, 'w') as f:
        for packet in packets:
            data = ''
            for item in packet:
                data = data + str(item) + ','
            f.write(data + tcp + datetime.datetime.utcfromtimestamp(ts).strftime("%m/%d/%Y, %H:%M:%S") + degree_sorted + '\n')


with open("../data/" + filename + ".pcap", 'rb') as f:
    pcap = dpkt.pcap.Reader(f)

    requests = []
    replies = []

    for ts, buf in pcap:

        eth = dpkt.ethernet.Ethernet(buf)
        # If the packet is not arp
        if eth.type != 2054:
            continue
        try:
            arp = eth.arp
        except AttributeError:
            continue

        src = socket.inet_ntoa(arp.spa)
        tgt = socket.inet_ntoa(arp.tpa)

        if arp.op == 2:
            count_duplication(replies, src, tgt)
        elif arp.op == 1:
            count_duplication(requests, src, tgt)

        packet_time = datetime.datetime.utcfromtimestamp(ts).strftime("%m/%d/%Y, %H:%M:%S")
        print(packet_time)

    # called once after the loop, so only the last packet's ts reaches the file;
    # tcp and degree_sorted are extra columns the question never defines (passed empty here)
    save_packets(sorted(requests, key=lambda x: -x[2]), '../tmp/count-requests-xyz' + '.csv', '', ts, '')

delwar.naist
    Explain the desired CSV structure. Do you know how to find ARP-only packets? – balderman Apr 14 '19 at 13:50
  • CSV files will contain src_ip, dst_ip, number of packets, time... and yes, I know how to extract ARP-only packets; I already extracted them as per the required features. – delwar.naist Apr 14 '19 at 14:06

1 Answer

import socket
import datetime
import dpkt


def _inet_to_str(inet):
    try:
        return socket.inet_ntop(socket.AF_INET, inet)
    except ValueError:
        return socket.inet_ntop(socket.AF_INET6, inet)


def arp(pcap_path):
    def _is_arp(packet):
        # dpkt decodes EtherType 0x0806 frames into a dpkt.arp.ARP payload;
        # testing for dpkt.ip.IP here would drop every ARP packet instead
        return isinstance(packet.data, dpkt.arp.ARP)

    with open(pcap_path, 'rb') as f:
        pcap = dpkt.pcap.Reader(f)
        for ts, buf in pcap:
            eth = dpkt.ethernet.Ethernet(buf)
            if not _is_arp(eth):
                continue
            arp_pkt = eth.data
            # the time is formatted inside the loop, so each packet gets its own timestamp
            packet_time = datetime.datetime.utcfromtimestamp(ts).strftime("%m/%d/%Y, %H:%M:%S")
            # write to file instead of printing
            print('{},{},{}'.format(_inet_to_str(arp_pkt.spa), _inet_to_str(arp_pkt.tpa), packet_time))
balderman
  • Hi, thanks for your code, but can you kindly check my code and advise. for ts, buf in pcap: eth = dpkt.ethernet.Ethernet(buf) # If the packet is not arp if eth.type != 2054: continue try: arp = eth.arp except Exception as e: continue src = dpkt.socket.inet_ntoa(arp.spa) tgt = dpkt.socket.inet_ntoa(arp.tpa) if arp.op == 2: count_duplication(replies, src, tgt) elif arp.op == 1: count_duplication(requests, src, tgt) – delwar.naist Apr 14 '19 at 14:20
  • The code you have posted is partial. Please share the current output and the desired output. (samples only) – balderman Apr 14 '19 at 14:24
  • packet_time = datetime.datetime.utcfromtimestamp(ts).strftime("%m/%d/%Y, %H:%M:%S") print (packet_time) – delwar.naist Apr 14 '19 at 14:26
  • Is the code in this post all the code you have? Share the code (or a sample of the code that can run) so we can run it against a pcap file. – balderman Apr 14 '19 at 14:29
  • Modify `f.write(data + tcp + timestamp + degree_sorted + '\n')` to `f.write(data + tcp + datetime.datetime.utcfromtimestamp(ts).strftime("%m/%d/%Y, %H:%M:%S") + degree_sorted + '\n')` – balderman Apr 14 '19 at 14:31
  • The problem was that you don't format the timestamp inside the loop. – balderman Apr 14 '19 at 14:32
  • Can you let me know how to share the full code? I can't share it here because the system does not accept more characters. – delwar.naist Apr 14 '19 at 14:33
  • You can edit your original post (I think..). Anyway - it looks like the issue is solved. See my comment above. – balderman Apr 14 '19 at 14:34
  • I got the error "TypeError: an integer is required (got type str)". – delwar.naist Apr 14 '19 at 14:38
  • Add more information. Which line of code throws this error? – balderman Apr 14 '19 at 14:42
  • Please check the detailed code. I have edited the question's code. – delwar.naist Apr 14 '19 at 14:44
  • I have posted working code. All you need to do is call the `arp` function. – balderman Apr 14 '19 at 15:03
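As an added example (not code from the question or from the answer), the same extraction done on the raw pcap record and ARP header layouts with only the standard library, so it runs without dpkt or a capture file: the pcap bytes, MAC addresses and timestamps are constructed inline, and the timestamp is formatted per packet inside the loop, which is the fix the comments above converge on.

```python
import csv
import datetime
import io
import struct

ETH_TYPE_ARP = 0x0806
ARP_OPS = {1: "request", 2: "reply"}


def arp_records(pcap_bytes):
    """Yield (time, src_ip, dst_ip, op) per ARP frame; the time is formatted inside the loop."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset = 24  # skip the 24-byte pcap global header
    while offset + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        # Ethernet header is 14 bytes, an IPv4-over-Ethernet ARP body is 28 bytes
        if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_TYPE_ARP:
            continue
        op = struct.unpack_from("!H", frame, 20)[0]
        src_ip = ".".join(str(b) for b in frame[28:32])   # sender protocol address
        dst_ip = ".".join(str(b) for b in frame[38:42])   # target protocol address
        when = datetime.datetime.fromtimestamp(ts_sec + ts_usec / 1e6, datetime.timezone.utc)
        yield when.strftime("%m/%d/%Y, %H:%M:%S"), src_ip, dst_ip, ARP_OPS.get(op, str(op))


def arp_to_csv(pcap_bytes):  # returns CSV text, one row per ARP packet
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["time", "src_ip", "dst_ip", "op"])
    writer.writerows(arp_records(pcap_bytes))
    return out.getvalue()


def _arp_frame(op, spa, tpa):  # constructed Ethernet+ARP frame with dummy MAC addresses
    return (b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_TYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + b"\x02" * 6 + bytes(int(x) for x in spa.split("."))
            + b"\x00" * 6 + bytes(int(x) for x in tpa.split(".")))


def sample_pcap():  # constructed capture: three ARP frames plus one IPv4 frame that must be skipped
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [
        (1555253998, 0, _arp_frame(1, "10.0.0.5", "10.0.0.1")),
        (1555253998, 250000, _arp_frame(2, "10.0.0.1", "10.0.0.5")),
        (1555253999, 0, b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"\x00" * 28),
        (1555254001, 0, _arp_frame(1, "10.0.0.5", "10.0.0.9")),
    ]
    return header + b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in records)
```

Passing the bytes of a real capture file to `arp_to_csv` and writing the returned text to a file gives one row per ARP packet, each with its own timestamp.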