In Scapy/Kamene python, how do I find the global headers for a pcap file?

Question

So in C, while reading from a Pcap file, you can use the C libpcap library to get all this information related to the global headers:

typedef struct pcap_hdr_s {
        guint32 magic_number;   /* magic number */
        guint16 version_major;  /* major version number */
        guint16 version_minor;  /* minor version number */
        gint32  thiszone;       /* GMT to local correction */
        guint32 sigfigs;        /* accuracy of timestamps */
        guint32 snaplen;        /* max length of captured packets, in octets */
        guint32 network;        /* data link type */
} pcap_hdr_t;

So I've searched for a long time to no avail in how to find these variables in python libraries Scapy/Kamene.

Can somebody please show me sample code from the Scapy/Kamene that'll help me find all these variables or at least a way to find all these variables??

Ross Jacobs · Accepted Answer · 2020-04-01T02:13:03.097

1

This isn't possible in Scapy as of the time of this writing. You can still do this with python though by reading it as a struct of bytes:

import struct

LITTLE_ENDIAN = "<"
BIG_ENDIAN = ">"

with open("temp.pcap", "rb") as f:
    filebytes = f.read()
if filebytes[:2] == b"\xa1\xb2":
    endianness = BIG_ENDIAN
elif filebytes[:2] == b"\xd4\xc3":
    endianness = LITTLE_ENDIAN
# pcapng is a completely different filetype and has different headers
# It's magic number is also the same between big/little endian
elif filebytes[:2] == b"\n\r":
    raise ValueError("This capture is a pcapng file (expected pcap).")
else:
    raise ValueError("This capture is the wrong filetype (expected pcap.")

# Endianness is < or > and is handled by checking magic number.
pcap_headers = struct.unpack(endianness + "IHHIIII", filebytes[:24])
print(pcap_headers)
---
(2712847316, 2, 4, 0, 0, 524288, 1)

Here, we unpack with < for little-endian on my macos system (> for big-endian). H reads 4 bytes, while I reads 2 bytes. You can read more about format characters in the Python3 struct documentation. We can check the magic number easily:

>>> int(str("A1B2C3D4"), 16)
2712847316

It looks like this is indeed a pcap with the correct magic number. For magic number byte order shenanigans, take a look at this SO answer (there can be multiple correct pcap "magic numbers").

Thanks to @Cukic0d: scapy source code is a great place to look at parsing pcap magic numbers.

edited Apr 01 '20 at 02:13

answered Mar 30 '20 at 05:53

Ross Jacobs

2,962
1
17
27

This won't work if you bump into a pcap with custom endian set – Cukic0d Mar 30 '20 at 10:34
@Cukic0d Can you be more specific about what won’t work? There can be different magic numbers due to endianness and timestamp, but the struct unpacking (apart from < or >) will be the same. – Ross Jacobs Mar 30 '20 at 16:19
Well precisely what you said. but the < > choice matters a lot if you expect to get somewhat coherent results. see https://github.com/secdev/scapy/blob/a0a6936e71c4723c65ed229b9fde5d58e74f3015/scapy/utils.py#L1004 for instance – Cukic0d Mar 30 '20 at 20:41
1

@Cukic0d Thanks for the recommendations! I've added checks to the code and included your *very relevant* link. – Ross Jacobs Apr 01 '20 at 02:14
Good job. Note this entire thing will still... not work with pcapng, but that's not the point. Scapy parsed those data but does nothing with it. I'll PR a way to access them – Cukic0d Apr 01 '20 at 13:25
@Cukic0d Agreed that it doesn’t work for pcapng as the question asks about pcap header fields. – Ross Jacobs Apr 01 '20 at 16:12

In Scapy/Kamene python, how do I find the global headers for a pcap file?

1 Answers1