I've searched in several places, but I didn't find a simple answer to this question - I have a .pcap file, generated using Wireshark, with several packets in it, and I wish to extract from each packet its TCP timestamp (TSval). I've managed to open each packet using scapy

from scapy.all import rdpcap

packets = rdpcap('pcap_file.pcap')
for packet in packets:
    print(packet.payload.id)  # IP identification field of the layer under Ethernet

but I can't find the TSval of the packet (even though I can see the TSval field in the packet when I open it with Wireshark as shown in the picture below).

adsl

1 Answer

Packets can be accessed like dictionaries whose keys are protocols and values are payloads. For instance you can print the TCP payload in a packet like this:

from scapy.all import TCP

if TCP in packet:
    packet[TCP].show()  # dump every field and option of the TCP layer

Now to get the TSval of the payload you have to look in TCP options. Each TCP option is encoded by scapy as a couple (option name, option value). For the timestamp option, the option value is itself a couple (TSval, TSecr). So you can basically get what you want doing the following:

from scapy.all import TCP, rdpcap

packets = rdpcap('packets.pcapng')
for packet in packets:
    if TCP in packet:  #  ignore packets without TCP payload
        for opt, val in packet[TCP].options:  #  consider all TCP options
            if opt == 'Timestamp':
                TSval, TSecr = val  #  decode the value of the option
                print('TSval =', TSval)
qouify
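As an added example (not part of the question or the answer above), here is what scapy is decoding when it hands you the ('Timestamp', (TSval, TSecr)) pair: a standard-library-only parser for the TCP options field that walks the kind/length/value layout, tolerates NOP/EOL padding, rejects malformed lengths, and pulls the timestamp out of a raw TCP header. The sample header and option bytes are constructed for the demonstration.

```python
import struct

# TCP option kinds (RFC 793 / RFC 7323); the timestamp option is kind 8, 10 bytes long.
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8

def parse_tcp_options(raw):
    """Walk raw TCP option bytes (kind/length/value layout) and return a list of
    (name, value) pairs in the style scapy uses: the Timestamp option becomes
    ('Timestamp', (TSval, TSecr)); other options are kept as (kind, raw bytes)."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCPOPT_EOL:          # end of option list, rest is padding
            break
        if kind == TCPOPT_NOP:          # single-byte padding, has no length field
            opts.append(('NOP', None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError('truncated option header at offset %d' % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError('bad option length %d at offset %d' % (length, i))
        body = raw[i + 2:i + length]
        if kind == TCPOPT_TIMESTAMP:
            if length != 10:
                raise ValueError('timestamp option must be 10 bytes, got %d' % length)
            opts.append(('Timestamp', struct.unpack('!II', body)))   # (TSval, TSecr)
        else:
            opts.append((kind, body))
        i += length
    return opts

def timestamp_from_tcp_header(hdr):
    """Given a raw TCP header (20-byte fixed part plus options), return the
    (TSval, TSecr) pair, or None when the segment carries no timestamp option."""
    data_offset = (hdr[12] >> 4) * 4    # header length in bytes, upper nibble of byte 12
    for name, val in parse_tcp_options(hdr[20:data_offset]):
        if name == 'Timestamp':
            return val
    return None

# Constructed sample: the common "NOP, NOP, Timestamp" option layout behind a
# 20-byte fixed header with placeholder ports/sequence numbers (data offset = 8 words).
SAMPLE_OPTIONS = bytes([1, 1, 8, 10]) + struct.pack('!II', 123456789, 987654321)
SAMPLE_HEADER = struct.pack('!HHIIBBHHH', 40000, 443, 1, 1, 8 << 4, 0x10, 65535, 0, 0) + SAMPLE_OPTIONS

if __name__ == '__main__':
    print('TSval, TSecr =', timestamp_from_tcp_header(SAMPLE_HEADER))
```

Feeding it `bytes(packet[TCP])` from scapy gives the same (TSval, TSecr) the answer's loop prints, which is a handy cross-check when a capture contains odd or malformed options.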