kbandla / dpkt

fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols

creating flow #413

Closed sai0495 closed 6 years ago

sai0495 commented 6 years ago

I want to create a flow like {source ip, destination ip, source port, destination port, protocol name}. I am new to Python and I tried a lot. I have written code like this; how do I modify it to get such output with any pcap file, ignoring ARP packets if they come along?

import dpkt
from dpkt.ip import IP
from pprint import pprint
#from dpkt.arp import ARP
import socket

f = open('smallFlows.pcap', 'rb')
pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:
    eth = dpkt.ethernet.Ethernet(buf)
    ip = eth.data
    if ip.p == 6:  # dpkt.ip.IP_PROTO_TCP
        tcp = ip.data
        src = socket.inet_ntoa(ip.src)
        dst = socket.inet_ntoa(ip.dst)
        sport = tcp.sport
        dport = tcp.dport
        print("protocol tcp The source ip , destination ip, sport , dport ", src, dst, sport, dport)
        continue

    if ip.p == 17:  # dpkt.ip.IP_PROTO_UDP: check for UDP packets
        udp = ip.data
        src1 = socket.inet_ntoa(ip.src)
        dst1 = socket.inet_ntoa(ip.dst)
        sport1 = udp.sport
        dport1 = udp.dport
        print(" protocol udp The source  ip , destination ip, sport , dport ", src1, dst1, sport1, dport1)

f.close()
brifordwylie commented 6 years ago

@naveensaimuthyala so a good place to start might be looking at some of the examples in: https://github.com/kbandla/dpkt/tree/master/examples

Also there's a bit of documentation of those at: https://dpkt.readthedocs.io/en/latest/examples.html

After looking through those... feel free to ask follow up questions.

sai0495 commented 6 years ago

I understood how to read data from a pcap file and I tried to implement it, but I am not able to ignore ARP packets. Can you help me modify the above code?

brifordwylie commented 6 years ago

@naveensaimuthyala so you actually looked at the examples? You ran them on your pcap? In particular, those example files are a much better way of using dpkt than the code you have.

Your code makes an incorrect assumption about what's in the ethernet frame:

ip = eth.data

The ethernet frame MIGHT have an IP packet in it, but if it's ARP or ICMP or a bunch of other stuff it won't.

The right way to make sure you have an IP packet is clearly shown in the examples (please go through them). Since ARP packets are not IP packets, you can simply filter them out with the following line of code (from the examples):

# Make sure the Ethernet data contains an IP packet
if not isinstance(eth.data, dpkt.ip.IP):
    print('Non IP Packet type not supported %s\n' % eth.data.__class__.__name__)
    continue

This will filter out all packets that are not IP packets (including ARP). If for some reason you just wanted to filter out ARP packets, you could do something like this:

# Ignore ARP packets
if isinstance(eth.data, dpkt.arp.ARP):
    print('Ignoring ARP packet %s\n' % eth.data.__class__.__name__)
    continue

Again, if after studying the examples in the link above.. running them.. trying them on your pcaps.. etc.. if you have a specific question about dpkt.. happy to try to answer.

brifordwylie commented 6 years ago

Okay, closing this since I assume it's resolved.

sai0495 commented 6 years ago

Yes, thanks for the help. He suggested the correct way of doing it. Thank you.

On Sun, Apr 29, 2018 at 11:47 PM Brian Wylie notifications@github.com wrote:

Okay, closing this since I assume it's resolved.
