Closed brightpinefield closed 2 years ago
Hi @brightpinefield so I just downloaded your example pcap (thanks for that... makes debugging easy).
In dpkt/examples.. there's a script called print_packets.py.. I just changed the path/name of the pcap file and I got this output.. it looks like there's an Ethernet frame wrapped in an Ethernet frame..... the inner Ethernet frame then has an IP/TCP inside it.
> python print_packets.py
Timestamp: 2021-11-06 20:12:01.165416
Ethernet Frame: a4:7b:2c:21:93:9c 20:e0:9c:50:39:69 34887
Non IP Packet type not supported Ethernet
** Pretty print demo **
Ethernet(
  dst=b' \xe0\x9cP9i', # 20:e0:9c:50:39:69
  src=b'\xa4{,!\x93\x9c', # a4:7b:2c:21:93:9c
  type=34887,
  labels=[
    (523475, 0, 254),
    (523467, 0, 255),
  ],
  mpls_labels=[
    MPLSlabel(val=523475, ttl=254),
    MPLSlabel(val=523467, s=1, ttl=255),
  ],
  data=Ethernet(
    dst=b'\x016\xd4\xb2z\x02', # 01:36:d4:b2:7a:02
    src=b'\x17h\x81\x00\x04\xdb', # 17:68:81:00:04:db
    type=2048,
    data=IP(
      v=4,
      hl=5,
      tos=0,
      len=52,
      id=0,
      rf=0,
      df=1,
      mf=0,
      offset=0,
      ttl=63,
      p=6, # TCP
      sum=21762, # 0x5502
      src=b'\xc0\xa8\x01d', # 192.168.1.100
      dst=b'\xc0\xa8\x01e', # 192.168.1.101
      opts=b'',
      data=TCP(
        sport=57469,
        dport=443,
        seq=3130810686,
        ack=3204377710,
        off=8,
        flags=16, # ACK
        win=41358,
        sum=20594, # 0x5072
        urp=0,
        opts=b'\x01\x01\x08\n@0\xe9\x8al\x1b^\xa2',
      ) # TCP
    ) # IP
  ) # Ethernet
) # Ethernet
You can modify the dpkt/examples/print_packets.py code like so to get the Ethernet frame within frame...
# Unpack the OUTER Ethernet frame (mac src/dst, ethertype)
eth_outer = dpkt.ethernet.Ethernet(buf)
print('Ethernet Frame: ', mac_to_str(eth_outer.src), mac_to_str(eth_outer.dst), eth_outer.type)

# Now get the INNER Ethernet frame (mac src/dst, ethertype)
eth = eth_outer.data
print('Ethernet Frame: ', mac_to_str(eth.src), mac_to_str(eth.dst), eth.type)
# Normal IP/TCP/whatever on 'eth'
Ahhh, thank you Brian. I was told that the pcaps we received were run through stripe to remove the MPLS encapsulation. I guess when it did that, it created a second Ethernet frame. I guess I have to figure out a way to code around this. If anyone has some suggestions, I'd appreciate it. Thank you! <3
I think the code snippet above might get you started.. closing the ticket for now.. if there's a follow-up, feel free to reopen.
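One way to code around the extra Ethernet layer discussed in this thread, as an added example that is not code from the thread or from dpkt: a standard-library walker that skips VLAN tags, the MPLS label stack and any nested Ethernet header before reading the IP addresses, which goes beyond the single level of nesting shown above. The function names, the first-nibble heuristic and the sample frame (built from the values in the printed output) are assumptions of this example.

```python
import socket
import struct

ETH_IP4, ETH_IP6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
ETH_MPLS = (0x8847, 0x8848)  # MPLS unicast / multicast

def _addrs(buf, off, family, size):
    return tuple(socket.inet_ntop(family, buf[o:o + size]) for o in (off, off + size))

def find_ip_addrs(buf, max_depth=4):
    """Return (src, dst) of the innermost IP header, or None if there is none."""
    off = 0
    for _ in range(max_depth):  # bound the nesting accepted from a capture
        if len(buf) < off + 14:
            return None
        etype = struct.unpack_from('>H', buf, off + 12)[0]
        off += 14
        while etype == ETH_VLAN and len(buf) >= off + 4:  # skip 802.1Q tags
            etype = struct.unpack_from('>H', buf, off + 2)[0]
            off += 4
        if etype in ETH_MPLS:
            bottom = False
            while not bottom and len(buf) >= off + 4:  # pop the label stack
                bottom = bool(struct.unpack_from('>I', buf, off)[0] & 0x100)
                off += 4
            if not bottom or len(buf) <= off:
                return None
            # MPLS has no next-protocol field: guess from the first nibble,
            # and treat anything that is not IPv4/IPv6 as a nested Ethernet frame.
            etype = {4: ETH_IP4, 6: ETH_IP6}.get(buf[off] >> 4)
            if etype is None:
                continue
        if etype == ETH_IP4 and len(buf) >= off + 20:
            return _addrs(buf, off + 12, socket.AF_INET, 4)
        if etype == ETH_IP6 and len(buf) >= off + 40:
            return _addrs(buf, off + 8, socket.AF_INET6, 16)
        return None
    return None

def mpls(label, s, ttl):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack('>I', label << 12 | s << 8 | ttl)

# Constructed frame from the MACs, labels and addresses printed above (ends after the IPv4 header)
OUTER = bytes.fromhex('20e09c503969' 'a47b2c21939c' '8847')
INNER = bytes.fromhex('0136d4b27a02' '1768810004db' '0800')
IP4 = bytes.fromhex('45000034' '00004000' '3f065502' 'c0a80164' 'c0a80165')
SAMPLE = OUTER + mpls(523475, 0, 254) + mpls(523467, 1, 255) + INNER + IP4
print(find_ip_addrs(SAMPLE))
```

Returning None for frames with no reachable IP header lets an extraction loop skip them instead of passing a 6-byte MAC address to `socket.inet_ntop`.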
Hi all,
I'm not sure if this is a bug or not, so I apologize if not. I recently received some pcaps with some MPLS data contained within the packets. I'm just trying to use a simple script to extract packets by IP and received this error:
Traceback (most recent call last):
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 6, in inet_to_str
    return socket.inet_ntop(socket.AF_INET, inet)
ValueError: invalid length of packed IP address string

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 96, in
    main(input_folder, output_folder, ip_list, jmirror)
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 82, in main
    extract_packets_by_ip(file_path, ip_to_writer_dict, jmirror)
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 52, in extract_packets_by_ip
    srcip = inet_to_str(ip.src)
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 8, in inet_to_str
    return socket.inet_ntop(socket.AF_INET6, inet)
ValueError: invalid length of packed IP address string
Wireshark of course sees the IP addresses no problem:
I can only think that it might be the MPLS info or something that makes dpkt break when it tries to grab the IP info. Not sure though. If someone has run into this before and has a workaround or fix, please let me know. I've attached a packet example.
Also, is there a forum/Discord where people are discussing the DPKT project? Would be nice to have if not.
packet.pcap.zip