search

warjiang / dpkt

Automatically exported from code.google.com/p/dpkt
Other
0 stars 0 forks source link

incorrect parsing of pcap using tutorial #98

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
running basic example 
(http://jon.oberheide.org/blog/2008/10/15/dpkt-tutorial-2-parsing-a-pcap-file/)

What steps will reproduce the problem?
1. dpkt.pcap.Reader(open('small.pcap'))
2. for ts, buf in pcap:
      print ts, len(buf)
3. for ts in pcap:
      print ts
      print '\n\n'

What is the expected output? What do you see instead?
   For 2) I expect 6 packets with correct length
   For 3) I expect a dump of these packets  

What version of the product are you using? On what operating system?
python 2.7, dpkt 1.7. winxp64

Please provide any additional information below.
** see attached small.pcap **
IDLE output:

f.close()
>>> f = open('small.pcap')
>>> pcap = dpkt.pcap.Reader(f)
>>> for ts, buf in pcap:
    print ts, len(buf)

1257564308.83 74
1257564308.83 1314
301989889.0 501
>>> for ts in pcap:
    print ts
    print '\n\n'

(1257564308.831935, 
'\x00"u`7\x98\x00!jnZ\x9e\x08\x00E\x00\x00<\x87\x9c\x00\x00\x80\x11-\xbe\xc0\xa8
\x02\x05\xc0\xa8\x02\x01\xdeO\x005\x00(\x95\xfdw\x1d\x01\x00\x00\x01\x00\x00\x00
\x00\x00\x00\x03www\x06google\x03com\x00\x00\x01\x00\x01')

(1257564308.832856, 
'\x00"u`7\x98\x00!jnZ\x9e\x08\x00E\x00\x05\x14\x87\x9f@\x00\x80\x06\xc1F\xc0\xa8
\x02\x05@\xe9\xa9g\x05\xef\x00P4\x9b)\xc5J\x89\xf4\x15P\x10\xfe0\xf4\x12\x00\x00
GET /ig HTTP/1.1\nHost: www.google.com\nUser-Agent: Mozilla/5.0 (Windows; U; 
Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 
3.5.30729)\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language
: en-us,en;q=0.5\nAccept-Encoding: gzip,deflate\nAccept-Charset: 
ISO-8859-1,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 300\nConnection: 
keep-alive\nCookie: 
IGTP=LI=1:TP=H4sIAAAAAAAAAONgkJjbfuMai8ICEOlVzKEgwazA4MEYsbh18nmWAoZNjLHcAg0Xe1m
kQrjsM0pKCqz09cvLy_XS8_PTc1L1kvNz9TPT9XPzU0pzUov1K_NLS0qTUuMzIdL6ZUYwIb2K3ByB70z
aRlzFqYlFyRkhqUW5Vgw6PAcYGbxCgJYyAS1lRlhqB7XUlEuXoKUpiSWpJZm5ECt6GAN6GMGminJwSjA
qMGgxeLDAzAUJK3OIAIUZDRg9WCNu7p0BsY6bW6DjaTeLFJNGLdRFkkAXMWrZGloZKxhZKSG5ITkvD-y
AgsSikrzUomJ9qFeB4vEl-QXFJflFmanFekXFxUpAO9gjPjz5fgFidQA4oLsYmVLzJjEylRavYGTazLi
DkfUAI-8KVo4tjL8YeTgYhFg88nNTlRgMWLqYgWomMQNVX2a-wfwfBhivMD9i5uNiKy4wMjA3FQCbiRC
wEPg4c-N1FgAnVxYu1gEAAA:LM=1257000177; 
PREF=ID=a7bc40a4c52f9f8e:U=121cc5ce7d72364f:TM=1256417243:LM=1256417243:GM=1:S=V
9IwSc81krCxBxCX; 
NID=28=WzEdhqkdZL4Yt4x7yr1pyvOuHft5TyzM8bGI3SrV7_zVUtk8m37VzcV5yvEk1TSHLQki10MtU
31_q7EURAiJv6_LUgY-qmLACa4K_S0mSuNjSm0g3psS30cn4eb19v3_; 
SID=DQAAAIgAAAAPpOBzTIZ1H9JlJl2owiy3Y8kpwWvBBTZeEZ9xZS7BFoJ3Vd0OXHeqf5l5qNalGKue
k0Fajb9kR76Pk_PWEG4xm6a3S-qhrp\x94\xe8\xf4J\x80\xb5\x0c\x00\x12')

(301989889.000001, 
'nZ\x9e\x08\x00E\x00\x01\x04\x87\xa0@\x00\x80\x06\xc5U\xc0\xa8\x02\x05@\xe9\xa9g
\x05\xef\x00P4\x9b.\xb1J\x89\xf4\x15P\x18\xfe04\x8d\x00\x00iYE7knIv3ObzszsflsrPD
hZgmVstXHv7i8I5fn7B1GtQSZITVNgl9MaVRBRTMPRBucQHNF2e3id4varIWgkUZ67Elznmmy4NQ; 
HSID=A2eJgOSPEdKT85c8b; TZ=300\nIf-Modified-Since: Sat, 07 Nov 2009 03:20:06 
GMT\nIf-None-Match: 
15245993542772299237\n\n\x94\xe8\xf4J1\x17\r\x00\xbe\x00\x00\x00\xbe\x00\x00\x00
\x00!jnZ\x9e\x00"u`7\x98\x08\x00E\x00\x00\xb0\x00\x00@\x00@\x11\xb4\xe6\xc0\xa8\
x02\x01\xc0\xa8\x02\x05\x005\xdeO\x00\x9c\xf3\xb8w\x1d\x81\x80\x00\x01\x00\x07\x
00\x00\x00\x00\x03www\x06google\x03com\x00\x00\x01\x00\x01\xc0\x0c\x00\x05\x00\x
01\x00\x00"Y\x00\x08\x03www\x01l\xc0\x10\xc0,\x00\x01\x00\x01\x00\x00\x00s\x00\x
04@\xe9\xa9j\xc0,\x00\x01\x00\x01\x00\x00\x00s\x00\x04@\xe9\xa9i\xc0,\x00\x01\x0
0\x01\x00\x00\x00s\x00\x04@\xe9\xa9\x93\xc0,\x00\x01\x00\x01\x00\x00\x00s\x00\x0
4@\xe9\xa9g\xc0,\x00\x01\x00\x01\x00\x00\x00s\x00\x04@\xe9\xa9h\xc0,\x00\x01\x00
\x01\x00\x00\x00s\x00\x04@\xe9\xa9c\x94\xe8\xf4J\x07+\r\x006\x00\x00\x006\x00\x0
0\x00\x00!jnZ\x9e\x00"u`7\x98\x08\x00E\x00\x00(')

** Several bytes not read from file.  Looks like the pcap length fields get 
screwed up at the third packet.

Back to my home rolled solution... for now at least.
Jerry

Original issue reported on code.google.com by SoCg...@gmail.com on 18 Oct 2012 at 1:58

Attachments:

GoogleCodeExporter commented 9 years ago 
OK, you must open file binary mode.

Test follow code.

f = open('small.pcap','rb')
pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:
    print ts, len(buf)

Original comment by ruy.su...@gmail.com on 13 Nov 2012 at 1:10

GoogleCodeExporter commented 9 years ago 
When opening a binary file on Windows, always use open() with 'rb'.

Original comment by kbandla@in2void.com on 25 Dec 2014 at 7:05