Data analysis of wireshark data (pcap)

Asked 1 years ago, Updated 1 years ago, 100 views

I was thinking of analyzing and extracting wireless mark data (pcap) in python3, and I was able to confirm that I can list out UDP src, dsc and port in the script below. In addition to this, how do I specify (code) to get the value (yellow) like the one in the attachment? *I am not particular about the script below, so I look forward to hearing from you
Value you want to get

#-*-coding:utf-8-*-

import dpkt, socket
import string
import binascii
import sys

# main function
defmain(filename):
    pcr=dpkt.pcap.Reader(open(filename, 'rb')))
    # Number of packets
    packet_count = 0

    # packet processing
    forts, bufin pcr:
        packet_count + = 1
        try:
            eth=dpkt.ethernet.Ethernet(buf)
        except:
            continue

        # For IP data:
        if type(eth.data) == dpkt.ip.IP:
            ip=eth.data
            ipheader (ip)
            # TCP data
            if type(ip.data) == dpkt.tcp.TCP:
                tcp = ip.data
                # Payload is not 0
                iflen(tcp.data)!=0:
                    thex = binascii.b2a_hex(tcp.data)
                    payload (thex)
            # UDP data
            elif type (ip.data) == dpkt.udp.UDP:
                udp = ip.data
                # Payload is not 0
                iflen(udp.data)!=0:
                    uhex=binascii.b2a_hex(udp.data)
                    payload(uhex)
            # ICMP data
            elif type (ip.data) == dpkt.icmp.ICMP:
                icmp = ip.data
                # Payload is not 0
                iflen(icmp.data)!=0:
                    ihex=binascii.hexlify(str(icmp.data))
                    payload (ihex [8:])

    print("End of process:", packet_count)

# IP header processing
def ipheader(header):
    # Header Processing
    src=socket.inet_ntoa(header.src)
    dst=socket.inet_ntoa(header.dst)
    if type(header.data) == dpkt.udp.UDP:
        print("UDP%s:%s=>%s:%s(len:%s)"%(src,header.data.sport,dst,header.data.dport,len(header.data.data)))

# payload
def payload (thex):
    # Payload Processing
    return

/////////////////_/
Additional
It's not a smart method, but based on current know-how...
For now
in "wireshark→json data (save)→python analysis" We decided to address the immediate challenge
Both BACpypes and tshark would like to deepen their understanding and use it as a future method

python3 wireshark

2022-09-30 17:46

2 Answers

The wireshark ships with the CLI version of tshark.
If you add the -V option, the analysis results of the packet (similar to wireshark) will be output, so you can also extract the field value you want (using regular expressions, etc.).

 [Example command to load and display PCAP files]
tshark-r PCAP file-V

What do you think?

2022-09-30 17:46

Can the dpkt library interpret BACnet packets?

Protocols that the library does not support must interpret the contents of the payload according to the protocol.

2022-09-30 17:46

If you have any answers or tips

Popular Tags
python x 4647
android x 1593
java x 1494
javascript x 1427
c x 927
c++ x 878
ruby-on-rails x 696
php x 692
python3 x 685
html x 656
Popular Questions

550 Scrap text information after the "View More" button when searching in the Yahoo! News search window

641 When building Fast API+Uvicorn environment with PyInstaller, console=False results in an error

539 rails db:create error: Could not find mysql2-0.5.4 in any of the sources

537 Unable to install versioned in Google Colab

605 /usr/bin/google-chrome:symbol lookup error:/usr/bin/google-chrome: undefined symbol:gbm_bo_get_modifier

© 2024 OneMinuteCode. All rights reserved.