We will be using the dpkt library to analyse the network traffic.
dpkt is a Python module for fast, simple packet creation and parsing, with definitions for the basic TCP/IP protocols. In order to use dpkt you first need to install it:
sudo pip install dpkt
Note: You can omit sudo from the above command if you are logged in as the root user.
In this lesson we will use Python code to extract the source IP and destination IP addresses of the packets on the network from our .pcap file, in which we saved the Wireshark traffic data. After saving your captured pcap file at some location (say, the Desktop), run the following code:
#!/usr/bin/env python
# This code prints the source and destination IP of every packet in the given pcap file
import dpkt
import socket


def printPcap(pcap):
    # ts is the capture timestamp, buf is the raw bytes of one Ethernet frame
    for (ts, buf) in pcap:
        try:
            eth = dpkt.ethernet.Ethernet(buf)
            ip = eth.data
            # read the source IP in src
            src = socket.inet_ntoa(ip.src)
            # read the destination IP in dst
            dst = socket.inet_ntoa(ip.dst)
            # Print the source and destination IP
            print('Source: ' + src + ' Destination: ' + dst)
        except Exception:
            # frames whose payload is not an IPv4 packet (e.g. ARP) are skipped
            pass


def main():
    # Open pcap file for reading in binary mode, since dpkt parses raw bytes
    with open('/home/codeplay/Desktop/first.pcap', 'rb') as f:
        # pass the file object to the pcap.Reader function
        pcap = dpkt.pcap.Reader(f)
        printPcap(pcap)


if __name__ == '__main__':
    main()
In the above code, in the method printPcap, ts and buf are the timestamp and the buffer respectively. You might have noticed the socket method inet_ntoa: it converts a 32-bit packed IPv4 address (a string of four bytes in length) to its standard dotted-quad string representation (for example, 22.214.171.124).
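The following is an added example, not code from the lesson or from dpkt: it reads the same classic pcap record layout that dpkt.pcap.Reader parses, using only the standard library so it runs without installing anything, and instead of swallowing every error with a bare except it counts the non-IPv4 frames (such as ARP) it skips. The capture it parses is constructed in memory from placeholder MAC and documentation-range IP addresses.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC, ETH_TYPE_IPV4 = 0xA1B2C3D4, 0x0800  # little-endian libpcap magic; IPv4 EtherType
def build_pcap(frames):
    # 24-byte global header (linktype 1 = Ethernet), then a 16-byte record header before each frame
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def eth_frame(eth_type, payload):
    # Ethernet II: dst MAC, src MAC (constructed placeholder values), EtherType, payload
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", eth_type) + payload

def ipv4_packet(src, dst, proto=6):
    # Minimal 20-byte IPv4 header with no options/payload; checksum left 0 since we only parse it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def iter_packets(data):
    # Yield (timestamp, frame) per record, the same pairs dpkt.pcap.Reader yields
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len

def count_ip_pairs(pcap_bytes):
    # Count (source, destination) pairs; non-IPv4 or truncated frames are counted, not silently dropped
    pairs, skipped = Counter(), 0
    for _ts, frame in iter_packets(pcap_bytes):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_TYPE_IPV4:
            skipped += 1
            continue
        src, dst = struct.unpack_from("!4s4s", frame, 26)  # IPv4 src/dst at IP header bytes 12..19
        pairs[(socket.inet_ntoa(src), socket.inet_ntoa(dst))] += 1
    return pairs, skipped
# Constructed sample capture: two requests, one reply, and one ARP frame (EtherType 0x0806)
SAMPLE_PCAP = build_pcap([
    eth_frame(ETH_TYPE_IPV4, ipv4_packet("192.0.2.10", "198.51.100.5")),
    eth_frame(0x0806, b"\x00" * 28),
    eth_frame(ETH_TYPE_IPV4, ipv4_packet("198.51.100.5", "192.0.2.10")),
    eth_frame(ETH_TYPE_IPV4, ipv4_packet("192.0.2.10", "198.51.100.5")),
])
if __name__ == "__main__":
    pairs, skipped = count_ip_pairs(SAMPLE_PCAP)
    print(dict(pairs), "skipped non-IPv4 frames:", skipped)
```

To run it over a real capture, replace SAMPLE_PCAP with the bytes of your .pcap file opened in binary mode; pcapng files use a different container format and are not handled here.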