
Analyzing Networking Traffic using dpkt library

We will be using the dpkt library to analyse the network traffic. dpkt is a python module for fast, simple packet creation/parsing, with definition for the basic TCP/IP protocols. In order to use dpkt you first need to install it.


Installing dpkt module

sudo pip install dpkt

Note: You can omit sudo from the above command, if you are logged in as root user.

In this lesson we will extract the source IP and destination IP addresses of the packets on the network using Python code, reading them from the .pcap file in which we saved the Wireshark traffic data. After saving your captured pcap file at some location (say the Desktop), run the following code:

#!/usr/bin/env python
# this code prints Source and Destination IP from the given 'pcap' file

import dpkt
import socket

def printPcap(pcap):
    # each record is a (timestamp, raw frame bytes) pair
    for (ts, buf) in pcap:
        try:
            eth = dpkt.ethernet.Ethernet(buf)
            ip = eth.data
            # skip frames that do not carry IPv4 (e.g. ARP, IPv6)
            if not isinstance(ip, dpkt.ip.IP):
                continue
            # read the source IP in src
            src = socket.inet_ntoa(ip.src)
            # read the destination IP in dst
            dst = socket.inet_ntoa(ip.dst)

            # Print the source and destination IP
            print('Source: ' + src + ' Destination: ' + dst)

        except dpkt.UnpackError:
            # malformed or truncated frame: skip it
            pass

def main():
    # Open pcap file for reading (binary mode, a pcap file is not text)
    with open('/home/codeplay/Desktop/first.pcap', 'rb') as f:
        # pass the file object to the pcap.Reader function
        pcap = dpkt.pcap.Reader(f)
        printPcap(pcap)

if __name__ == '__main__':
    main()

In the above code, in the method printPcap(), ts and buf are the timestamp and the raw frame buffer respectively. You might have noticed the socket method inet_ntoa (its inverse is inet_aton). inet_ntoa converts a 32-bit packed IPv4 address (a packed string of four bytes) to its standard dotted-quad string representation (for example, 123.45.67.89).
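The same extraction done with only the standard library, as an added example that is not from the original page: it shows what dpkt's pcap.Reader, Ethernet and IP classes do underneath, and how the frames the tutorial's code silently drops (ARP, VLAN-tagged, truncated) are told apart from plain IPv4. All names, MAC and IP values and the in-memory sample capture are constructed for this example.

```python
import socket
import struct
ETH_TYPE_IP, ETH_TYPE_ARP, ETH_TYPE_VLAN = 0x0800, 0x0806, 0x8100

def iter_pcap(data):
    """Yield (timestamp, frame bytes) records from classic libpcap file bytes."""
    magic = struct.unpack('<I', data[:4])[0]
    endian = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(magic)  # file byte order
    if endian is None:
        raise ValueError('not a classic pcap file')
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def ip_endpoints(frame):
    """Return (src, dst) dotted quads for an IPv4 frame, else None (ARP, IPv6, truncated)."""
    if len(frame) < 14:
        return None
    ethertype, payload = struct.unpack('!H', frame[12:14])[0], frame[14:]
    if ethertype == ETH_TYPE_VLAN and len(frame) >= 18:  # hop over an 802.1Q tag
        ethertype, payload = struct.unpack('!H', frame[16:18])[0], frame[18:]
    if ethertype != ETH_TYPE_IP or len(payload) < 20:
        return None
    return socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20])

def extract_endpoints(pcap_bytes):
    """The page's printPcap() as a function: (src, dst) for every IPv4 frame, in order."""
    return [e for e in map(ip_endpoints, (f for _, f in iter_pcap(pcap_bytes))) if e]

# --- constructed sample capture (built in memory, not a real trace) ---
MACS = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb')  # dst MAC + src MAC
def ipv4_frame(src, dst, vlan_id=None):
    tag = struct.pack('!HH', ETH_TYPE_VLAN, vlan_id) if vlan_id is not None else b''
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20, 0, 0, 64, 6, 0,  # minimal IPv4 header
                         socket.inet_aton(src), socket.inet_aton(dst))
    return MACS + tag + struct.pack('!H', ETH_TYPE_IP) + ip_hdr
def build_pcap(frames):
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, fr in enumerate(frames):
        out += struct.pack('<IIII', 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out
SAMPLE_PCAP = build_pcap([
    ipv4_frame('10.0.0.1', '10.0.0.2'),
    MACS + struct.pack('!H', ETH_TYPE_ARP) + b'\x00' * 28,  # ARP frame: no IP header
    ipv4_frame('10.0.0.2', '10.0.0.1', vlan_id=10),         # VLAN-tagged IPv4 frame
    b'\x00' * 10,                                           # truncated frame
])
```

Calling extract_endpoints(SAMPLE_PCAP) yields only the two IPv4 pairs; the ARP and truncated records are skipped and the VLAN-tagged frame is still decoded. Dropping the isinstance/length checks is exactly where the tutorial's bare except would otherwise hide a malformed frame.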

Output:
