How to use the dpkt.ethernet function in dpkt

To help you get started, we’ve selected a few dpkt examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github bestephe / loom / exps / tc-test / results_scripts / get_tenant_tput_ts.py View on Github external
def get_flowid(pkt):
    try:
        eth = dpkt.ethernet.Ethernet(pkt) 
        if eth.type != dpkt.ethernet.ETH_TYPE_IP:
           return None
        ip = eth.data
        if ip.p != dpkt.ip.IP_PROTO_TCP and ip.p != dpkt.ip.IP_PROTO_UDP: 
            return None
        tcp = ip.data

        flowid = {'sip': socket.inet_ntoa(ip.src), 'sport': tcp.sport,
                  'dip': socket.inet_ntoa(ip.dst), 'dport': tcp.dport}

        return flowid
    except:
        return None
github log2timeline / plaso / plaso / parsers / pcap.py View on Github external
binascii.hexlify(ether.dst), '8021Q packet')
      stream_object.protocol_data = '8021Q packet'

    elif ether.type == dpkt.ethernet.ETH_TYPE_IPX:
      stream_object = Stream(
          packet_values, ether.data, binascii.hexlify(ether.src),
          binascii.hexlify(ether.dst), 'IPX')
      stream_object.protocol_data = 'IPX'

    elif ether.type == dpkt.ethernet.ETH_TYPE_PPP:
      stream_object = Stream(
          packet_values, ether.data, binascii.hexlify(ether.src),
          binascii.hexlify(ether.dst), 'PPP')
      stream_object.protocol_data = 'PPP'

    elif ether.type == dpkt.ethernet.ETH_TYPE_MPLS:
      stream_object = Stream(
          packet_values, ether.data, binascii.hexlify(ether.src),
          binascii.hexlify(ether.dst), 'MPLS')
      stream_object.protocol_data = 'MPLS'

    elif ether.type == dpkt.ethernet.ETH_TYPE_MPLS_MCAST:
      stream_object = Stream(
          packet_values, ether.data, binascii.hexlify(ether.src),
          binascii.hexlify(ether.dst), 'MPLS')
      stream_object.protocol_data = 'MPLS MCAST'

    elif ether.type == dpkt.ethernet.ETH_TYPE_PPPoE_DISC:
      stream_object = Stream(
          packet_values, ether.data, binascii.hexlify(ether.src),
          binascii.hexlify(ether.dst), 'PPOE')
      stream_object.protocol_data = 'PPoE Disc packet'
github mike01 / pypacker / dpkt / llc.py View on Github external
def _unpack_data(self, buf):
		if self.type == ethernet.ETH_TYPE_8021Q:
			self.tag, self.type = struct.unpack('>HH', buf[:4])
			buf = buf[4:]
		elif self.type == ethernet.ETH_TYPE_MPLS or \
			 self.type == ethernet.ETH_TYPE_MPLS_MCAST:
			# XXX - skip labels
			for i in range(24):
				if struct.unpack('>I', buf[i:i+4])[0] & 0x0100: # MPLS_STACK_BOTTOM
					break
			self.type = ethernet.ETH_TYPE_IP
			buf = buf[(i + 1) * 4:]
		try:
			self.data = self._typesw[self.type](buf)
			setattr(self, self.data.__class__.__name__.lower(), self.data)
		except (KeyError, dpkt.UnpackError):
			self.data = buf
github kakaroto / SWProxy / SWParser.py View on Github external
def parse_pcap(filename):
    streams = dict() # Connections with current buffer
    with open(filename, "rb") as f:
        pcap = dpkt.pcap.Reader(f)
        for ts, buf in pcap:
            eth = dpkt.ethernet.Ethernet(buf)
            if eth.type != dpkt.ethernet.ETH_TYPE_IP:
                continue
            ip = eth.data
            if not isinstance(ip, dpkt.ip.IP):
                try:
                    ip = dpkt.ip.IP(ip)
                except:
                    continue
            if ip.p != dpkt.ip.IP_PROTO_TCP:
                continue
            tcp = ip.data

            if not isinstance(tcp, dpkt.tcp.TCP):
                try:
                    tcp = dpkt.tcp.TCP(tcp)
                except:
                    continue
github USArmyResearchLab / Dshell / decoders / misc / writer.py View on Github external
def IPHandler(self, addr, ip, ts, pkttype=None, **kw):
        self.decodedbytes += len(ip.data)
        self.count += 1
        # if we are passed in IP data vs layer-2 frames, we need to encapsulate
        # them
        self.dump(dpkt.ethernet.Ethernet(data=str(ip), pkttype=type), ts=ts)
github achinkulshrestha / CrimeCheck / crimecheck.py View on Github external
def gather_statistics(cap,serverAddr):
    counters = defaultdict(int)
    known_extensions = set()
    count_extensions = set()
    pkt_count = 0
    for ts, buf in cap:
        pkt_count += 1
        eth = dpkt.ethernet.Ethernet(buf)
        #print 'pkt: %d' % (pkt_count)
        if not isinstance(eth.data, dpkt.ip.IP):
            continue
        ip = eth.data
        if not isinstance(ip.data, dpkt.tcp.TCP):
            continue

        # TODO: consider doing TCP streams, so multi-packet things can be parsed right... "meh"
        tcp = ip.data
        if tcp.dport != 443 and tcp.sport != 443:
            continue
        if socket.gethostbyname(serverAddr) != socket.inet_ntoa(ip.src):
            continue
        
        if len(tcp.data) <= 0:
            continue
github John-Lin / malware / malware / decoder.py View on Github external
def _tcp_iterator(pc):
    for ts, pkt in pc:
        try:
            eth = dpkt.ethernet.Ethernet(pkt)
        except dpkt.dpkt.NeedData:
            continue

        if eth.type == dpkt.ethernet.ETH_TYPE_IP:
            ip = eth.data
            if ip.p == dpkt.ip.IP_PROTO_TCP:
                tcp = ip.data
                yield (ip.src, tcp.sport, ip.dst, tcp.dport, tcp.data)
            else:
                pass
                # Not TCP packets
        else:
            pass
            # Not ether packets
    return
github jeffsilverm / dpkt_doc / decode_tcp_iterator.py View on Github external
def decode_tcp(pcap):
    """This function decodes a packet capture file f and breaks it up into tcp connections"""
    print "counter\tsrc prt\tdst prt\tflags"
    packet_cntr = 0
    connection_table = {}   # the keys of the table are the connection ID strings: source IP,
                            # source port, destination IP, destination port.  The values are a tuple which is the
                            # sequence number and a string which is the assembled stream

    for ts, buf in pcap:
        packet_cntr += 1
        eth = dpkt.ethernet.Ethernet(buf)
# Also, this changes a little bit with IPv6.  To tell the difference between IPv4 and IPv6, you have to look
# at the ethertype field, which is given by http://www.iana.org/assignments/ethernet-numbers.  IPv4 is 0x800 or 2048
# and IPv6 is 0x86DD or 34525
# This is simplistic - IPv4 packets can be fragmented.  Also, this only works for IPv4.  IPv6 has a different Ethertype    
        if eth.type == dpkt.ethernet.ETH_TYPE_IP :
            ip = eth.data
            if ip.v != 4 :
                raise ValueError, "In packet %d, the ether type is IPv4 but the IP version number is %d not 4" % (
                    packet_cntr, ip.v )
           # Deal with IP fragmentation here
        elif eth.type == dpkt.ethernet.ETH_TYPE_IP6 :
            ip = eth.data
            if ip.v != 6 :
                raise ValueError, "In packet %d, the ether type is IPv6 but the IP version number is %d not 6" % (
                    packet_cntr, ip.v )
            # IPv6 packets don't fragment            
        else :
            print "packet %d is neither IPv4 nor IPv6" % packet_cntr
            continue    # Not going to deal with anything other than IP
        if ip.p == dpkt.ip.IP_PROTO_TCP :
            tcp = ip.data
github ervanalb / lens / src / ethernet.py View on Github external
    @gen.coroutine
    def on_read(self, src, header, data):
        try:
            pkt = dpkt.ethernet.Ethernet(data)
        except dpkt.NeedData:
            yield self.passthru(src, header, data)
            return
        header = {
            "eth_dst": self.pretty_mac(pkt.dst),
            "eth_src": self.pretty_mac(pkt.src),
            "eth_type": pkt.type,
        }
        self.seen_macs[src].add(header["eth_src"])
        yield self.bubble(src, header, pkt.data)
github John-Lin / malware / malware / utils.py View on Github external
def tcp_stream(pcapfile):
    connection = {}
    frame_counter = 0
    for ts, buf in dpkt.pcap.Reader(open(pcapfile)):
        frame_counter += 1
        try:
            eth = dpkt.ethernet.Ethernet(buf)
        except:
            continue
        ip = eth.data
        if eth.type != dpkt.ethernet.ETH_TYPE_IP:
            continue
        if ip.p != dpkt.ip.IP_PROTO_TCP:
            continue
        tcp = ip.data
        if tcp.data == '':
            continue

        tuple_key = (ip.src, tcp.sport, ip.dst, tcp.dport)
        reverse_key = (ip.dst, tcp.dport, ip.src, tcp.sport)

        if (tuple_key and reverse_key) not in connection.keys():
            connection.setdefault(tuple_key, {tcp.seq: tcp.data})
        else:
            connection[reverse_key][tcp.seq] = tcp.data

    return connection