How to use the dpkt.ip function in dpkt
To help you get started, we’ve selected a few dpkt examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
corelight / community-id-spec / community-id.py View on Github 
pkt[UDP].sport, pkt[UDP].dport)
return PacketKey(daddr, saddr, dpkt.ip.IP_PROTO_UDP,
pkt[UDP].dport, pkt[UDP].sport)
if SCTP in pkt:
if is_lt(saddr, daddr, pkt[SCTP].sport, pkt[SCTP].dport):
return PacketKey(saddr, daddr, dpkt.ip.IP_PROTO_SCTP,
pkt[SCTP].sport, pkt[SCTP].dport)
return PacketKey(daddr, saddr, dpkt.ip.IP_PROTO_SCTP,
pkt[SCTP].dport, pkt[SCTP].sport)
if ICMP in pkt:
port1, port2, is_one_way = ICMPHelper.packet_get_v4_port_equivalents(pkt)
if is_one_way or is_lt(saddr, daddr, port1, port2):
return PacketKey(saddr, daddr, dpkt.ip.IP_PROTO_ICMP, port1, port2)
return PacketKey(daddr, saddr, dpkt.ip.IP_PROTO_ICMP, port2, port1)
if ICMP6 in pkt:
port1, port2, is_one_way = ICMPHelper.packet_get_v6_port_equivalents(pkt)
if is_one_way or is_lt(saddr, daddr, port1, port2):
return PacketKey(saddr, daddr, dpkt.ip.IP_PROTO_ICMP6, port1, port2)
return PacketKey(daddr, saddr, dpkt.ip.IP_PROTO_ICMP6, port2, port1)
if IP in pkt:
if is_lt(saddr, daddr):
return PacketKey(saddr, daddr, pkt[IP].p)
return PacketKey(daddr, saddr, pkt[IP].p)
if IP6 in pkt:
if is_lt(pkt[IP6].src, pkt[IP6].dst):
return PacketKey(pkt[IP6].src, pkt[IP6].dst, pkt[IP].nxt)
return PacketKey(pkt[IP6].dst, pkt[IP6].src, pkt[IP].nxt)except ValueError:
log.error("Unable to read PCAP file at path \"%s\". File is "
"corrupted or wrong format." % self.filepath)
return self.results
offset = file.tell()
first_ts = None
for ts, buf in pcap:
if not first_ts:
first_ts = ts
try:
ip = iplayer_from_raw(buf, pcap.datalink())
connection = {}
if isinstance(ip, dpkt.ip.IP):
connection["src"] = socket.inet_ntoa(ip.src)
connection["dst"] = socket.inet_ntoa(ip.dst)
elif isinstance(ip, dpkt.ip6.IP6):
connection["src"] = socket.inet_ntop(socket.AF_INET6,
ip.src)
connection["dst"] = socket.inet_ntop(socket.AF_INET6,
ip.dst)
else:
offset = file.tell()
continue
self._add_hosts(connection)
if ip.p == dpkt.ip.IP_PROTO_TCP:
tcp = ip.data
if not isinstance(tcp, dpkt.tcp.TCP):self.count += 1
data = payload.get_data()
# spawn IP packet
try:
pkt = ip.IP(data)
except Exception, e:
log.warning("unsupported Layer 3 protocol or broken IP packet dropped: %s" % e)
payload.set_verdict(nfqueue.NF_DROP)
return
if pkt.p == dpkt.ip.IP_PROTO_TCP:
ret = self.tcp.handle(pkt)
payload.set_verdict(ret[1])
self.nodata_count += ret[0]
elif pkt.p == dpkt.ip.IP_PROTO_UDP:
ret = self.udp.handle(pkt)
payload.set_verdict(ret[1])
self.nodata_count += ret[0]
elif pkt.p == dpkt.ip.IP_PROTO_ICMP:
frame = pkt.data
if frame.type == dpkt.icmp.ICMP_ECHO:
log.info("ICMP ECHO %s" % inet_ntoa(pkt.dst))
return
elif frame.type == dpkt.icmp.ICMP_ECHOREPLY:
log.info("ICMP REPLY from %s" % inet_ntoa(pkt.src))
return
else:
return
else:
log.warning("unsupported protocol %s recieved (ignored)" % pkt.p)
returnlogger.debug("Starting packet capture")
for ts, pkt in pc:
# Start analyzing our packet
eth_packet = dpkt.ethernet.Ethernet(pkt)
# We only care about ethernet frames
if eth_packet.type != dpkt.ethernet.ETH_TYPE_IP:
continue
ip_packet = eth_packet.data
# UDP packet from the IP we are listening too?
if ip_packet.src == sensor_ip_int and ip_packet.p == dpkt.ip.IP_PROTO_UDP:
self.return_values['data_received'] += len(eth_packet)
total_packets += 1
self.return_values['total'] = total_packets
# Update the last packet id
if last_id is None:
last_id = ip_packet.id
# packet id be incremental, if it's not, we lost packets
elif ip_packet.id > last_id+1:
dropped = ip_packet.id - last_id - 1
dropped_packets += dropped
total_packets += droppeddef flowtuple_from_raw(raw, linktype=1):
"""Parse a packet from a pcap just enough to gain a flow description tuple"""
ip = iplayer_from_raw(raw, linktype)
if isinstance(ip, dpkt.ip.IP):
sip, dip = socket.inet_ntoa(ip.src), socket.inet_ntoa(ip.dst)
proto = ip.p
l3 = ip.data
if proto == dpkt.ip.IP_PROTO_TCP and isinstance(l3, dpkt.tcp.TCP):
sport, dport = l3.sport, l3.dport
elif proto == dpkt.ip.IP_PROTO_UDP and isinstance(l3, dpkt.udp.UDP):
sport, dport = l3.sport, l3.dport
else:
sport, dport = 0, 0
else:
sip, dip, proto = 0, 0, -1
sport, dport = 0, 0def load_engine_pkts(fspec):
pkts = []
frame_count = 1
with open(fspec, "rb") as f:
first_ts = None
for ts, frame in dpkt.pcap.Reader(f):
if first_ts is None:
first_ts = ts
eth = dpkt.ethernet.Ethernet(frame)
if eth.type != dpkt.ethernet.ETH_TYPE_IP:
# Skip non-IP frames
continue
ip = eth.data
if ip.p != dpkt.ip.IP_PROTO_UDP:
# Skip non-UDP frames
continue
udp = ip.data
if udp.data[:7] != pycozmo.protocol_declaration.FRAME_ID:
# Skip non-Cozmo frames
continue
frame = pycozmo.Frame.from_bytes(udp.data)
if frame.type not in [pycozmo.protocol_declaration.FrameType.ENGINE]:
# Skip non-engine frames
continue
for pkt in frame.pkts:
if pkt.PACKET_ID not in [pycozmo.protocol_declaration.PacketType.ACTION,
pycozmo.protocol_declaration.PacketType.UNKNOWN_0A]:
continue
pkts.append(pkt)
frame_count += 1packet_cntr += 1
eth = dpkt.ethernet.Ethernet(buf)
# Also, this changes a little bit with IPv6. To tell the difference between IPv4 and IPv6, you have to look
# at the ethertype field, which is given by http://www.iana.org/assignments/ethernet-numbers. IPv4 is 0x800 or 2048
# and IPv6 is 0x86DD or 34525
# This is simplistic - IPv4 packets can be fragmented. Also, this only works for IPv4. IPv6 has a different Ethertype
# Part of the genius of dpkt is that if you have an ethernet packet with an IPv4 payload, you get an dpkt.ip object, but if you
# have an ethernet packet with an IPv6 payload, then you get an dpkt.ip6 object, which has different fields names.
# Note how similar IPv4 and IPv6 are.
if eth.type == dpkt.ethernet.ETH_TYPE_IP :
ip = eth.data
if ip.v != 4 :
raise ValueError, "In packet %d, the ether type is IPv4 but the IP version number is %d not 4" % (
packet_cntr, ip.v )
# Deal with IP fragmentation here
if ip.p == dpkt.ip.IP_PROTO_TCP :
tcp = ip.data
else :
# Some other protocol than TCP, such as UDP. See http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml.
print "packet %d is IPv6 but not TCP. Orotocol field is %d" % (packet_cntr, ip.p )
continue
elif eth.type == dpkt.ethernet.ETH_TYPE_IP6 :
ip = eth.data
if ip.v != 6 :
raise ValueError, "In packet %d, the ether type is IPv6 but the IP version number is %d not 6" % (
packet_cntr, ip6.v )
# IPv6 packets don't fragment
if ip.nxt == dpkt.ip.IP_PROTO_TCP : # The ip6.nxt field in IPv6 is similar to the IPv4 ip.p field
tcp = ip.data
else :
# Some other protocol than TCP, such as UDP. See http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml.
print "packet %d is IPv6 but not TCP. Next header field is %d" % (packet_cntr, ip.nxt )def _filter_packets(source):
for timestamp, raw in source:
eth = dpkt.ethernet.Ethernet(raw)
ip = eth.data
if not isinstance(ip, dpkt.ip.IP):
continue
seg = ip.data
if isinstance(seg, (dpkt.tcp.TCP, dpkt.udp.UDP)):
yield timestamp, ip, segdef rawHandler(self, pktlen, pkt, ts, **kwargs):
'''takes ethernet data and determines if it contains IP or IP6.
defragments IPv4
if 6to4, unencaps the IPv6
If IP/IP6, hands off to IPDecoder via IPHandler()'''
try:
# if this is an IPv4 packet, defragment, decode and hand it off
if type(pkt.data) == dpkt.ip.IP:
if self.defrag:
# return packet if whole, None if more frags needed
pkt = self.ipdefrag(pkt.data)
else:
pkt = pkt.data # get the layer 3 packet
if pkt: # do we have a whole IP packet?
if self.decode6to4 and pkt.p == dpkt.ip.IP_PROTO_IP6:
pass # fall thru to ip6 decode
elif not self.v6only: # if we are decoding ip4
sip, dip = socket.inet_ntoa(
pkt.src), socket.inet_ntoa(pkt.dst)
# try to decode ports
try:
sport, dport = pkt.data.sport, pkt.data.dport
except: # no ports in this layer-4 protocol
sport, dport = None, None
# generate int forms of src/dest ips
sipint, dipint = struct.unpack(
'!L', pkt.src)[0], struct.unpack('!L', pkt.dst)[0]
# call IPHandler with extra data
self.IPHandler(((sip, sport), (dip, dport)), pkt, ts,
pkttype=dpkt.ethernet.ETH_TYPE_IP,
proto=self.IP_PROTO_MAP.get(def pcap_parser(fname):
f = open(fname, "rb")
pcap = dpkt.pcap.Reader(f)
index = 0
for _, buf in pcap:
index = index + 1
eth = dpkt.ethernet.Ethernet(buf)
if eth.type == dpkt.ethernet.ETH_TYPE_IP or eth.type == dpkt.ethernet.ETH_TYPE_IP6:
ip = eth.data
if eth.type == dpkt.ethernet.ETH_TYPE_IP and ip.p != dpkt.ip.IP_PROTO_UDP:
continue
if eth.type == dpkt.ethernet.ETH_TYPE_IP6 and ip.nxt != dpkt.ip.IP_PROTO_UDP:
continue
ip_headers = ip.pack_hdr()
source_geoip = ip_headers[-8:-4]
udp = ip.data
data = udp.data
if udp.dport != 3222: # is this GLBP traffic?
continue
if ord(data[0]) != 1: # GLBP version
continue
if len(data) < 40: # XXX rough estimate ;)
continuedpkt
fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols
