8.3. steelscript.packets.core.pcap API¶
The pcap module defines the PCAP and PCAPNG decoders and a PCAP Writer class
8.3.1. PCAPReader Class¶
-
class
steelscript.packets.core.pcap.PCAPReader¶ -
__init__(file_handle, pk_format=pktypes.array_data)¶ Create a PCAPReader instance. PCAPReader is a pcap and pcapng reader object. From the file data it will determine what type of PCAP file is being read and initialize a decoder instance to handle that format.
Notes about use:
Each call to next() will return a tuple of 3 elements if data is still present in the file. The three elements are the timestamp of the packet, the packet data, and the Network Layer of the packet. Network Layer 1 is Ethernet.
PCAPReader is implemented as an iterator. So packets can be proceeded by calling ‘for timestamp, pkt, net_layer in pcap_reader:’
- Args:
file_handle (object): file handle object of the pcap file. Open for read. pk_format (1 or 2): This determines what type of data is returned for every call to next(). Default (2) is to return the packet data as an array.array of bytes. If 1 is specified then the packet data will be returned as a bytes string.
-
close()¶ Close the underlying file object. Better done by using a PCAPReader in a context manager.
-
next¶
-
pkts()¶ Generates a list object containing all the packets in a pcap file. Should only be used for very small pcap files.
- Returns:
list: containing byte strings or array.array of bytes depending on the value of pk_format.
-
8.3.2. PCAPWriter Class¶
-
class
steelscript.packets.core.pcap.PCAPWriter¶ Object for writing PCAP (libpcap format) files.
-
__init__(file_handle, snap_len=1500, net_layer=1)¶ Creates a pcap writer. Requires a file opened for write.
- Args:
file_handle (object): File handle opened for write.
snap_len (uint16_t): Length of each packet to capture in bytes. Set to 65535 by tcpdump when -s0 is used.
net_layer(uint16_t): link-layer header type. 1 is the value for Ethernet.For other supported values see:
-
close()¶ Close the underlying file object.
-
writepkt()¶ Write the bytes of a single packet to an open pcap file.
- Args:
pkt (bytes): Packet data in network order byte string ts (double): Timestamp to mark this packet header with. If the value 0.00 is used then writepkt() will fill in the current time.
-