8.4. steelscript.packets.query.pcap_query API

pcap_query provides a class that enables quick queries over Ethernet packets in a PCAP file. The query is extensible with additional steelscript.packets.inetpkt.PKT-based packet classes.

In order to be compatible with PcapQuery, a PKT-based class must be a layer 7 protocol and must implement the query_info() and default_ports() classmethods as well as the get_field_val(field_name) instance method. Adding support for PKT-based classes at other layers would require submitting changes to the Ethernet or IP classes, and that is something, for the record, that we encourage. Please see the steelscript.packets tutorial for details.

8.4.1. PcapQuery Class

class steelscript.packets.query.pcap_query.PcapQuery

Object that performs pcap_query. Supports adding additional packet classes. Also supports custom layer 7 port mapping.

__init__(pkt_classes, l7_ports)

Create a PcapQuery object.

Args:
pkt_classes (list):
 A list of additional packet classes to be used. Each class must have a classmethod query_info() that returns a tuple of the packet type and a tuple of supported field names. See the steelscript.packets tutorial for implementation details.
l7_ports (dict):
 A dictionary mapping port numbers (the keys) to packet classes (the values), used by layer 4 protocols such as TCP and UDP to decode their payload.
fields_supported()

Helper function that checks a list of field names to see if THIS instance of PcapQuery can service all of the fields. Used, for example, by steelscript.wireshark.pcap.PcapFile.query() to determine whether this PcapQuery instance will be able to perform a particular query. If fields_supported returns 0, steelscript.wireshark.pcap.PcapFile.query() falls back on tshark, which supports a larger set of fields.

Args:
field_names (list):
 Field names to be used by a follow up query.
Returns:
bool:
 1 if all fields are supported, 0 otherwise.
pcap_query()

Perform the actual pcap query. ONLY Ethernet packets are supported at this time.

Args:
file_handle (object):
 The open PCAP file object to read data from.
wshark_fields (list):
 A list of the fields that the query should populate in the output data.
starttime (double):
 Start time of the query (epoch timestamp).
endtime (double):
 End time of the query (epoch timestamp).
rdf (0 or 1):
 Return data as a pandas DataFrame. Requires pandas to be installed.
as_datetime (0 or 1):
 Cast all timestamps into datetime.datetime() objects. Slower than simply returning the raw timestamps.
Returns:
list or pandas DataFrame:
 Contains a single entry for each matching packet in the PCAP.
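As an added illustration, not code from steelscript.packets, the following stand-alone Python sketch shows the extension contract described above and the conventions documented for fields_supported() and pcap_query(). HelloPkt is a hypothetical layer 7 class exposing query_info(), default_ports() and get_field_val(); MiniPcapQuery is a stand-in written here that mirrors the documented method names (1/0 return from fields_supported, starttime/endtime filtering, the as_datetime cast, l7_ports overriding a class's default ports) while reading a constructed in-memory PCAP. The class names, the base field names, port 7777 and the sample packets are all assumptions; the rdf/pandas option is omitted, and the real PcapQuery's decoding and field set will differ.

```python
import struct
from datetime import datetime, timezone
from io import BytesIO


class HelloPkt:
    """Hypothetical layer-7 class for a toy UDP protocol with payload b'HELLO <name>' (not a steelscript class)."""

    def __init__(self, payload):
        self.payload = payload

    @classmethod
    def query_info(cls):
        # (packet type, tuple of field names this class can service), as the docs require
        return ('hello', ('hello.name', 'hello.len'))

    @classmethod
    def default_ports(cls):
        return (7777,)  # constructed port number for the toy protocol

    def get_field_val(self, field_name):
        if field_name == 'hello.len':
            return len(self.payload)
        if field_name == 'hello.name':
            return self.payload[6:].decode('ascii', 'replace') if self.payload.startswith(b'HELLO ') else None
        raise KeyError(field_name)


class MiniPcapQuery:
    """Stand-in mirroring the documented method names and return conventions; not steelscript's PcapQuery."""
    BASE_FIELDS = ('frame.time_epoch', 'ip.src', 'ip.dst', 'udp.srcport', 'udp.dstport')  # assumed names

    def __init__(self, pkt_classes, l7_ports=None):
        self.fields = set(self.BASE_FIELDS)
        self.l7_ports = {}
        for cls in pkt_classes:
            self.fields.update(cls.query_info()[1])
            for port in cls.default_ports():
                self.l7_ports[port] = cls
        self.l7_ports.update(l7_ports or {})  # an explicit port map overrides the class defaults

    def fields_supported(self, field_names):
        return 1 if all(f in self.fields for f in field_names) else 0

    def pcap_query(self, file_handle, wshark_fields, starttime=0.0, endtime=float('inf'), as_datetime=0):
        magic = file_handle.read(24)[:4]  # classic pcap global header is 24 bytes; magic gives byte order
        endian = '<' if magic == b'\xd4\xc3\xb2\xa1' else '>'
        rows = []
        while True:
            hdr = file_handle.read(16)  # per-record header: ts_sec, ts_usec, incl_len, orig_len
            if len(hdr) < 16:
                break
            ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + 'IIII', hdr)
            frame = file_handle.read(incl_len)
            ts = ts_sec + ts_usec / 1e6
            if starttime <= ts <= endtime:
                row = self._decode(frame, ts, wshark_fields, as_datetime)
                if row is not None:
                    rows.append(row)
        return rows

    def _decode(self, frame, ts, wshark_fields, as_datetime):
        # Ethernet II -> IPv4 -> UDP only; every other frame is skipped
        if len(frame) < 42 or frame[12:14] != b'\x08\x00' or frame[23] != 17:
            return None
        ihl = (frame[14] & 0x0F) * 4
        ip, udp = frame[14:14 + ihl], frame[14 + ihl:14 + ihl + 8]
        sport, dport, ulen, _ = struct.unpack('!HHHH', udp)
        payload = frame[14 + ihl + 8:14 + ihl + ulen]
        l7cls = self.l7_ports.get(dport) or self.l7_ports.get(sport)  # port map picks the layer-7 decoder
        l7 = l7cls(payload) if l7cls else None
        base = {'frame.time_epoch': datetime.fromtimestamp(ts, tz=timezone.utc) if as_datetime else ts,
                'ip.src': '.'.join(map(str, ip[12:16])), 'ip.dst': '.'.join(map(str, ip[16:20])),
                'udp.srcport': sport, 'udp.dstport': dport}
        return [base[f] if f in base
                else l7.get_field_val(f) if l7 is not None and f in l7.query_info()[1]
                else None for f in wshark_fields]


def _udp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left at 0 because nothing here validates them."""
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.')))) + udp
    return b'\xaa' * 6 + b'\xbb' * 6 + b'\x08\x00' + ip


def build_sample_pcap():
    """Constructed little-endian pcap (linktype 1 = Ethernet) holding three UDP packets."""
    recs = [(1700000000.0, _udp_frame('10.0.0.1', '10.0.0.2', 40000, 7777, b'HELLO alice')),
            (1700000001.5, _udp_frame('10.0.0.2', '10.0.0.1', 7777, 40000, b'HELLO bob')),
            (1700000005.0, _udp_frame('10.0.0.3', '10.0.0.2', 40001, 53, b'\x00' * 12))]
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in recs:
        sec = int(ts)
        out += struct.pack('<IIII', sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


def run_demo(fields=('frame.time_epoch', 'ip.src', 'udp.dstport', 'hello.name'),
             starttime=1700000000.0, endtime=1700000002.0, as_datetime=0):
    """Check the fields first, as PcapFile.query() would; 0 means the caller should fall back to tshark."""
    pq = MiniPcapQuery([HelloPkt])
    if not pq.fields_supported(fields):
        return None
    return pq.pcap_query(BytesIO(build_sample_pcap()), list(fields), starttime, endtime, as_datetime)
```

Running run_demo() returns one row per packet inside the time window (the third packet, at 1700000005, is excluded), with the hello.name column filled in only for packets whose port maps to HelloPkt; a query naming a field no registered class services, such as 'http.host', is refused by fields_supported() before any packet is read.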