1. Introduction
I have recently been doing traffic analysis, so today I am writing up the scapy part.
Python's scapy library makes it easy to capture and parse packets, but the documentation is thin, the official examples are few, and it is rarely covered in blogs. After some experimentation I have collected the following usages so that they are easy to find later.
2. Usage examples
- Installation
As a beginner, the first question is how to install it. My machine runs Fedora, and I recommend Linux. The simplest route is pip (as root, or with sudo):
pip install scapy
- Type scapy in a terminal; if the interactive scapy prompt appears, the installation worked.
- Capturing packets
from scapy.all import *
dpkt = sniff(iface = "wlp7s0", count = 100)
sniff() is a scapy built-in function with many parameters, and not all of them are explained here.
The iface parameter is the network interface to capture on (eth0 and so on; mine is wlp7s0), count is the number of packets to capture (100 here), and filter takes a BPF expression such as "tcp port 80" so that only matching traffic is captured. Capturing from a live interface needs root (or the CAP_NET_RAW capability).
- Saving in pcap format
wrpcap("demo.pcap", dpkt)
pcap is the most widely supported capture format, so the captured packets can be saved as a pcap and opened in Wireshark or any other tool.
dpkt here is the capture returned by the sniff() call above.
To see more information, print it (the screenshot is omitted):
The summary shows that this capture holds 94 TCP packets, 4 UDP packets and two packets of other types.
Like a Python list it supports subscript access, so you can write a for loop to iterate over each packet, and len() gives the number of packets.
Note that dpkt is neither a list nor a string (it is a scapy PacketList), so if you want to do string processing on a packet, convert it explicitly first: bytes(pkt) gives the raw bytes of the packet (str(pkt) did the same under Python 2).
Scapy's strength is that every field of every layer can be inspected. First let us look at which fields exist:
ls() with no argument lists the supported protocol layers, and ls() with a layer, e.g. ls(TCP), shows that layer's fields in detail:
There is even hardware-level information, in the Ether layer fields:
There are many more; explore them yourself, as screenshots are omitted here.
Once you know which fields a layer has, you can access them:
For example, take the fourth packet, dpkt[3]:
Its structure is clear: first the Ether layer, then the IP layer, then the TCP layer, and each field is reached through its layer, e.g. dpkt[3][IP].src or dpkt[3][TCP].dport.
Note that not every packet carries these layers. Every frame has an Ether layer, but a UDP packet has a UDP layer instead of TCP, and an ARP packet has neither an IP nor a TCP layer, so dpkt[i][IP] on an ARP packet raises an error because there is no IP layer to index. To avoid this, check the Ether type field to decide whether it is an IP packet (0x0800) and the IP proto field to decide whether it is TCP (6) or UDP (17); equivalently, test for a layer before indexing it with IP in dpkt[i] or dpkt[i].haslayer(TCP).
The payload carried by a packet is in the dpkt[i][Raw].load field (assuming packet i+1 actually carries data); in the same way, a packet without payload has no Raw layer and therefore no load field. For example:
The sixth packet has no Raw data, so accessing it raises an error; the seventh has Raw data and its payload can be read.
- Using an offline pcap file instead of a live interface:
pcap = sniff(offline = "xx/xx.pcap")
- To be continued and updated.
Python+scapy capture and parsing