Parsing an IP address with dpkt
I am using dpkt to parse a pcap file, however I am confused as to how to extract the destination IP address. I am processing packets using eth = dpkt.ethernet.Ethernet(buf)
that returns an ethernet object that looks like this:
Ethernet(src='\x00\x1a\xa0kUf', dst='\x00\x13I\xae\x84,', data=IP(src='\xc0\xa8\n\n',
off=16384, dst='C\x17\x030', sum=25129, len=52, p=6, id=51105, data=TCP(seq=9632694,
off_x2=128, ack=3382015884, win=54, sum=65372, flags=17, dport=80, sport=56145)))
I am confused about two things.
- Should I capture the dst field in Ethernet or IP (Ethernet.data)?
- How can I turn these strange lines into ip addresses of the form xxxx, where x is an integer between 0 and 255?
I tried a solution like Convert "little endian" hex string for IP address in Python , but both dst fields sometimes contain data that apparently cannot be parsed to IP address, such _daQ
as (how _daQ is handled for address ?) or RT\x00\x125\x02
(what is RT?) or 33\x00\x01\x00\x03
(what is 33 at the beginning and why does it look like 5 bytes and not 4?)
source to share
- The field
eth.dst
will contain the destination MAC address (for example01:23:45:67:89:ab
), not the destination IP address. You need the ip.dst field. - Strings are byte strings, not ASCII (or otherwise) encoded readable character strings.
Try the following:
ip_hdr = eth.data
ip_hdr.dst # will contain your destination IP address in BINARY
# adapted from http://www.commercialventvac.com/dpkt.html#mozTocId303989
import socket
dst_ip_addr_str = socket.inet_ntoa(ip_hdr.dst)
source to share