#!/usr/bin/env python

# disable scapy's IPv6 error message at import time; the scapy import has to
# stay between the two setLevel calls, so this block is not re-sorted
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
logging.getLogger("scapy.runtime").setLevel(logging.WARN)
from pprint import pprint
import os
import subprocess

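# Disable payload guessing for IP so scapy does not dissect the layers above
# IP; only the addresses and frame sizes are needed here (saves about two
# seconds of runtime).
IP.payload_guess = []

# flowset maps an address pair (a, b) -- a being the source of the first
# matching frame seen for that pair -- to a tuple
# (frames a->b, frames b->a, {wire length: frame count}).
flowset = {}

# Number of IP frames that passed the wire-length filter.
fcount = 0

# PcapReader discards the wire length, so the raw records are read instead
# ( http://stackoverflow.com/questions/21752576/whole-packet-length-scapy ).
reader = RawPcapReader('ex22.pcap')
try:
    for pkt, meta in reader:
        # The per-record metadata starts with (sec, usec, wirelen). Indexing
        # instead of unpacking exactly three names also works if the reader
        # yields a longer metadata tuple.
        wirelen = meta[2]
        # Only frames that were exactly 42 bytes on the wire are counted.
        # Testing this first avoids dissecting every other frame.
        if wirelen != 42:
            continue
        p = Ether(pkt)
        if IP not in p:
            continue
        src = p[IP].src
        dst = p[IP].dst
        fcount = fcount + 1

        # Find the existing entry for this pair, whichever direction it was
        # first recorded in; a pair seen for the first time starts a new one.
        if (src, dst) in flowset:
            key, forward = (src, dst), True
        elif (dst, src) in flowset:
            key, forward = (dst, src), False
        else:
            flowset[(src, dst)] = (1, 0, {wirelen: 1})
            continue

        sent, returned, lengths = flowset[key]
        lengths[wirelen] = lengths.get(wirelen, 0) + 1
        if forward:
            flowset[key] = (sent + 1, returned, lengths)
        else:
            flowset[key] = (sent, returned + 1, lengths)
finally:
    # Release the capture file handle even if dissection fails part-way.
    reader.close()

print("fcount: %d" % fcount)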

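# Address pairs with more than 200 counted frames in at least one direction,
# mapped to (frames in the recorded direction, frames in the reverse one).
largeflows = {}

# Running index used to number the extracted capture files.
filecount = 0
for flow, counts in flowset.items():
    if counts[0] > 200 or counts[1] > 200:
        largeflows[flow] = (counts[0], counts[1])
        # Extract each busy direction into its own pcap file, recorded
        # direction first and reverse direction second.
        for count, ip_src, ip_dst in ((counts[0], flow[0], flow[1]),
                                      (counts[1], flow[1], flow[0])):
            if count <= 200:
                continue
            filecount = filecount + 1
            filename = "large_flow_%02d.pcap" % filecount
            # The addresses originate from the capture file, so tshark gets
            # an argument vector rather than a concatenated shell command:
            # no shell runs and the filter text is passed as one argument.
            argv = [
                'tshark', '-r', 'ex22.pcap', '-w', filename, '-F', 'pcap',
                'ip.src == ' + ip_src + ' and ip.dst == ' + ip_dst
                + ' and frame.len == 42',
            ]
            try:
                status = subprocess.call(argv)
            except OSError as exc:
                # tshark missing or not executable: keep going so the
                # summary below is still printed.
                logging.warning("could not run tshark for %s: %s",
                                filename, exc)
                continue
            if status != 0:
                # A failed extraction would otherwise go unnoticed.
                logging.warning("tshark exited with status %d while writing %s",
                                status, filename)

pprint(largeflows)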
