Issue reading packets from a pcap file. dpkt module. What gives?
I am running the following test script to try to read packets from a sample .pcap file I have downloaded. It won't seem to run. I have all of the modules, but no examples seem to be running.
import socket
import dpkt
import sys
pcapReader = dpkt.pcap.Reader(file("test1.pcap", "rb"))
for ts, data in pcapReader:
    ether = dpkt.ethernet.Ethernet(data)
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
    ip = ether.data
    src = socket.inet_ntoa(ip.src)
    dst = socket.inet_ntoa(ip.dst)
    print "%s -> %s" % (src, dst)
For some reason, this is not being interpreted properly. When running it, I get
KeyError: 138
module body in test.py at line 4
function __init__ in pcap.py at line 105
Program exited.
Why is this? What's wrong? Is there an issue with my installation? I'm using Python 2.6 on a mac
Do
pcapReader = dpkt.pcap.Reader(open('test1.pcap'))
Instead of:
pcapReader = dpkt.pcap.Reader(file("test1.pcap", "rb"))
Line 105 of dpkt.pcap module is using the pcap file's link type to access a dictionary of link type mappings:
self.dloff = dltoff[self.__fh.linktype]
The dltoff dictionary is defined at the top of the module and it does not contain the key 138, hence the exception you are seeing. According to tcpdump's link types page, a value of 138 is the link type for LINKTYPE_APPLE_IP_OVER_IEEE1394. If this is not the link type you expect, then the pcap file may be corrupt. Otherwise, you could try updating the dltoff dictionary and adding an entry for 138. According to its packet structure, its header is 18 bytes long. So adding the following instructions after line 40 of dpkt/pcap.py should work:
LINKTYPE_APPLE_IP_OVER_IEEE1394 = 138
dltoff[LINKTYPE_APPLE_IP_OVER_IEEE1394] = 18
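The check described in the answer above, as an added example that is not part of the original answer or dpkt's own code: it reads the link type from the 24-byte pcap global header without dpkt, so you can see which value a reader would look up before it raises KeyError. It is written for Python 3; `HEADER_LEN`, `pcap_linktype`, `describe` and `make_header` are names assumed for this example, and the sample headers are constructed.

```python
import struct

# pcap link type -> link-layer header length; 138 -> 18 is from the answer above.
HEADER_LEN = {
    0: 4,      # LINKTYPE_NULL (BSD loopback)
    1: 14,     # LINKTYPE_ETHERNET
    101: 0,    # LINKTYPE_RAW (packet starts at the IP header)
    113: 16,   # LINKTYPE_LINUX_SLL
    138: 18,   # LINKTYPE_APPLE_IP_OVER_IEEE1394
}

PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"


def pcap_linktype(header):
    """Return the link type from the 24-byte pcap global header."""
    if header[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng capture, not classic pcap")
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    endian = PCAP_MAGICS.get(header[:4])
    if endian is None:
        raise ValueError("not a pcap file (bad magic)")
    # magic, version major/minor, thiszone, sigfigs, snaplen, network
    fields = struct.unpack(endian + "4sHHiIII", header[:24])
    return fields[6] & 0xFFFF  # low 16 bits hold the link type


def describe(header):
    """Return (linktype, header length, or None if this table lacks it)."""
    lt = pcap_linktype(header)
    return lt, HEADER_LEN.get(lt)


def make_header(linktype, endian="<"):
    """Constructed sample: a pcap 2.4 global header with the given link type."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    return magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, 65535, linktype)


if __name__ == "__main__":
    for lt in (1, 138, 192):
        print(describe(make_header(lt)))
```

On a real capture, pass the first 24 bytes of the file opened in binary mode, for example `describe(open("test1.pcap", "rb").read(24))`.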
Well you seem to be short of assistance ... I don't know a pcap from a kneecap, so all I can do is try to help you help yourself. Suggestions:
(1) Have you had a look at line 105 of pcap.py? I guess that the "KeyError: 138" means that it is trying to access a dictionary, but the dictionary doesn't have 138 (or "138") as a key. What is the variable containing 138? A byte from a packet?
(2) Consider asking the author/maintainer of pcap.
(3) Consider providing a URL for pcap.
I also encountered a similar problem, but in my case it was KeyError 192.
I found that my dpkt/pcap.py is not complete and is a very old version.
So I uninstalled the current package
sudo apt-get remove python-dpkt
Use pip to install the latest
pip install dpkt
And that finally solved the problem, good luck to you!