packet.pktt (3) - Linux Manuals
NAME
    packet.pktt - Packet trace module
DESCRIPTION
    The Packet trace module is a Python module that takes a trace file created by tcpdump and unpacks the contents of each packet. You can decode one packet at a time, or search for specific packets. The main difference between this module and other tools used to decode trace files is that this module can be used to completely automate your tests.

    How does it work? It opens the trace file and reads one record at a time, keeping track of where each record starts. This way, very large trace files can be opened without having to wait for the file to load, and the whole file is never loaded into memory.
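The record-at-a-time approach described above, as an added example that is not code from the packet.pktt module or its author: a minimal reader for the tcpdump file format that detects little- or big-endian headers from the magic number, remembers the file offset where each record starts, and rejects records whose lengths exceed the header's snaplen, so a truncated or corrupted file raises an error instead of yielding garbage. The sample trace is constructed in memory; no real capture is needed.

```python
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic tcpdump magic number (microsecond timestamps)

def pcap_records(fobj):
    """Lazily yield (index, offset, ts_sec, ts_usec, data) for each record."""
    hdr = fobj.read(24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number reveals the byte order the file was written in
    if struct.unpack("<I", hdr[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", hdr[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a tcpdump trace file")
    snaplen = struct.unpack(endian + "IHHiIII", hdr)[5]
    index = 0
    while True:
        offset = fobj.tell()  # remember where this record starts
        rec = fobj.read(16)
        if not rec:
            return            # clean <EOF>
        if len(rec) < 16:
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        # Lengths larger than snaplen or the original packet cannot come from
        # tcpdump; a corrupted file must not drive how much we read
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("bad record length at offset %d" % offset)
        data = fobj.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        yield index, offset, ts_sec, ts_usec, data
        index += 1

def build_trace(endian, payloads):
    """Construct a pcap byte string (sample input, not a real capture)."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, data in enumerate(payloads):
        out += struct.pack(endian + "IIII", 1000 + i, 0, len(data), len(data)) + data
    return out

def index_trace(raw):
    """Return (index, offset, length) for every record without keeping the data."""
    return [(i, off, len(d)) for i, off, _, _, d in pcap_records(io.BytesIO(raw))]

def is_valid_trace(raw):
    """True if every record parses cleanly, False on a bad header or truncation."""
    try:
        return index_trace(raw) is not None
    except ValueError:
        return False
```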
Packet layers supported:
    Methods defined here:
    ---------------------
    __init__(self, pktt)
class Pktt(baseobj.BaseObj, packet.unpack.Unpack)
    Packet trace object

    Usage:
        from packet.pktt import Pktt

        x = Pktt("/traces/tracefile.cap")

        # Iterate over all packets found in the trace file
        for pkt in x:
            print pkt

    Methods defined here:
    ---------------------
    __contains__(self, expr)
        Implement membership test operator.
        Return true if expr matches a packet in the trace file, false
        otherwise. The packet is also stored in the object attribute pkt.

        Examples:
            # Find the next READ request
            if ("NFS.argop == 25" in x):
                print x.pkt.nfs

        See match() method for more information

    __del__(self)
        Destructor

        Gracefully close the tcpdump trace file if it is opened.

    __getitem__(self, index)
        Get the packet from the trace file given by the index or raise
        IndexError. The packet is also stored in the object attribute pkt.

        Examples:
            pkt = x[index]

    __init__(self, tfile, live=False, state=True)
        Constructor

        Initialize the object's private data; note that this will not check
        the file for existence, nor open the file to verify that it is a
        valid tcpdump file. The tcpdump trace file will be opened the first
        time a packet is retrieved.
        tfile:
            Name of tcpdump trace file or a list of trace file names
            (little or big endian format)
        live:
            If set to True, methods will not return when <EOF> is
            encountered; they will keep on trying until more data is
            available in the file. This is useful when running tcpdump in
            parallel, especially when tcpdump is run with the '-C' option,
            in which case when <EOF> is encountered the next trace file
            created by tcpdump will be opened and the object will be
            re-initialized; all private data referencing the previous file
            is lost.
    match(self, expr, ...)
        - expr: String of expressions to be evaluated
        - The match fails if packet index hits this limit
        - Rewind to index where matching started if match fails
        - Match RPC replies of previously matched calls as well

        Examples:
            # Find the packet with both the ACK and SYN TCP flags set to 1
            pkt = x.match("TCP.flags.ACK == 1 and TCP.flags.SYN == 1")

            # Find the next NFS EXCHANGE_ID request
            pkt = x.match("NFS.argop == 42")

            # Find the next NFS EXCHANGE_ID or CREATE_SESSION request
            pkt = x.match("NFS.argop in [42,43]")

            # Find the next NFS OPEN request or reply
            pkt = x.match("NFS.op == 18")

            # Find all packets coming from subnet 192.168.1.0/24 using
            # a regular expression
            while x.match(r"IP.src == re('192.168.1.*')"):
                print x.pkt.tcp

            # Find packet having a GETATTR asking for FATTR4_FS_LAYOUT_TYPES(bit 62)
            pkt_call = x.match("NFS.attr_request & 0x4000000000000000L != 0")
            if pkt_call:
                # Find GETATTR reply
                xid = pkt_call.rpc.xid
                # Find reply where the number 62 is in the array NFS.attributes
                pkt_reply = x.match("RPC.xid == %d and 62 in NFS.attributes" % xid)

            # Find the next WRITE request
            pkt = x.match("NFS.argop == 38")
            if pkt:
                print pkt.nfs

            # Same as above, but using membership test operator instead
            if ("NFS.argop == 38" in x):
                print x.pkt.nfs

        See also: match_ethernet(), match_ip(), match_tcp(), match_rpc(), match_nfs()
BUGS
    No known bugs.

AUTHOR
    Jorge Mora (mora [at] netapp.com)