packet.pktt (3) - Linux Man Pages

packet.pktt: Packet trace module

NAME

packet.pktt - Packet trace module

DESCRIPTION

The Packet trace module is a python module that takes a trace file created by tcpdump and unpacks the contents of each packet. You can decode one packet at a time, or do a search for specific packets. The main difference between these modules and other tools used to decode trace files is that you can use this module to completely automate your tests.

How does it work? It opens the trace file and reads one record at a time keeping track where each record starts. This way, very large trace files can be opened without having to wait for the file to load and avoid loading the whole file into memory.

Packet layers supported:
 - ETHERNET II (RFC 894)
 - IP layer (supports IPv4 and IPv6)
 - UDP layer
 - TCP layer
 - RPC layer
 - NFS v4.0
 - NFS v4.1 including pNFS file layouts
 - NFS v4.2
 - PORTMAP v2
 - MOUNT v3
 - NLM v4

CLASSES

class Header(baseobj.BaseObj)

Methods defined here:
---------------------

__init__(self, pktt)

class Pktt(baseobj.BaseObj, packet.unpack.Unpack)

Packet trace object

Usage:
    from packet.pktt import Pktt

    x = Pktt("/traces/tracefile.cap")

    # Iterate over all packets found in the trace file
    for pkt in x:
        print pkt


Methods defined here:
---------------------

__contains__(self, expr)
Implement membership test operator.
Return true if expr matches a packet in the trace file,
false otherwise.

The packet is also stored in the object attribute pkt.

Examples:
    # Find the next READ request
    if ("NFS.argop == 25" in x):
        print x.pkt.nfs

See match() method for more information

__del__(self)
Destructor

Gracefully close the tcpdump trace file if it is opened.

__getitem__(self, index)
Get the packet from the trace file given by the index
or raise IndexError.

The packet is also stored in the object attribute pkt.

Examples:
    pkt = x[index]

__init__(self, tfile, live=False, state=True)
Constructor

Initialize object's private data, note that this will not check the
file for existence nor will open the file to verify if it is a valid
tcpdump file. The tcpdump trace file will be opened the first time a
packet is retrieved.

tracefile:
Name of tcpdump trace file or a list of trace file names (little or big endian format)
live:
If set to True, methods will not return if encountered <EOF>, they will keep on trying until more data is available in the file. This is useful when running tcpdump in parallel, especially when tcpdump is run with the '-C' option, in which case when <EOF> is encountered the next trace file created by tcpdump will be opened and the object will be re-initialized, all private data referencing the previous file is lost.
__iter__(self) Make this object iterable. clear_xid_list(self) Clear list of outstanding xids match(self, expr, maxindex=None, rewind=True, reply=False) Return the packet that matches the given expression, also the packet index points to the next packet after the matched packet. Returns None if packet is not found and the packet index points to the packet at the beginning of the search.
expr:
String of expressions to be evaluated
maxindex:
The match fails if packet index hits this limit
rewind:
Rewind to index where matching started if match fails
reply:
Match RPC replies of previously matched calls as well
Examples: # Find the packet with both the ACK and SYN TCP flags set to 1 pkt = x.match("TCP.flags.ACK == 1 and TCP.flags.SYN == 1") # Find the next NFS EXCHANGE_ID request pkt = x.match("NFS.argop == 42") # Find the next NFS EXCHANGE_ID or CREATE_SESSION request pkt = x.match("NFS.argop in [42,43]") # Find the next NFS OPEN request or reply pkt = x.match("NFS.op == 18") # Find all packets coming from subnet 192.168.1.0/24 using # a regular expression while x.match(r"IP.src == re('192.168.1.*')"): print x.pkt.tcp # Find packet having a GETATTR asking for FATTR4_FS_LAYOUT_TYPES(bit 62) pkt_call = x.match("NFS.attr_request & 0x4000000000000000L != 0") if pkt_call: # Find GETATTR reply xid = pkt_call.rpc.xid # Find reply where the number 62 is in the array NFS.attributes pkt_reply = x.match("RPC.xid == %d and 62 in NFS.attributes" % xid) # Find the next WRITE request pkt = x.match("NFS.argop == 38") if pkt: print pkt.nfs # Same as above, but using membership test operator instead if ("NFS.argop == 38" in x): print x.pkt.nfs See also: match_ethernet(), match_ip(), match_tcp(), match_rpc(), match_nfs()
match_nfs(self, uargs) Match NFS values on current packet. In NFSv4, there is a single compound procedure with multiple operations, matching becomes a little bit tricky in order to make the matching expression easy to use. The NFS object's name space gets converted into a flat name space for the sole purpose of matching. In other words, all operation objects in array are treated as being part of the NFS object's top level attributes. Consider the following NFS object: nfsobj = COMPOUND4res( status=NFS4_OK, tag='NFSv4_tag', array = [ nfs_resop4( resop=OP_SEQUENCE, opsequence=SEQUENCE4res( status=NFS4_OK, resok=SEQUENCE4resok( sessionid='sessionid', sequenceid=29, slotid=0, highest_slotid=179, target_highest_slotid=179, status_flags=0, ), ), ), nfs_resop4( resop=OP_PUTFH, opputfh = PUTFH4res( status=NFS4_OK, ), ), ... ] ), The result for operation PUTFH is the second in the list: putfh = nfsobj.array[1] From this putfh object the status operation can be accessed as: status = putfh.opputfh.status or simply as (this is how the NFS object works): status = putfh.status In this example, the following match expression 'NFS.status == 0' could match the top level status of the compound (nfsobj.status) or the putfh status (nfsobj.array[1].status) The following match expression 'NFS.sequenceid == 25' will also match this packet as well, even though the actual expression should be 'nfsobj.array[0].opsequence.resok.sequenceid == 25' or simply 'nfsobj.array[0].sequenceid == 25'. This approach makes the match expressions simpler at the expense of having some ambiguities on where the actual matched occurred. If a match is desired on a specific operation, a more qualified name can be given. In the above example, in order to match the status of the PUTFH operation the match expression 'NFS.opputfh.status == 0' can be used. On the other hand, consider a compound having multiple PUTFH results the above match expression will always match the first occurrence of PUTFH where the status is 0. There is no way to tell the match engine to match the second or Nth occurrence of an operation. next(self) Get the next packet from the trace file or raise StopIteration. The packet is also stored in the object attribute pkt. Examples: # Iterate over all packets found in the trace file using # the iterable properties of the object for pkt in x: print pkt # Iterate over all packets found in the trace file using it # as a method and using the object variable as the packet # Must use the try statement to catch StopIteration exception try: while (x.next()): print x.pkt except StopIteration: pass # Iterate over all packets found in the trace file using it # as a method and using the return value as the packet # Must use the try statement to catch StopIteration exception while True: try: print x.next() except StopIteration: break NOTE: Supports only single active iteration rewind(self, index=0) Rewind the trace file by setting the file pointer to the start of the given packet index. Returns False if unable to rewind the file, e.g., when the given index is greater than the maximum number of packets processed so far. Static methods defined here: ---------------------------- escape(data) Escape special characters. Examples: # Call as an instance escaped_data = x.escape(data) # Call as a class escaped_data = Pktt.escape(data) ip_tcp_dst_expr(ipaddr, port) Return a match expression to find a packet going to ipaddr:port. Examples: # Call as an instance expr = x.ip_tcp_dst_expr('192.168.1.50', 2049) # Call as a class expr = Pktt.ip_tcp_dst_expr('192.168.1.50', 2049) # Returns "IP.dst == '192.168.1.50' and TCP.dst_port == 2049" # Expression ready for x.match() pkt = x.match(expr) ip_tcp_src_expr(ipaddr, port) Return a match expression to find a packet coming from ipaddr:port. Examples: # Call as an instance expr = x.ip_tcp_src_expr('192.168.1.50', 2049) # Call as a class expr = Pktt.ip_tcp_src_expr('192.168.1.50', 2049) # Returns "IP.src == '192.168.1.50' and TCP.src_port == 2049" # Expression ready for x.match() pkt = x.match(expr)

BUGS

No known bugs.

AUTHOR

Jorge Mora (mora [at] netapp.com)