#> python pcapread.py mypcap.pcap /full/path/to/GeoLite2-City.mmdb
#> python pcapread.py mypcap.pcap /full/path/to/GeoLite2-City.mmdb
import sys
import dpkt
import socket
import datetime
import geoip2.database
from dpkt.compat import compat_ord
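def geoip(ipaddr, db_path=None):
    """Return "City, Country" for *ipaddr* from a GeoLite2 City database.

    Args:
        ipaddr: IP address string to look up.
        db_path: path to the .mmdb file. Defaults to ``sys.argv[2]``, which is
            where the usage comment at the top of the file puts it.

    Returns:
        "City, Country" on success, or "Unknown" when the lookup fails (address
        not in the database, malformed address, missing record fields).

    Raises:
        Whatever ``geoip2.database.Reader`` raises when the database cannot be
        opened; a wrong path is a configuration error and should stay loud
        rather than turn every lookup into "Unknown".
    """
    if db_path is None:
        db_path = sys.argv[2]
    db = geoip2.database.Reader(db_path)
    try:
        iprecord = db.city(ipaddr)
        return "%s, %s" % (iprecord.city.name, iprecord.country.name)
    except Exception:
        # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit still
        # propagate; lookup failures remain best-effort "Unknown" as before.
        return "Unknown"
    finally:
        # The reader holds an open file handle; release it on every path so
        # per-packet calls do not leak descriptors.
        db.close()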
def mac_addr(address):
    """Format a raw hardware address as colon-separated lowercase hex octets."""
    # bytearray yields integers for both a py2 str and a py3 bytes payload,
    # which is exactly what compat_ord normalised per byte.
    octets = bytearray(address)
    return ':'.join(['%02x' % octet for octet in octets])
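def packet_read(pcap):
    """Print a per-packet summary: timestamp, MACs, IPv4 endpoints, geolocation.

    Args:
        pcap: iterable of ``(timestamp, raw_frame)`` pairs, e.g. a
            ``dpkt.pcap.Reader``. Frames are assumed to be Ethernet; other
            link types would be misparsed (TODO confirm against the capture's
            link-layer header type).

    Frames dpkt cannot parse and non-IPv4 frames are reported and skipped
    instead of aborting the whole run, since a capture is untrusted input and
    one truncated frame should not stop the report. Only TCP and UDP carry
    ports; other IPv4 payloads (ICMP, GRE, fragments left as raw bytes) print
    just the addresses and the protocol number.
    """
    for ts, buf in pcap:
        print('Timestamp: %s' % datetime.datetime.utcfromtimestamp(ts))
        try:
            eth = dpkt.ethernet.Ethernet(buf)
        except dpkt.UnpackError as exc:
            # Malformed or truncated frame: report it and move on.
            print('Unparseable frame: %s' % exc)
            print('')
            continue
        print('Ethernet: %s -> %s' % (mac_addr(eth.src), mac_addr(eth.dst)))
        if not isinstance(eth.data, dpkt.ip.IP):
            print("Not an IP Packet")
            print('')
            continue
        ip = eth.data
        # The isinstance check above admits only dpkt.ip.IP (IPv4), so
        # AF_INET is the correct family for ip.src/ip.dst here.
        src = socket.inet_ntop(socket.AF_INET, ip.src)
        dst = socket.inet_ntop(socket.AF_INET, ip.dst)
        transport = ip.data
        if isinstance(transport, (dpkt.tcp.TCP, dpkt.udp.UDP)):
            print('IP: %s:%s -> %s:%s' % (src, transport.sport, dst, transport.dport))
        else:
            # No .sport/.dport on this payload; ip.p is the IP protocol number.
            print('IP: %s -> %s (protocol %d)' % (src, dst, ip.p))
        print("%s -> %s" % (geoip(src), geoip(dst)))
        print('')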
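def main():
    """Entry point: read the capture named in argv[1] and summarise each packet.

    argv[1] is the pcap path; argv[2] is the GeoLite2 database path consumed
    by ``geoip()``. Exits with status 2 and a usage line if either is missing.
    """
    if len(sys.argv) < 3:
        sys.stderr.write('usage: %s <capture.pcap> </path/to/GeoLite2-City.mmdb>\n'
                         % sys.argv[0])
        sys.exit(2)
    # Binary mode is required: text mode mangles bytes on Windows under py2 and
    # hands dpkt str instead of bytes under py3. The context manager closes the
    # file even if parsing raises.
    with open(sys.argv[1], 'rb') as f:
        packet_read(dpkt.pcap.Reader(f))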
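if __name__ == "__main__":
    # Quick sanity lookup against the database in argv[2] before the capture
    # is processed, then run the real report. The guard keeps importing this
    # module side-effect free.
    print("Printing test IPs 66.96.160.132")
    print(geoip('66.96.160.132'))
    main()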