tshark_tls
import io
import subprocess
import sys
from StringIO import StringIO

import pandas as pd
# tshark preferences passed via -o, each forced to FALSE. The names say
# "desegment", so presumably this keeps tshark from reassembling TCP segments
# / TLS records across frames and reports each frame as captured.
_DISABLED_PREFS = (
    'tcp.desegment_tcp_streams',
    'ssl.desegment_ssl_records',
    'ssl.desegment_ssl_application_data',
)
OPTIONS = ['%s:FALSE' % pref for pref in _DISABLED_PREFS]
# Whitespace-separated tshark command template, so it can be split straight
# into an argv list without going through a shell (which is also why the ';'
# separator needs no quoting). {fields} / {options} take the pre-rendered
# ' -e name' and ' -opref:value' fragments.
TSHARK_CMD = ' '.join([
    'tshark -r {filepath}',
    '-E header=y -E separator=;',   # emit a header row, ';' between columns
    '-n',                           # no name resolution (no lookups at all)
    '-T fields {fields} {options}',
])
# Per-protocol field groups, concatenated below into FIELDS; their order is
# the column order of the tshark output.
# NOTE(review): these are the pre-3.0 'ssl.*' field names; Wireshark 3.0
# renamed them to 'tls.*', so verify them against the installed tshark.
_FRAME_FIELDS = [
    'frame.number',
    'frame.time',
    'frame.time_delta',
]
_IP_FIELDS = [
    'ip.src',
    'ip.dst',
    'ip.proto',
    'ip.len',
    'ip.hdr_len',
]
_UDP_FIELDS = [
    'udp.srcport',
    'udp.dstport',
    'udp.length',
    'udp.stream',  # wireshark analysis field, not an on-the-wire value
]
_TCP_FIELDS = [
    'tcp.srcport',
    'tcp.dstport',
    'tcp.seq',
    'tcp.flags.ack',
    'tcp.flags.syn',
    'tcp.flags.fin',
    'tcp.len',
    'tcp.hdr_len',
    # wireshark analysis fields
    'tcp.stream',
    'tcp.analysis',
    'tcp.analysis.retransmission',
]
_DNS_FIELDS = [
    'dns.qry.name',
    'dns.cname',
    'dns.a',
]
_TLS_FIELDS = [
    'ssl.handshake.extensions_server_name',
    'ssl.handshake.ciphersuite',
    'ssl.handshake.length',
    'ssl.heartbeat_message',
    'ssl.record.content_type',
    'ssl.record.length',
]
_WS_COLUMN_FIELDS = [
    '_ws.col.Protocol',
]
FIELDS = (
    _FRAME_FIELDS
    + _IP_FIELDS
    + _UDP_FIELDS
    + _TCP_FIELDS
    + _DNS_FIELDS
    + _TLS_FIELDS
    + _WS_COLUMN_FIELDS
)
# Pre-render the -e / -o fragments for TSHARK_CMD. Each label starts with a
# space so the fragments stay separate when the command is split on
# whitespace; '-o' is glued to its value ('-opref:value'), which tshark's
# option parsing accepts.
FIELD_LABEL = ' -e '
OPTION_LABEL = ' -o'
# ' -e f1 -e f2 ...'
FIELDS_FORMATTED = '%s%s' % (FIELD_LABEL, FIELD_LABEL.join(FIELDS))
# ' -opref1:FALSE -opref2:FALSE ...'
OPTIONS_FORMATTED = '%s%s' % (OPTION_LABEL, OPTION_LABEL.join(OPTIONS))
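def process_packets(pcap_fpath):
    """Run tshark over *pcap_fpath* and return its per-frame fields as a DataFrame.

    One row per frame; the columns are the names in FIELDS, taken from the
    header row tshark emits (-E header=y). tshark runs with the preferences
    in OPTIONS and without name resolution (-n), so it performs no lookups.

    Args:
        pcap_fpath: path of the capture file handed to ``tshark -r``.

    Returns:
        pandas.DataFrame with one column per entry in FIELDS.

    Raises:
        subprocess.CalledProcessError: if tshark exits non-zero.
        OSError: if the tshark binary cannot be executed.
    """
    # Build argv directly rather than splitting a formatted string: a path
    # containing whitespace would otherwise be broken into several arguments.
    # No shell is involved, so the ';' separator needs no quoting.
    argv = [
        'tshark', '-r', pcap_fpath,
        '-E', 'header=y',
        '-E', 'separator=;',
        '-n',
        '-T', 'fields',
    ]
    for field in FIELDS:
        argv += ['-e', field]
    for option in OPTIONS:
        argv += ['-o', option]
    # tshark dissects whatever bytes are in the capture; it runs with the
    # caller's privileges only, so keep those minimal for captures from
    # outside sources.
    tshark_out = subprocess.check_output(argv)
    # check_output returns bytes (str on Python 2); BytesIO takes either, so
    # read_csv behaves the same on both interpreters.
    return pd.read_csv(io.BytesIO(tshark_out), sep=';')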
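if __name__ == "__main__":
    # Reject a missing/extra argument with a usage line instead of letting
    # sys.argv[1] raise IndexError.
    if len(sys.argv) != 2:
        sys.exit('usage: %s <capture.pcap>' % sys.argv[0])
    df = process_packets(sys.argv[1])
    # print(<single object>) is valid on both Python 2 and 3
    print(df)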