In [1]:
#!/usr/bin/env python
"""Alta3 Research | RZFeeser
   dpkt.pcap.Reader (used below) expects the classic libpcap format, so a *.pcapng
   trace must first be converted to *.pcap. This can be done with the editcap
   utility, which ships with tshark (sudo apt install tshark -y):

   editcap -F libpcap -T ether trace.pcapng trace.pcap

   Note that -T only relabels the output file's link-layer type; it does not rewrite
   the frames, so use it only when the capture really contains Ethernet frames.
    
   The dpkt library is installed with:

   python3 -m pip install dpkt"""

# standard library
import datetime

# python3 -m pip install dpkt
import dpkt

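def main(trace_path='SIP_REGISTER_wp.pcap'):
    """Walk every frame in a libpcap trace and print its number, its UTC
       timestamp and the raw source/destination MAC bytes.

       trace_path: path of a classic *.pcap file (not *.pcapng) whose
                   link-layer type is Ethernet. Defaults to the course trace.

       Raises ValueError when the file is not a libpcap trace or when its
       link type is not Ethernet -- decoding a non-Ethernet frame as Ethernet
       would print garbage for the MAC fields instead of failing loudly.
       A frame dpkt cannot unpack (truncated or malformed) is reported and
       skipped rather than aborting the walk: a capture is untrusted input
       and should not be able to crash the parser."""

    # open the trace in read mode, and as a binary file
    # as long as we are indenting the file remains open
    with open(trace_path, 'rb') as f:

        # dpkt's libpcap reader (this is dpkt.pcap, not the pypcap package);
        # it raises ValueError when the file header is not libpcap's,
        # e.g. for an unconverted *.pcapng
        pcap = dpkt.pcap.Reader(f)

        # every frame below is handed to dpkt.ethernet.Ethernet, so refuse a
        # trace whose link type is something else (Linux cooked, raw IP, ...)
        if pcap.datalink() != dpkt.pcap.DLT_EN10MB:
            raise ValueError(f'{trace_path}: link type {pcap.datalink()} is not Ethernet (DLT_EN10MB)')

        # ts is a POSIX timestamp (float seconds), buf is the raw frame bytes
        for pkt_no, (ts, buf) in enumerate(pcap, start=1):

            print(f'Packet Number - {pkt_no}')

            # display the timestamp in UTC; utcfromtimestamp() is deprecated,
            # so build an aware UTC datetime and drop the tzinfo again to keep
            # the same "YYYY-MM-DD HH:MM:SS.ffffff" output as before
            utc_ts = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).replace(tzinfo=None)
            print(f'Timestamp: {utc_ts}')

            # unpack the ethernet frame (MAC source and destination);
            # dpkt raises dpkt.UnpackError (NeedData is a subclass of it) on a
            # frame too short or malformed to carry an Ethernet header
            try:
                eth = dpkt.ethernet.Ethernet(buf)
            except dpkt.UnpackError as exc:
                print(f'Skipping frame {pkt_no}: cannot decode Ethernet header ({exc})')
                continue

            # raw 6-byte addresses; see the next cell for a readable form
            print(f'MAC source      - {eth.src}')
            print(f'MAC Destination - {eth.dst}')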

if __name__ == '__main__':
    # walk the trace only when run as a script, not when imported
    main()


Packet Number - 1
Timestamp: 2020-10-19 02:53:51.186495
MAC source      - b'\x00\x0e\x08\xd9~$'
MAC Destination - b'\x00\x00\x00\x01\x00\x06'
Packet Number - 2
Timestamp: 2020-10-19 02:53:51.186691
MAC source      - b'\xb4\xb6v54i'
MAC Destination - b'\x00\x04\x00\x01\x00\x06'
Packet Number - 3
Timestamp: 2020-10-19 02:53:51.210669
MAC source      - b'\x00\x0e\x08\xd9~$'
MAC Destination - b'\x00\x00\x00\x01\x00\x06'
Packet Number - 4
Timestamp: 2020-10-19 02:53:51.210799
MAC source      - b'\xb4\xb6v54i'
MAC Destination - b'\x00\x04\x00\x01\x00\x06'


In [2]:
#!/usr/bin/env python
"""Alta3 Research | RZFeeser
   dpkt.pcap.Reader (used below) expects the classic libpcap format, so a *.pcapng
   trace must first be converted to *.pcap. This can be done with the editcap
   utility, which ships with tshark (sudo apt install tshark -y):

   editcap -F libpcap -T ether trace.pcapng trace.pcap

   Note that -T only relabels the output file's link-layer type; it does not rewrite
   the frames, so use it only when the capture really contains Ethernet frames.
    
   The dpkt library is installed with:

   python3 -m pip install dpkt"""

# standard library
import datetime

# python3 -m pip install dpkt
import dpkt

# turn the raw address bytes into the usual colon-separated hex form
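def mac_decode(old_mac):
    """Return the colon-separated, lower-case hex form of a raw MAC address.

       old_mac: the raw address bytes as dpkt exposes them in eth.src /
                eth.dst (any bytes-like object). Every byte becomes one
                zero-padded hex pair, so any length is accepted; an empty
                input gives ''.

       Example: b'\\x00\\x0e\\x08\\xd9~$' -> '00:0e:08:d9:7e:24'

       Standard library only: iterating a bytes object already yields ints on
       Python 3, so dpkt's Python-2 compat_ord shim is not needed."""
    return ':'.join(f'{octet:02x}' for octet in bytes(old_mac))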

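def main(trace_path='SIP_REGISTER_wp.pcap'):
    """Walk every frame in a libpcap trace and print its number, its UTC
       timestamp and the source/destination MAC in colon-separated hex.

       trace_path: path of a classic *.pcap file (not *.pcapng) whose
                   link-layer type is Ethernet. Defaults to the course trace.

       Raises ValueError when the file is not a libpcap trace or when its
       link type is not Ethernet -- decoding a non-Ethernet frame as Ethernet
       would print garbage for the MAC fields instead of failing loudly.
       A frame dpkt cannot unpack (truncated or malformed) is reported and
       skipped rather than aborting the walk: a capture is untrusted input
       and should not be able to crash the parser."""

    # open the trace in read mode, and as a binary file
    # as long as we are indenting the file remains open
    with open(trace_path, 'rb') as f:

        # dpkt's libpcap reader (this is dpkt.pcap, not the pypcap package);
        # it raises ValueError when the file header is not libpcap's,
        # e.g. for an unconverted *.pcapng
        pcap = dpkt.pcap.Reader(f)

        # every frame below is handed to dpkt.ethernet.Ethernet, so refuse a
        # trace whose link type is something else (Linux cooked, raw IP, ...)
        if pcap.datalink() != dpkt.pcap.DLT_EN10MB:
            raise ValueError(f'{trace_path}: link type {pcap.datalink()} is not Ethernet (DLT_EN10MB)')

        # ts is a POSIX timestamp (float seconds), buf is the raw frame bytes
        for pkt_no, (ts, buf) in enumerate(pcap, start=1):

            print(f'Packet Number - {pkt_no}')

            # display the timestamp in UTC; utcfromtimestamp() is deprecated,
            # so build an aware UTC datetime and drop the tzinfo again to keep
            # the same "YYYY-MM-DD HH:MM:SS.ffffff" output as before
            utc_ts = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).replace(tzinfo=None)
            print(f'Timestamp: {utc_ts}')

            # unpack the ethernet frame (MAC source and destination);
            # dpkt raises dpkt.UnpackError (NeedData is a subclass of it) on a
            # frame too short or malformed to carry an Ethernet header
            try:
                eth = dpkt.ethernet.Ethernet(buf)
            except dpkt.UnpackError as exc:
                print(f'Skipping frame {pkt_no}: cannot decode Ethernet header ({exc})')
                continue

            # mac_decode() renders the raw 6 bytes as aa:bb:cc:dd:ee:ff
            print(f'MAC source      - {mac_decode(eth.src)}')
            print(f'MAC Destination - {mac_decode(eth.dst)}')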

if __name__ == '__main__':
    # walk the trace only when run as a script, not when imported
    main()


Packet Number - 1
Timestamp: 2020-10-19 02:53:51.186495
MAC source      - 00:0e:08:d9:7e:24
MAC Destination - 00:00:00:01:00:06
Packet Number - 2
Timestamp: 2020-10-19 02:53:51.186691
MAC source      - b4:b6:76:35:34:69
MAC Destination - 00:04:00:01:00:06
Packet Number - 3
Timestamp: 2020-10-19 02:53:51.210669
MAC source      - 00:0e:08:d9:7e:24
MAC Destination - 00:00:00:01:00:06
Packet Number - 4
Timestamp: 2020-10-19 02:53:51.210799
MAC source      - b4:b6:76:35:34:69
MAC Destination - 00:04:00:01:00:06
