In [None]:
# https://charlesreid1.com/wiki/Scapy/Pcap_Reader

## Read Pcap File

In [2]:
from scapy.all import *

In [3]:
a  = rdpcap("UbuntuBFVale.pcapng")

### Now we should be able to see the number of packets: 

In [4]:
n_pkts = len(a)
n_pkts

161332

## Analyzing a Packet

### Start by analyzing a single packet: 

In [5]:
pkt = a[1]

## Packets Methods

### Getting an individual packet returns an object of type

In [6]:
type(pkt)

scapy.layers.inet.IP

### Start by checking out what functions are available for an individual packet: 

In [7]:
dir(pkt)

['__all_slots__',
 '__bool__',
 '__bytes__',
 '__class__',
 '__contains__',
 '__deepcopy__',
 '__delattr__',
 '__delitem__',
 '__dict__',
 '__dir__',
 '__div__',
 '__doc__',
 '__eq__',
 '__format__',
 '__ge__',
 '__getattr__',
 '__getattribute__',
 '__getitem__',
 '__getstate__',
 '__gt__',
 '__hash__',
 '__init__',
 '__init_subclass__',
 '__iter__',
 '__iterlen__',
 '__le__',
 '__len__',
 '__lt__',
 '__module__',
 '__mul__',
 '__ne__',
 '__new__',
 '__nonzero__',
 '__rdiv__',
 '__reduce__',
 '__reduce_ex__',
 '__repr__',
 '__rmul__',
 '__rtruediv__',
 '__setattr__',
 '__setitem__',
 '__setstate__',
 '__sizeof__',
 '__slots__',
 '__str__',
 '__subclasshook__',
 '__truediv__',
 '__weakref__',
 '_answered',
 '_defrag_pos',
 '_do_summary',
 '_name',
 '_overload_fields',
 '_pkt',
 '_resolve_alias',
 '_show_or_dump',
 '_superdir',
 '_tmp_dissect_pos',
 '_ttl',
 '_unpickle',
 'add_payload',
 'add_underlayer',
 'aliastypes',
 'answers',
 'build',
 'build_done',
 'build_padding',
 'build_ps',


In [8]:
pkt.fieldtype

{'version': <Field (IP,IPerror,_IPv46).version>,
 'ihl': <Field (IP,IPerror,_IPv46).ihl>,
 'tos': <Field (IP,IPerror,_IPv46).tos>,
 'len': <Field (IP,IPerror,_IPv46).len>,
 'id': <Field (IP,IPerror,_IPv46).id>,
 'flags': <Field (IP,IPerror,_IPv46).flags>,
 'frag': <Field (IP,IPerror,_IPv46).frag>,
 'ttl': <Field (IP,IPerror,_IPv46).ttl>,
 'proto': <Field (IP,IPerror,_IPv46).proto>,
 'chksum': <Field (IP,IPerror,_IPv46).chksum>,
 'src': <scapy.fields.Emph at 0x1f4d31cdee8>,
 'dst': <scapy.fields.Emph at 0x1f4d31cdfd8>,
 'options': <Field (IP,IPerror,_IPv46).options>}

## Printing a packet

In [9]:
### A string dump of the packet is not very useful: 
str(pkt)

"b'E\\x00\\x00<#\\x0f@\\x00@\\x06C\\x9e\\n\\x00\\x08\\x03\\xc0\\xa8\\x01d\\x97\\xd8\\x00\\x16\\xa0\\x97\\x15>\\x00\\x00\\x00\\x00\\xa0\\x02\\xfa\\xf0\\xcc\\x80\\x00\\x00\\x02\\x04\\x05\\xb4\\x04\\x02\\x08\\n\\x18/F\\x8c\\x00\\x00\\x00\\x00\\x01\\x03\\x03\\x07'"

In [10]:
# But a hex dump is starting to look a little bit better: 
hexdump(pkt)

0000  45 00 00 3C 23 0F 40 00 40 06 43 9E 0A 00 08 03  E..<#.@.@.C.....
0010  C0 A8 01 64 97 D8 00 16 A0 97 15 3E 00 00 00 00  ...d.......>....
0020  A0 02 FA F0 CC 80 00 00 02 04 05 B4 04 02 08 0A  ................
0030  18 2F 46 8C 00 00 00 00 01 03 03 07              ./F.........


In [11]:
#Each of these pieces of data represents a different part of the packet header, which includes information about the source,
# destination, timestamp, channel, and so on. Use the show method for an individual packet to show the full description:
pkt.show()

###[ IP ]### 
  version   = 4
  ihl       = 5
  tos       = 0x0
  len       = 60
  id        = 8975
  flags     = DF
  frag      = 0
  ttl       = 64
  proto     = tcp
  chksum    = 0x439e
  src       = 10.0.8.3
  dst       = 192.168.1.100
  \options   \
###[ TCP ]### 
     sport     = 38872
     dport     = ssh
     seq       = 2694255934
     ack       = 0
     dataofs   = 10
     reserved  = 0
     flags     = S
     window    = 64240
     chksum    = 0xcc80
     urgptr    = 0
     options   = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (405751436, 0)), ('NOP', None), ('WScale', 7)]



## Finding Packets by Type

In [12]:
# To get most of the information about a packet, you can use the fields attribute, 
# which is a dictionary containing key-value pairs. One of these is "subtype" - 
# which corresponds to the Frame Type/Subtype table here:
# http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf
# If you loop over each packet and print out its subtype, you'll see all the values are the values found in the table. 

In [13]:
pkt.time

1581070118.766376

In [14]:
pktTime=datetime.fromtimestamp(pkt.time)
#Then convert to a format we like
time = pktTime.strftime("%Y-%m-%d %H:%M:%S.%f")
time

'2020-02-07 11:08:38.766376'

In [15]:
pkt['TCP'].fields

{'sport': 38872,
 'dport': 22,
 'seq': 2694255934,
 'ack': 0,
 'dataofs': 10,
 'reserved': 0,
 'flags': <Flag 2 (S)>,
 'window': 64240,
 'chksum': 52352,
 'urgptr': 0,
 'options': [('MSS', 1460),
  ('SAckOK', b''),
  ('Timestamp', (405751436, 0)),
  ('NOP', None),
  ('WScale', 7)]}

In [16]:
pkt_list=[]

for i in range(100):
    src = a[i].fields['src']
    dst = a[i].fields['dst'] 
    pkt_bytes = len(a[i]) 
    proto = a[i].fields['proto']
    sport = a[i]['TCP'].fields['sport']
    dport = a[i]['TCP'].fields['dport']
    seq = a[i]['TCP'].fields['seq']
    ack = a[i]['TCP'].fields['ack']
    dataofs = a[i]['TCP'].fields['dataofs']
    flags = a[i]['TCP'].fields['flags']
    window = a[i]['TCP'].fields['window']
    time = a[i].time
    
    
    
    pkt_list.append({'src' : src, 'dst' : dst, 'pkt_bytes' : pkt_bytes, 'proto' : proto, 'sport' : sport, \
                     'dport' : dport, 'seq' : seq , 'ack' : ack, 'dataofs' : dataofs , 'flags' : flags, \
                    'window' : window, 'time' : time})

In [17]:
import pandas as pd

In [18]:
df= pd.DataFrame(pkt_list)
df.head(20)

Unnamed: 0,src,dst,pkt_bytes,proto,sport,dport,seq,ack,dataofs,flags,window,time
0,10.0.8.3,192.168.1.100,60,6,38870,22,1249072137,0,10,S,64240,1581070000.0
1,10.0.8.3,192.168.1.100,60,6,38872,22,2694255934,0,10,S,64240,1581070000.0
2,10.0.8.3,192.168.1.100,60,6,38874,22,4100354971,0,10,S,64240,1581070000.0
3,192.168.1.100,10.0.8.3,60,6,22,38870,3793705070,1249072138,10,SA,65160,1581070000.0
4,10.0.8.3,192.168.1.100,52,6,38870,22,1249072138,3793705071,8,A,502,1581070000.0
5,10.0.8.3,192.168.1.100,74,6,38870,22,1249072138,3793705071,8,PA,502,1581070000.0
6,192.168.1.100,10.0.8.3,60,6,22,38872,2379432080,2694255935,10,SA,65160,1581070000.0
7,10.0.8.3,192.168.1.100,52,6,38872,22,2694255935,2379432081,8,A,502,1581070000.0
8,10.0.8.3,192.168.1.100,74,6,38872,22,2694255935,2379432081,8,PA,502,1581070000.0
9,192.168.1.100,10.0.8.3,60,6,22,38874,1517526696,4100354972,10,SA,65160,1581070000.0


In [19]:
df2 = df.groupby(['src' , 'dst', 'dport' , 'sport']).agg( 
    tot_bytes=pd.NamedAgg(column='pkt_bytes', aggfunc=sum), 
    max_time=pd.NamedAgg(column='time', aggfunc=max,), 
    min_time=pd.NamedAgg(column='time', aggfunc=min))

df2["duration"] = df2["max_time"] - df2["min_time"]

In [20]:
df2.head()

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,tot_bytes,max_time,min_time,duration
src,dst,dport,sport,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1
10.0.8.3,192.168.1.100,22,38870,2002,1581070000.0,1581070000.0,2.718633
10.0.8.3,192.168.1.100,22,38872,2002,1581070000.0,1581070000.0,2.718084
10.0.8.3,192.168.1.100,22,38874,1918,1581070000.0,1581070000.0,0.170647
10.0.8.3,192.168.1.100,22,38876,1918,1581070000.0,1581070000.0,0.133663
192.168.1.100,10.0.8.3,38870,22,2297,1581070000.0,1581070000.0,2.697663


In [21]:
df2.reset_index(inplace=True)

In [22]:
df2.head()

Unnamed: 0,src,dst,dport,sport,tot_bytes,max_time,min_time,duration
0,10.0.8.3,192.168.1.100,22,38870,2002,1581070000.0,1581070000.0,2.718633
1,10.0.8.3,192.168.1.100,22,38872,2002,1581070000.0,1581070000.0,2.718084
2,10.0.8.3,192.168.1.100,22,38874,1918,1581070000.0,1581070000.0,0.170647
3,10.0.8.3,192.168.1.100,22,38876,1918,1581070000.0,1581070000.0,0.133663
4,192.168.1.100,10.0.8.3,38870,22,2297,1581070000.0,1581070000.0,2.697663


In [23]:
df2.drop(['max_time', 'min_time'], axis=1, inplace=True)

In [24]:
df2.head()

Unnamed: 0,src,dst,dport,sport,tot_bytes,duration
0,10.0.8.3,192.168.1.100,22,38870,2002,2.718633
1,10.0.8.3,192.168.1.100,22,38872,2002,2.718084
2,10.0.8.3,192.168.1.100,22,38874,1918,0.170647
3,10.0.8.3,192.168.1.100,22,38876,1918,0.133663
4,192.168.1.100,10.0.8.3,38870,22,2297,2.697663


## Bytes over time (plot)

In [25]:
import plotly
from datetime import datetime

In [26]:
#Lists to hold packet info
pktBytes=[]
pktTimes=[]

#Read each packet and append to the lists.
for p in a:
    if IP in p:
        try:
            pktBytes.append(p[IP].len)
            pktTime=datetime.fromtimestamp(p.time)
            pktTimes.append(pktTime.strftime("%Y-%m-%d %H:%M:%S.%f"))
        except:
            pass

#This converts list to series
bytes = pd.Series(pktBytes).astype(int)

#Convert the timestamp list to a pd date_time
times = pd.to_datetime(pd.Series(pktTimes).astype(str), errors='coerce')

#Create the dataframe
d = pd.DataFrame({"Bytes": bytes, "Times":times})

#set the date from a range to an timestamp
d = d.set_index('Times')

#Create a new dataframe of 2 second sums to pass to plotly
d2=d.resample('2S').sum()

#Create the graph
plotly.offline.plot({"data":[plotly.graph_objs.Scatter(x=d2.index, y=d2['Bytes'])],\
                     "layout":plotly.graph_objs.Layout(title="Bytes over Time ", xaxis=dict(title="Time"),\
                                                       yaxis=dict(title="Bytes"))})


'temp-plot.html'

In [None]:
# https://github.com/joemcmanus/packetexaminer

In [36]:
 url = "https://github.com/joemcmanus/packetexaminer.git"