
How to read .cap files, other than with Pyshark, faster than Scapy's rdpcap()?


I have been looking for a way to get 802.11 packets from a .cap file into an array. So far I have found:

  • Scapy: which is kind of nice, documentation available, but too slow; when I try to open a file with size > 40 MB, it just keeps hanging until it consumes all my RAM (all 16 GB of it), at which point my PC just blocks and I have to reboot it

  • Pyshark: doesn't have any of Scapy's problems, but the documentation is too scarce; I can't find a way to handle and get attributes for 802.11 packets

So I was thinking maybe there are better solutions out there, or maybe someone does have some experience with pyshark?

from scapy.all import rdpcap, Dot11
import numpy as np

# One counter per 802.11 subtype. The subtype field is 4 bits wide, so 16
# slots are needed (the original 14-slot array raises IndexError on subtype 14).
Stats = np.zeros(16)
counter = 0
filename = 'cap.cap'

a = rdpcap(filename)  # reads and dissects the whole file into a list in memory
print(len(a))
for p in a:
        # Management frames are 802.11 type 0
        if p.haslayer(Dot11) and p[Dot11].type == 0:
                counter = counter + 1
                Stats[p[Dot11].subtype] = Stats[p[Dot11].subtype] + 1

print(counter)
print(Stats)

Note: when I launch the program with a 10 megabyte input (for instance) it takes about 20 seconds or so, but it does work. I wonder why that is, why it is so different from pyshark, and what kind of computations it is doing?


Solution

  • You can patch Scapy's file named utils.py so that it won't load everything into memory

    change:

    def read_all(self,count=-1):
        """return a list of all packets in the pcap file
        """
        res=[]
        while count != 0:
            count -= 1
            p = self.read_packet()
            if p is None:
                break
            res.append(p)
        return res
    

    to

    def read_all(self,count=-1):
        """return an iterable of all packets in the pcap file
        """
        while count != 0:
            count -= 1
            p = self.read_packet()
            if p is None:
                break
            yield p
        return
    

    credit goes to: http://comments.gmane.org/gmane.comp.security.scapy.general/4462

    But the link is now dead.
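The reason rdpcap() blows up on a large capture is that it dissects every record into a Scapy packet object and keeps them all in one list; the patch above turns that list into a generator, and Scapy's own PcapReader class iterates a file the same way without patching the library. When all you need is the frame type and subtype, you do not need a dissector at all: the fields live in the first byte of the 802.11 header, which a few lines of struct work can pull straight out of each pcap record. The following is an added example written for this page (it is not Scapy code and not from the question or the answer). It assumes the legacy pcap container (not pcapng) with either the raw 802.11 link type or a radiotap link type, skips the radiotap header by its length field, and streams one record at a time so memory use does not grow with file size. The sample capture it writes is constructed inline so the code runs offline; the helper and function names are mine.

```python
import os
import struct
import tempfile

# pcap link-layer types that carry 802.11 frames
DLT_IEEE802_11 = 105        # raw 802.11 MAC frames
DLT_IEEE802_11_RADIO = 127  # radiotap header, then the 802.11 frame

MGMT, CTRL, DATA = 0, 1, 2  # values of the frame-control "type" field


def iter_records(path):
    """Yield (linktype, ts_sec, frame_bytes) one record at a time from a
    legacy pcap/.cap file (either byte order, micro- or nanosecond stamps).
    Memory use is one record, however large the file is."""
    with open(path, "rb") as f:
        magic = f.read(4)
        if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
            endian = "<"
        elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
            endian = ">"
        else:
            raise ValueError("not a legacy pcap file: magic %r" % magic)
        # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
        _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", f.read(20))
        rec = struct.Struct(endian + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
        while True:
            hdr = f.read(rec.size)
            if len(hdr) < rec.size:
                break  # clean end of file (or a truncated record header)
            ts_sec, _, incl_len, _ = rec.unpack(hdr)
            data = f.read(incl_len)
            if len(data) < incl_len:
                break  # truncated last record: stop rather than mis-parse it
            yield linktype, ts_sec, data


def dot11_type_subtype(linktype, data):
    """Return (type, subtype) from the 802.11 frame-control byte, or None."""
    if linktype == DLT_IEEE802_11_RADIO:
        if len(data) < 4:
            return None
        rt_len = struct.unpack_from("<H", data, 2)[0]  # it_len is always little-endian
        if rt_len > len(data):
            return None
        data = data[rt_len:]
    elif linktype != DLT_IEEE802_11:
        return None  # Ethernet etc.: there is no 802.11 header to read
    if len(data) < 2:
        return None
    fc0 = data[0]  # bits 0-1 protocol version, 2-3 type, 4-7 subtype
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def management_subtype_histogram(path):
    """Count management frames per subtype; 16 slots since subtype is 4 bits."""
    stats = [0] * 16
    total = 0
    for linktype, _ts, data in iter_records(path):
        total += 1
        parsed = dot11_type_subtype(linktype, data)
        if parsed is not None and parsed[0] == MGMT:
            stats[parsed[1]] += 1
    return total, stats


def build_sample_capture(path):
    """Write a small constructed radiotap capture (synthetic, not real traffic)."""
    radiotap = bytes([0, 0, 8, 0, 0, 0, 0, 0])  # version 0, pad, it_len=8, present=0

    def frame(fc0):
        # 24-byte MAC header (fc, flags, duration, addr1..3, seqctl) + 8 dummy body bytes
        return bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 + b"\x02" * 12 + b"\x00" * 10

    frames = [frame(0x80),  # beacon        (mgmt, subtype 8)
              frame(0x40),  # probe request (mgmt, subtype 4)
              frame(0x80),  # beacon
              frame(0xC0),  # deauth        (mgmt, subtype 12)
              frame(0x08),  # data frame    (type 2, not counted)
              frame(0xD4)]  # ACK           (ctrl, not counted)
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIO))
        for i, fr in enumerate(frames):
            pkt = radiotap + fr
            f.write(struct.pack("<IIII", 1600000000 + i, 0, len(pkt), len(pkt)))
            f.write(pkt)


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.cap")
        build_sample_capture(path)
        return management_subtype_histogram(path)


if __name__ == "__main__":
    print(demo())  # (6, [0, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 1, 0, 0, 0])
```

Point management_subtype_histogram() at a real .cap file to get the same 16-slot histogram the question's script computes, without building a packet object per frame. Two caveats worth keeping in mind: a capture saved as pcapng (the Wireshark default) has a different container and is rejected by the magic check, and a file whose link type is not 105 or 127 (for example Ethernet with 802.11 already stripped) yields no 802.11 headers, so the histogram stays empty rather than silently counting the wrong bytes.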