2
votes

Is there any way to measure timestamp for outgoing packets sent via scapy? How to present those time stamps in normalized value such as timestamps in wireshark.

I can send a simple stream of packets via

from scapy.all import IP, TCP, send

packet = IP(src="192.168.0.254", dst="192.168.0.2")/TCP(sport=35021, dport=35021)
send(packet)  # transmit the crafted packet (repeat to produce a stream)

While I am sniffing from another terminal,

from scapy.all import sniff

pkt = sniff(filter="host 192.168.0.254")
for p in pkt:
    print(p.time)  # capture timestamp of each sniffed packet, seconds since the epoch

gives me following time values

1505733059.335
1505733059.336
1505733059.336
1505733059.336
1505733059.337
1505733059.337
1505733059.338
1505733059.338
1505733059.338
1505733059.339

As far as I can say these are the values when packet was sent, right? How to change these values to normalized values such as in wireshark?

1
This is a very broad and general question, the way you stated it. Have you searched for any tutorials? Have you written any code? Please show some effort. – Maciej Jureczko

Description and code are added. I hope now you can have the complete idea. If anything else is necessary to answer the question then just let me know. – Kashif Ahmad

1 Answer

5
votes

The time attribute of a sniffed packet actually denotes the time the packet was received, rather than the time it was sent. In fact, even the time Wireshark associates with a sniffed packet is the time it was received, as detailed in the official wiki.

There is no straightforward way of extracting the time a sniffed packet was sent. One can try measuring the network latency and extrapolating the send time based on that, but the accuracy of this approach is questionable. Another option is to extract the send time on the sending machine and transfer it somehow to the sniffing machine, either in-band if a controllable ad hoc protocol is in use or out-of-band otherwise, but both methods seem rather inelegant and are only feasible if the sending machine may be manipulated.


The values stored in the time attribute are equivalent to the return value of the time.time() function, which is the time in seconds since the epoch, i.e., the point where the time starts and is platform dependent.

These values may be converted into a more common time format (i.e. year, month, day, hour, etc.) in UTC by passing them to the time.gmtime() function, or in local time by passing them to the time.localtime() function. In both cases a struct_time object is returned, from which the components of the calendar date may be accessed as attributes. Passing the returned struct_time object on to the time.asctime() function converts it to a human readable string, though better control of the human readable output is possible via the time.strftime() function.

Python 3.4.3 (default, Nov 17 2016, 01:08:31) 
[GCC 4.8.4] on linux
Type "help", "copyright", "credits" or "license" for more information.

>>> import time
>>>
>>> timestamp = time.time()
>>> print(timestamp)
1505806452.8678658
>>>
>>> local_time = time.localtime(timestamp)
>>> print(local_time)
time.struct_time(tm_year=2017, tm_mon=9, tm_mday=19, tm_hour=10, tm_min=34, tm_sec=12, tm_wday=1, tm_yday=262, tm_isdst=1)
>>>
>>> human_time = time.asctime(local_time)
>>> print(human_time)
Tue Sep 19 10:34:12 2017
>>> 
>>> my_human_time = time.strftime('%A, %d/%m/%y, %I:%M:%S %p', local_time)
>>> print(my_human_time)
Tuesday, 19/09/17, 10:34:12 AM
>>>
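As an added example (not part of the answer above), the following turns a list of epoch timestamps such as those printed in the question into the two relative views Wireshark offers by default, seconds since the first packet and seconds since the previous packet, and renders the absolute time in UTC with microseconds. The sample list is constructed from the question's printed values; the function only assumes the timestamps are floats in seconds since the epoch, as scapy stores them in pkt.time.

```python
import time

# Constructed sample: the receive timestamps printed in the question
# (seconds since the epoch, the same unit scapy stores in pkt.time).
SAMPLE_TIMES = [
    1505733059.335, 1505733059.336, 1505733059.336, 1505733059.336,
    1505733059.337, 1505733059.337, 1505733059.338, 1505733059.338,
    1505733059.338, 1505733059.339,
]


def format_utc(ts):
    """Render an epoch timestamp as 'YYYY-mm-dd HH:MM:SS.ffffffZ'.

    strftime has no sub-second directive, so the microsecond part is
    computed by hand and carried into the next second if it rounds up.
    """
    whole = int(ts)
    frac = int(round((ts - whole) * 1_000_000))
    if frac >= 1_000_000:          # e.g. x.9999996 rounds up to the next second
        whole += 1
        frac -= 1_000_000
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(whole)) + f".{frac:06d}Z"


def normalize(timestamps):
    """Return one (relative, delta, utc) tuple per packet.

    relative: seconds since the first packet (Wireshark's default
              "Seconds Since Beginning of Capture" column).
    delta:    seconds since the previous packet ("Seconds Since Previous
              Displayed Packet"); 0.0 for the first packet.
    Values are rounded to microseconds, the resolution of a pcap timestamp.
    """
    if not timestamps:
        return []
    start = timestamps[0]
    rows, prev = [], start
    for ts in timestamps:
        rows.append((round(ts - start, 6), round(ts - prev, 6), format_utc(ts)))
        prev = ts
    return rows


if __name__ == "__main__":
    print(f"{'No.':>3} {'Relative':>10} {'Delta':>10}  UTC")
    for i, (rel, delta, utc) in enumerate(normalize(SAMPLE_TIMES), start=1):
        print(f"{i:3d} {rel:10.6f} {delta:10.6f}  {utc}")
```

Wireshark's View > Time Display Format menu switches between the same three views, so a capture taken on the sniffing host can be compared against this output row by row.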