0
votes

I would like to read a pcap file through scapy and filter on source address, destination address and a packet length above or equal to 400.

After matching those packets, I would like to remove the first 16 bytes and then extract the remaining bytes sequentially.

    from scapy.all import rdpcap

    file = rdpcap(pcap)
    for pkt in file:
        if pkt[0].src == '198.18.32.1' and pkt[0].dst == '198.18.50.97':
            pass  # matched packets would be processed here
1
So, do it? (My sarcasm is trying to hint that this question has no question. It only has a statement of what you want to accomplish.) – Torxed
pkt[0].src doesn't have the IP address which I'm looking for, but when I open Wireshark I can see packets with the intended source and destination address. – Awin
What does pkt[0].src give you? And what is the expected result (seen from Wireshark)? – Torxed
It gives a lot of other addresses but not the specified address; the pcap file has a lot of other connections too. – Awin

1 Answer

1
votes

This is more than normal. pkt[0] does not really mean anything...

When doing pkt.src, you’ll get the Ethernet address (of the first layer), which is not an IP address. You would need pkt[IP].src to get the IP address.