Question

I need to split a PCAP file in two different files: the first one should include all (and only) the packets directed to the application layer of the ISO/OSI model, while the second one includes all the other ones.

I'm using Scapy to apply the filter:

from scapy.all import PcapReader, Raw, wrpcap

pkts = PcapReader(infile)
# generators: packets with a Raw layer vs. packets without one
applayerpkts = (pkt for pkt in pkts if pkt.haslayer(Raw))
lowlayerspkts = (pkt for pkt in pkts if not pkt.haslayer(Raw))
wrpcap(applayerfilename, applayerpkts)
wrpcap(lowlayersfilename, lowlayerspkts)

using the pkt.haslayer(Raw) method, since that layer should be included only in packets directed to the application layer.

What's the problem? I've noticed that the sum of the file sizes of applayerfilename and lowlayersfilename is different from (lower than) the file size of infile.

The reported method is also computationally expensive (and I've got a list of PCAPs of ~1.5GB each), since infile is parsed twice.

I'd prefer to apply a different filter, parsing the input PCAP only once. I could use the PcapReader class and manually parse the PCAP, but I don't know how to generate a PCAP to pass to the wrpcap(...) method.

Edit: I've also tried with this solution:

from scapy.all import PcapReader, Raw, wrpcap

pkts = PcapReader(infile)
app_pkts = []   # packets with a Raw layer, kept in memory
low_pkts = []   # all other packets, kept in memory
for p in pkts:
    if p.haslayer(Raw):
        app_pkts.append(p)
    else:
        low_pkts.append(p)
wrpcap(applayerfilename, app_pkts)
wrpcap(lowlayersfilename, low_pkts)

but it doesn't work, since it consumes too much memory because of the size of my input PCAP...

Does an append_to_pcap(filename, packet)-like function exist (the wrpcap(...) function doesn't work as an append)?

No correct solution

OTHER TIPS

I've (at least apparently) solved it in this way:

from scapy.all import PcapReader, PcapWriter, Raw

pkts = PcapReader(infile)

# one streaming writer per output file; packets are written as they are read
app_writer = PcapWriter(applayerfilename, append=True)
low_writer = PcapWriter(lowlayersfilename, append=True)
for p in pkts:
    if p.haslayer(Raw):
        app_writer.write(p)
    else:
        low_writer.write(p)
app_writer.close()
low_writer.close()
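As an added example (not from the question or the answer above), the same single-pass split can be done without Scapy by reading the libpcap record format directly, which also answers the "how do I generate a PCAP myself" part of the question. It assumes little-endian, microsecond-timestamp pcap files with the Ethernet link type, and it treats a packet as "application layer" when TCP or UDP bytes remain after the transport header, which is roughly what Scapy's Raw layer means. The sample capture bytes are constructed inline. It also makes the file-size observation explicit: each output repeats the 24-byte global header, so the two outputs sum to the input size plus 24, and Ethernet trailer padding beyond the IP total length is not counted as payload (otherwise a padded 54-byte SYN would wrongly land in the application file).

```python
import struct
from io import BytesIO

PCAP_MAGIC_LE = 0xA1B2C3D4
# magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len, orig_len (16 bytes)
RECORD_HDR = struct.Struct("<IIII")


def has_app_payload(frame: bytes) -> bool:
    """True if an Ethernet/IPv4 frame carries TCP or UDP bytes beyond the transport header."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return False                      # not IPv4 over Ethernet (simplifying assumption)
    ip = frame[14:]
    if len(ip) < 20:
        return False
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    seg = ip[:total_len][ihl:]            # bound by IP total length: drop Ethernet padding
    if proto == 6 and len(seg) >= 20:     # TCP: data offset is the high nibble of byte 12
        return len(seg) > (seg[12] >> 4) * 4
    if proto == 17 and len(seg) >= 8:     # UDP: fixed 8-byte header
        return len(seg) > 8
    return False


def split_pcap(src, app_dst, low_dst):
    """Stream src once, copying each record to exactly one output. Returns (app_count, low_count)."""
    ghdr = src.read(GLOBAL_HDR.size)
    if len(ghdr) != GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    if struct.unpack("<I", ghdr[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is supported here")
    app_dst.write(ghdr)                   # both outputs need their own global header
    low_dst.write(ghdr)
    counts = [0, 0]
    while True:
        rhdr = src.read(RECORD_HDR.size)
        if not rhdr:
            break
        if len(rhdr) != RECORD_HDR.size:
            raise ValueError("truncated record header")
        _, _, incl_len, _ = RECORD_HDR.unpack(rhdr)
        data = src.read(incl_len)
        if len(data) != incl_len:
            raise ValueError("truncated packet data")
        dst = app_dst if has_app_payload(data) else low_dst
        dst.write(rhdr)
        dst.write(data)
        counts[0 if dst is app_dst else 1] += 1
    return tuple(counts)


def _frame(proto: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame with a TCP (6) or UDP (17) segment; checksums left zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", 1234, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4
    eth = b"\x00" * 12 + b"\x08\x00" + ip
    return eth.ljust(60, b"\x00")         # pad short frames to 60 bytes like a NIC would


def build_sample_pcap() -> bytes:
    """Constructed four-packet capture: 2 with application payload, 2 without."""
    frames = [
        _frame(6, b""),                                      # TCP SYN, no payload       -> low
        _frame(6, b"GET / HTTP/1.0\r\n"),                    # TCP carrying HTTP bytes   -> app
        _frame(17, b"\x12\x34\x01\x00"),                     # UDP with a DNS-like body  -> app
        b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,  # ARP request, no IP     -> low
    ]
    out = GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += RECORD_HDR.pack(1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def demo():
    """Split the constructed capture in memory and check that every byte is accounted for."""
    src, app, low = BytesIO(build_sample_pcap()), BytesIO(), BytesIO()
    counts = split_pcap(src, app, low)
    total = len(app.getvalue()) + len(low.getvalue())
    if total != len(src.getvalue()) + GLOBAL_HDR.size:
        raise AssertionError("bytes lost during split")
    return counts


if __name__ == "__main__":
    print(demo())   # on-disk use: split_pcap(open(infile, "rb"), open(a, "wb"), open(b, "wb"))
```

Because the loop reads one record at a time and writes it immediately, memory use is bounded by the largest single packet rather than by the capture size, which is the property the 1.5GB inputs in the question require; the size check in demo() is the quick sanity test to run on a real capture after splitting.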
Licensed under: CC-BY-SA with attribution