
nanosecond timestamp precision and packet trailers in pcapy.dumper

Open mikewalshchicago opened this issue 5 years ago • 2 comments

Hi,

I'm new to GitHub, so I apologize if this is not the correct place to ask questions. I am not sure if this is an issue or my own ignorance, but I am using pcapy to read a live bytestream and record it to a .pcap file. Doing so was fairly easy with the documentation I found on the web, but when I view the pcap in Wireshark I have two issues:

  1. The header timestamp is in microsecond precision only. If I capture from the same interface using tcpdump with "--time-stamp-precision nano", I see the header timestamps in nanoseconds.

  2. The headers and payloads look fine in my pcap, but each message also has an 8 byte packet trailer which I do not see. If I use tcpdump with -K (this may not be necessary, but checksum is what I suspect is why pcapy doesn't read it), each message will include the packet trailer.

Because special arguments are needed to get the output I want with tcpdump, I suspect that libpcap needs to be told to turn these features on. Does pcapy support either request?

FWIW, here is a stripped down sample of what my code is doing. It is a bit more complicated, else I would be using tcpdump to create the captures:

```python
import sys

import dpkt
import pcapy

# first, i'm opening the bytestream, passing the desired interface from cli arguments:
interface = sys.argv[1]
cap = pcapy.open_live(interface, 65536, 1, 0)

# output location (placeholders; in the real script these come from elsewhere)
path, filename = sys.argv[2], sys.argv[3]

# the dumper is opened once, before the loop, so every packet goes into the
# same file (opening it per packet would truncate the file each time)
dumper = cap.dump_open(path + filename + '.pcap')

# i want to write every UDP message in this packet capture, so i do the following:
while True:
    (header, packet) = cap.next()
    ethernet = dpkt.ethernet.Ethernet(packet)

    if ethernet.type == dpkt.ethernet.ETH_TYPE_IP:
        ip = ethernet.data
        if ip.p == dpkt.ip.IP_PROTO_UDP:
            udp = ip.data

            # there's some processing that goes on in the middle, but i am not manipulating the output.
            # header carries the capture timestamp and lengths, packet is the raw frame
            dumper.dump(header, packet)
```

I read that someone edited the source to enable at least the nanosecond precision; however, as it is from 2014, I assume they never made a pull request or shared their code contribution:

https://stackoverflow.com/questions/21764341/pcap-nanoseconds-python

I'd appreciate any help you can give me, and I'm happy to help where I can with diagnosis.

mikewalshchicago, Dec 20 '18 17:12

Update: I ran a tcpdump capture with and without -K. Both displayed the trailer, so -K makes no difference.

Deep in the documentation for dpkt I found an example that had an additional argument "nano" in their Writer function. Replacing the pcapy dumper with the dpkt writer resolves my issue with the timestamps in the header being reported only in microseconds. What this tells me is that the reading of the binary data with pcapy.open_live() does not need to be looked at; it is only the dumper that needs an extra argument.

Example working function in dpkt:

```python
import dpkt

# nano=True makes the Writer emit the nanosecond-precision pcap magic
dumper = dpkt.pcap.Writer(open(path + filename + '.pcap', 'wb'), nano=True)

# pass the capture timestamp from the pcapy header; without ts, writepkt
# stamps the record with time.time() instead
sec, usec = header.getts()
dumper.writepkt(ethernet, ts=sec + usec / 1e6)
```

mikewalshchicago, Dec 20 '18 19:12
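The file-format detail behind the two posts above (why the microsecond-only timestamps come from the dumper rather than from open_live, and what the "nano" switch in tcpdump and dpkt actually changes) is shown here as an added example. It is not code from this thread, from pcapy or from dpkt: a minimal pcap writer and reader that differ only in the global-header magic number, fed a constructed frame and a constructed nanosecond timestamp. The magic values and header layouts are those of the classic pcap format; the sample frame and timestamp are made up.

```python
import struct

# pcap global-header magic numbers. The only thing that distinguishes a
# microsecond file from a nanosecond one is this value; the record layout
# is identical and only the meaning of the fraction field changes.
PCAP_MAGIC_MICRO = 0xA1B2C3D4  # classic libpcap output (what pcapy's dumper writes)
PCAP_MAGIC_NANO = 0xA1B23C4D   # tcpdump --time-stamp-precision nano, dpkt Writer(nano=True)
DLT_EN10MB = 1
NS_PER_SEC = 1_000_000_000

# Constructed sample input (not a real capture): a timestamp with full
# nanosecond resolution and a 26-byte dummy Ethernet-style frame.
TS_NS = 1545326400 * NS_PER_SEC + 123456789
FRAME = bytes.fromhex('ffffffffffff 001122334455 0800') + b'constructed!'


def write_pcap(records, nano=False, snaplen=65536, linktype=DLT_EN10MB):
    """Serialize (ts_ns, frame) records into a pcap file image (bytes).

    With nano=False the fraction is truncated to microseconds, which is the
    precision loss described in the issue; with nano=True it is kept.
    """
    magic = PCAP_MAGIC_NANO if nano else PCAP_MAGIC_MICRO
    # global header: magic, major=2, minor=4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack('<IHHiIII', magic, 2, 4, 0, 0, snaplen, linktype))
    for ts_ns, frame in records:
        sec, frac_ns = divmod(ts_ns, NS_PER_SEC)
        frac = frac_ns if nano else frac_ns // 1000
        caplen = min(len(frame), snaplen)
        # record header: ts_sec, ts_frac, caplen (bytes saved), origlen (bytes on the wire)
        out += struct.pack('<IIII', sec, frac, caplen, len(frame))
        out += frame[:caplen]
    return bytes(out)


def read_pcap(data):
    """Parse a pcap image; returns (precision, [(ts_ns, frame), ...]).

    Detects both byte orders and both magics. A reader that assumes
    microseconds is off by a factor of 1000 on a nanosecond file, so the
    magic must be checked before scaling the fraction.
    """
    if len(data) < 24:
        raise ValueError('too short for a pcap global header')
    for endian in ('<', '>'):
        magic, = struct.unpack_from(endian + 'I', data, 0)
        if magic in (PCAP_MAGIC_MICRO, PCAP_MAGIC_NANO):
            break
    else:
        raise ValueError('unknown pcap magic %r' % data[:4])
    scale = 1 if magic == PCAP_MAGIC_NANO else 1000  # nanoseconds per fraction unit
    precision = 'nano' if magic == PCAP_MAGIC_NANO else 'micro'
    off = 24
    records = []
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError('truncated record header at offset %d' % off)
        sec, frac, caplen, _origlen = struct.unpack_from(endian + 'IIII', data, off)
        off += 16
        frame = data[off:off + caplen]
        if len(frame) != caplen:
            raise ValueError('truncated packet data at offset %d' % off)
        off += caplen
        records.append((sec * NS_PER_SEC + frac * scale, frame))
    return precision, records


def roundtrip(ts_ns, frame, nano):
    """Write one record and read it back; returns (precision, ts_ns_read, frame_read)."""
    precision, recs = read_pcap(write_pcap([(ts_ns, frame)], nano=nano))
    return precision, recs[0][0], recs[0][1]


if __name__ == '__main__':
    for nano in (False, True):
        precision, ts_read, _ = roundtrip(TS_NS, FRAME, nano)
        print('%-5s magic: wrote %d ns, read back %d ns' % (precision, TS_NS, ts_read))
```

Running it shows the microsecond file coming back with the last three digits of the fraction zeroed while the nanosecond file round-trips exactly. It also shows why the trailer question is separate from the timestamp question: the record stores whatever caplen bytes the writer hands it, so extra bytes at the end of a frame survive or vanish depending on what the capture side delivered, not on which magic the file uses.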

@mikewalshchicago Thanks for the tip.

JohnTroony, Jan 01 '19 21:01