kamene
Failed to read pcap file using PcapReader
Hi! When I try to read a pcap file on a CentOS 7 or Ubuntu host, I get an error:
WARNING: RawPcapReader: unknown LL type [1]/[0x1]. Using Raw packets
Traceback (most recent call last):
File "/usr/lib/python3.4/site-packages/scapy/utils.py", line 829, in read_packet
p = self.reader.LLclsi
TypeError: 'NoneType' object is not callable
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "
with PcapReader('/home/alex/pcaps/1512559393.pcap') as in_pcap:
...     for pkt in in_pcap:
...         ip = pkt.getlayer(1)
Any idea what is the issue there?
Thanks in advance.
Sorry, I've found the issue.
I need to use from scapy.all import PcapReader instead of from scapy.utils import PcapReader.
It's strange, but I think some modules are not initialized in this case.
Issue from original scapy
So, I'm closing the issue.
Thanks for posting solution!
Today with the most recent version this issue is still present. The import is removed by the IDE but seems to be needed.
Can we reopen this? The solution isn't really a solution at all, it's just a workaround. This seems more like a bug to me.
Please, @big-o add details on python version you execute with.
sys.version_info(major=3, minor=8, micro=10, releaselevel='final', serial=0)
Running the latest version of Kamene installed via pip (0.32 I believe)
I have tested on the latest version from github with python 3.8, and I cannot repeat your issue. Of course, there is a difference that I use from kamene.all import PcapReader
Otherwise, I can successfully execute the code from the comment at the beginning of the issue.
Just tested using version from pip, too. At least on Linux, python 3.8.10, cannot repeat.
@big-o Please, post your code and your error message.
>>> import sys
>>> print(sys.version)
3.8.10 (default, Sep 28 2021, 16:10:42)
[GCC 9.3.0]
>>> from kamene.utils import PcapReader
>>> with PcapReader('nb6-http.pcap') as pcap:
...     for pkt in pcap:
...         print(pkt)
...
WARNING: RawPcapReader: unknown LL type [1]/[0x1]. Using Raw packets
Traceback (most recent call last):
File "/home/user/.local/lib/python3.8/site-packages/kamene/utils.py", line 829, in read_packet
p = self.reader.LLcls[i](s)
TypeError: 'NoneType' object is not callable
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 2, in <module>
File "/home/user/.local/lib/python3.8/site-packages/kamene/utils.py", line 817, in __next__
pkt = self.read_packet()
File "/home/user/.local/lib/python3.8/site-packages/kamene/utils.py", line 835, in read_packet
p = conf.raw_layer(s)
TypeError: 'NoneType' object is not callable
... however importing from all works fine:
>>> from kamene.all import PcapReader
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
>>> with PcapReader('nb6-http.pcap') as pcap:
...     for pkt in pcap:
...         print(pkt)
...         break
...
WARNING: Unless called manually, this could indicate deprecated use. Should be changed to bytes(self)
b'\x00\x173a\x00\x00\xe0\xa1\xd7\x18\xc2s\x88d\x11\x00;\x1a\x00K\x00!E\x00\x00Id?@\x00@\x11\xd5n_\x88\xf2cm\x00B\n\x92\x9f\x005\x005\xe6\x93\x00\x02\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x04ncdn\x06nb6dsl\x07neufbox\x04neuf\x02fr\x00\x00\x1c\x00\x01'
Should have added, running on Ubuntu 20.04.3 LTS
For all typical use cases you should use from kamene.all import PcapReader. Is there any reason why you want to import from util?
So I understand that there's a workaround, but my point is that it's just a workaround and not a solution.
I'm new to kamene and just had a quick look through the code before trying it. I reasonably assumed that if the same thing is available in multiple modules then it shouldn't matter where I import it from, and that it would be more pythonic to import it from where it is defined (explicit is better than implicit).
I had to go looking through GitHub issues to figure out why my code didn't work; maybe other new users would not do this and just give up.
So I would flip the question around: why does kamene allow PcapReader to be imported from multiple places if some of them don't work? To give expected behaviour, either all of the available import options should be fixed or the broken ones should be removed.
Basically, for any standard usage you import all from kamene.all. You need many modules to handle packet parsing and importing from all provides this automatically. To parse an IP packet you need IP layer, etc. Modules are not as standalone as one could wish, but fixing it would basically mean rewriting everything. I agree that some warning in some situations might help, but it is not a priority. If you feel this should be added to the documentation - please, propose fixes.
You can start with basic examples in ReadMe and in doc. Once you get the design idea, it is pretty straightforward.
Also, built in help in the shell is handy. Use ls() to get list of commands and lsc() to get information on specific layers.
btw, PcapReader is by itself for a more advanced usage (e.g. reading large count of packets). rdpcap() is iterating through .pcap file and creating a list of packets. It might be enough for many of your use cases.
Adding some color here -- I run some tests on pcap files using Python in both Linux and Windows. I noticed WARNING: PcapReader: unknown LL type [1]/[0x1] with from scapy.utils import * when running a test on Linux, but the same exact script running on Windows doesn't return this result.
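
Added example, not part of the thread and not kamene's or scapy's code: a simplified model of why the "unknown LL type [1]" warning and the TypeError appear together. The pcap global header carries a link type (1 is Ethernet), and a reader can only dissect frames if some module has registered a class for that type; `LL_TYPES`, `RAW_LAYER` and `load_layers()` are hypothetical stand-ins for that registry, and the sample capture is constructed.

```python
import struct

LL_TYPES = {}      # pcap linktype -> dissector, filled in only by layer modules
RAW_LAYER = None   # fallback dissector, also set only when layers are loaded

def load_layers():
    """Hypothetical stand-in for the side effects of importing the full package."""
    global RAW_LAYER
    RAW_LAYER = lambda frame: ("Raw", frame)
    # linktype 1 is Ethernet (LINKTYPE_ETHERNET / DLT_EN10MB)
    LL_TYPES[1] = lambda frame: ("Ether", frame[0:6].hex(":"), frame[6:12].hex(":"))

def read_pcap(data):
    """Return (linktype, [dissected packets]) for a classic pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (bad magic)")
    # The 24-byte global header ends with the 32-bit link type at offset 20.
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    dissect = LL_TYPES.get(linktype, RAW_LAYER)
    if dissect is None:
        # Fail with a clear message instead of calling None as in the traceback.
        raise RuntimeError("no dissector for linktype %d and no raw fallback: "
                           "layer modules were never loaded" % linktype)
    packets, offset = [], 24
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_usec, captured length, original length.
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet record")
        packets.append(dissect(data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, packets

def build_sample_pcap():
    """Constructed sample: little-endian pcap with one 14-byte Ethernet header."""
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0800")
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return header + record + frame

if __name__ == "__main__":
    load_layers()
    print(read_pcap(build_sample_pcap()))
```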