Issue reading packets from a pcap file. dpkt module. What gives?


I am running the following test script to try to read packets from a sample .pcap file I have downloaded. It won't seem to run. I have all of the modules, but no examples seem to be running.

import socket
import dpkt
import sys
pcapReader = dpkt.pcap.Reader(file("test1.pcap", "rb"))
for ts, data in pcapReader:
    ether = dpkt.ethernet.Ethernet(data)
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
    ip = ether.data
    src = socket.inet_ntoa(ip.src)
    dst = socket.inet_ntoa(ip.dst)
    print "%s -> %s" % (src, dst)

For some reason, this is not being interpreted properly. When running it, I get

KeyError: 138

module body   in test.py at line 4
function __init__     in pcap.py at line 105
Program exited.

Why is this? What's wrong? Is there an issue with my installation? I'm using Python 2.6 on a Mac.


There are 4 answers

0
PSS On

Do


pcapReader = dpkt.pcap.Reader(open('test1.pcap'))

Instead of:


pcapReader = dpkt.pcap.Reader(file("test1.pcap", "rb"))

0
user405925 On

Line 105 of dpkt.pcap module is using the pcap file's link type to access a dictionary of link type mappings:

        self.dloff = dltoff[self.__fh.linktype]

The dltoff dictionary is defined at the top of the module and it does not contain the key 138, hence the exception you are seeing. According to tcpdump's link types page, a value of 138 is the link type for LINKTYPE_APPLE_IP_OVER_IEEE1394. If this is not the link type you expect, then the pcap file may be corrupt. Otherwise you could try updating the dltoff dictionary and add an entry for 138. According to its packet structure, its header is 18 bytes long. So adding the following instructions after line 40 of dpkt/pcap.py should work:

        LINKTYPE_APPLE_IP_OVER_IEEE1394 = 138
        dltoff[LINKTYPE_APPLE_IP_OVER_IEEE1394] = 18

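
A way to see the link type for yourself before handing the file to a reader: the value sits in the last field of the capture's 24-byte global header. This is an added example, not code from the answers or from dpkt; `read_linktype`, `describe`, `make_header` and the `supported` set are hypothetical names, and the sample headers are constructed.

```python
import io
import struct

# Magic numbers of the classic pcap global header (microsecond and nanosecond variants).
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}
PCAPNG_SHB = 0x0A0D0D0A  # pcapng Section Header Block type, not a classic pcap file

# Link types named on this page plus Ethernet; anything else is reported by number.
LINKTYPE_NAMES = {1: "LINKTYPE_ETHERNET", 138: "LINKTYPE_APPLE_IP_OVER_IEEE1394"}


def read_linktype(fh):
    """Return (byte_order, linktype) from the 24-byte pcap global header."""
    header = fh.read(24)
    if len(header) < 24:
        raise ValueError("truncated file: pcap global header is 24 bytes")
    for order in ("<", ">"):
        # magic, version major/minor, thiszone, sigfigs, snaplen, network (link type)
        magic, _maj, _min, _zone, _sigfigs, _snaplen, network = struct.unpack(
            order + "IHHiIII", header)
        if magic in PCAP_MAGICS:
            return ("little" if order == "<" else "big"), network
    if struct.unpack("<I", header[:4])[0] == PCAPNG_SHB:
        raise ValueError("pcapng capture, not classic pcap")
    raise ValueError("not a pcap file (bad magic %r)" % header[:4])


def describe(fh, supported):
    """Report whether the file's link type is among the keys in `supported`."""
    _order, linktype = read_linktype(fh)
    name = LINKTYPE_NAMES.get(linktype, "link type %d" % linktype)
    status = "supported" if linktype in supported else "unsupported, not in offset table"
    return linktype, "%s: %s" % (name, status)


def make_header(linktype, order="<"):
    """Constructed sample: a pcap global header with no packets after it."""
    return struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


if __name__ == "__main__":
    supported = {0, 1}  # assumed stand-in for the keys of the reader's dltoff table
    for sample in (make_header(1), make_header(138, ">")):
        print(describe(io.BytesIO(sample), supported))
```

To check a real capture, pass `open("test1.pcap", "rb")` as `fh` and the keys of the installed module's offset table as `supported`.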
0
John Machin On

Well you seem to be short of assistance ... I don't know a pcap from a kneecap, so all I can do is try to help you help yourself. Suggestions:

(1) Have you had a look at line 105 of pcap.py? I guess that the "KeyError: 138" means that it is trying to access a dictionary, but the dictionary doesn't have 138 (or "138") as a key. What is the variable containing 138? A byte from a packet?

(2) Consider asking the author/maintainer of pcap.

(3) Consider providing a URL for pcap.

0
Richy.Guo On

I also encountered a similar problem, but mine was KEY ERROR 192.

I found that my dpkt/pcap.py is not complete and is a very old version.

So I uninstalled the current package

sudo apt-get remove python-dpkt

Use pip to install the latest

pip install dpkt

And that finally solved the problem, good luck to you!