Hi,
I'm new to GitHub so I apologize if this is not the correct place to ask questions. I am not sure if this is an issue, or my own ignorance, but I am using pcapy to read a live bytestream and record it to a .pcap file. Doing so was fairly easy with the documentation I found on the web, but when I view the pcap in Wireshark I have two issues:
- The header timestamp is in microsecond precision only. If I capture from the same interface using tcpdump with "--time-stamp-precision nano", I see the header timestamps in nanoseconds.
- The headers and payloads look fine in my pcap, but each message also has an 8 byte packet trailer which I do not see. If I use tcpdump with -K (this may not be necessary but checksum is what I suspect is why pcapy doesn't read it), each message will include the packet trailer.

Because special arguments are needed to get the output I want with tcpdump, I suspect that libpcap needs to be told to turn these features on. Does pcapy support either request?
FWIW, here is a stripped down sample of what my code is doing. It is a bit more complicated, else I would be using tcpdump to create the captures:
```python
import dpkt
import pcapy

# interface, path and filename come from the CLI arguments (parsing not shown)

# first, i'm opening the bytestream, passing the desired interface from cli arguments:
cap = pcapy.open_live(interface, 65536, 1, 0)
# open the output file once, before the loop, so every packet lands in the same capture
dumper = cap.dump_open(path + filename + '.pcap')

# i want to write every UDP message in this packet capture, so i do the following:
while True:
    (header, packet) = cap.next()
    if header is None:
        continue  # nothing was read on this call
    ethernet = dpkt.ethernet.Ethernet(packet)
    if ethernet.type == dpkt.ethernet.ETH_TYPE_IP:
        ip = ethernet.data
        if ip.p == dpkt.ip.IP_PROTO_UDP:
            udp = ip.data
            # there's some processing that goes on in the middle, but i am not manipulating the output.
            dumper.dump(header, packet)
```
I read that someone edited the source to enable at least the nanosecond precision, however as it is from 2014 I assume they never made a pull request or shared their code contribution:
https://stackoverflow.com/questions/21764341/pcap-nanoseconds-python
I'd appreciate any help you can give me, and I'm happy to help where I can with diagnosis.
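
Both symptoms can be checked directly in the written file, shown here as an added example that is not part of the original post or of pcapy: the pcap magic number says whether record timestamps are in microseconds or nanoseconds, and comparing each captured frame length with the IPv4 total length shows how many trailer bytes were recorded. The sample capture is constructed inline, `inspect_pcap` and `build_sample` are hypothetical names, and VLAN-tagged frames are not handled.

```python
import struct

# pcap magic numbers as they appear on disk: they select byte order and timestamp unit.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "micro"), b"\xa1\xb2\xc3\xd4": (">", "micro"),
    b"\x4d\x3c\xb2\xa1": ("<", "nano"), b"\xa1\xb2\x3c\x4d": (">", "nano"),
}

def inspect_pcap(data):
    """Return (precision, [(ts_sec, ts_frac, trailer_len), ...]) for an Ethernet pcap."""
    if data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, precision = MAGICS[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    records, off = [], 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        trailer = None  # None: not IPv4, or truncated by snaplen, so unknown
        if incl_len == orig_len and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            ip_total = struct.unpack("!H", frame[16:18])[0]
            # Bytes after the IP datagram; on frames under 60 bytes this
            # also counts ordinary Ethernet padding.
            trailer = len(frame) - 14 - ip_total
        records.append((ts_sec, ts_frac, trailer))
    return precision, records

def build_sample(nano):
    """Constructed sample: one UDP/IPv4 frame followed by 8 trailer bytes."""
    magic = 0xA1B23C4D if nano else 0xA1B2C3D4
    ghdr = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65536, 1)
    payload = b"x" * 32
    udp = struct.pack("!HHHH", 5000, 5001, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + udp
    frame = b"\x02" * 12 + b"\x08\x00" + ip + b"\xaa" * 8
    frac = 123456789 if nano else 123456  # fraction is ns or us depending on magic
    rhdr = struct.pack("<IIII", 1700000000, frac, len(frame), len(frame))
    return ghdr + rhdr + frame

if __name__ == "__main__":
    for nano in (False, True):
        print(inspect_pcap(build_sample(nano)))
```

Running `inspect_pcap(open(name, "rb").read())` on the pcapy output and on the tcpdump output shows at a glance which of the two differences actually reached the file.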