On 2018-04-05, supsw...@gmail.com <supsw...@gmail.com> wrote:
> Hi,
>
> I am using the dpkt python package to parse a .pcap file and I am able to do
> so successfully.
>
> My requirement is to filter some of the traffic from the big .pcap
> file and to export the result to another file.
>
> I don't know how to do this.
The easiest way is to use tcpdump on the command line. Let's say you've got a huge file (huge.pcap), and all you want to see is TCP traffic to/from 10.0.0.104:

    tcpdump -r huge.pcap -w output.pcap tcp and host 10.0.0.104

If you insist on doing it in Python, then you can use pylibpcap to read/parse the file:

    https://sourceforge.net/projects/pylibpcap/files/pylibpcap/

When reading the file, you can use the normal capture filters that you use with tcpdump. Once you've read the packet, you can apply your own logic if you want.

I don't recall ever trying to install it on Windows. It requires the pcap library, which is available for Windows.

I don't recall that it has methods to write a file, so you may have to roll that bit yourself. If you want to write something from scratch, here's the file format:

    https://wiki.wireshark.org/Development/LibpcapFileFormat

You should be able to use ctypes to directly access the winpcap library if you want to:

    https://www.winpcap.org/

-- 
Grant Edwards               grant.b.edwards at gmail.com
                            Yow! Up ahead! It's a DONUT HUT!!
-- 
https://mail.python.org/mailman/listinfo/python-list
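As an added example (not code from the thread or from dpkt/pylibpcap), here is the "roll that bit yourself" route in pure standard-library Python: it reads the libpcap file format described at the Wireshark wiki link, keeps only IPv4/TCP frames to or from a host (the same selection as the tcpdump filter `tcp and host 10.0.0.104` for plain Ethernet captures), and writes the survivors to a new pcap. It also goes slightly beyond the post by accepting both pcap byte orders and refusing truncated files rather than silently dropping records. The sample capture is constructed in memory, so the script runs offline; `huge.pcap`, `output.pcap`, the host 10.0.0.104 and all function names are assumptions.

```python
import ipaddress
import struct
from io import BytesIO

# Constants from the libpcap file format (wiki.wireshark.org/Development/LibpcapFileFormat)
PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution magic in the writer's native byte order
DLT_EN10MB = 1            # link type: Ethernet
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_pcap(data):
    """Parse pcap bytes into (linktype, snaplen, [(ts_sec, ts_usec, orig_len, frame), ...]).

    Both byte orders are accepted.  Truncated headers or records raise ValueError
    instead of being dropped, so a corrupt input cannot masquerade as "no match".
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a microsecond pcap file, magic=%#x" % magic)
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, records


def write_pcap(linktype, snaplen, records):
    """Serialize records into a little-endian pcap byte string (version 2.4)."""
    out = BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, orig_len, frame in records:
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len))
        out.write(frame)
    return out.getvalue()


def tcp_with_host(frame, host):
    """True if an Ethernet frame carries IPv4/TCP with `host` as source or destination.

    Short or malformed frames are rejected rather than raising.
    """
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl or ip[9] != IPPROTO_TCP:
        return False
    want = ipaddress.IPv4Address(host)
    return want in (ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20]))


def filter_pcap(pcap_bytes, predicate):
    """Return a new pcap holding only the records whose frame satisfies predicate."""
    linktype, snaplen, records = parse_pcap(pcap_bytes)
    return write_pcap(linktype, snaplen, [r for r in records if predicate(r[3])])


def filtered_count(pcap_bytes, host):
    """Number of records tcpdump-style 'tcp and host <host>' would keep."""
    return len(parse_pcap(filter_pcap(pcap_bytes, lambda f: tcp_with_host(f, host)))[2])


# --- constructed sample capture (not a real trace); checksums deliberately zero ---
def _frame(src, dst, proto, payload):
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def _record(ts_sec, frame):
    return (ts_sec, 0, len(frame), frame)


SAMPLE_PCAP = write_pcap(DLT_EN10MB, 65535, [
    _record(1522900000, _frame("10.0.0.104", "192.168.1.1", IPPROTO_TCP, b"\x00" * 20)),  # keep
    _record(1522900001, _frame("10.0.0.104", "192.168.1.1", IPPROTO_UDP, b"\x00" * 8)),   # drop: UDP
    _record(1522900002, _frame("192.168.1.2", "192.168.1.1", IPPROTO_TCP, b"\x00" * 20)), # drop: other host
    _record(1522900003, _frame("192.168.1.1", "10.0.0.104", IPPROTO_TCP, b"\x00" * 20)),  # keep: reply
])

if __name__ == "__main__":
    # Assumed file names; replace SAMPLE_PCAP with open("huge.pcap", "rb").read() for a real file.
    kept = filter_pcap(SAMPLE_PCAP, lambda f: tcp_with_host(f, "10.0.0.104"))
    with open("output.pcap", "wb") as fh:
        fh.write(kept)
    print("kept %d of %d packets" % (len(parse_pcap(kept)[2]), len(parse_pcap(SAMPLE_PCAP)[2])))
```

The filter only understands Ethernet/IPv4; captures with VLAN tags, other link types or IPv6 fall through to "no match", which is the safe direction for an export filter. For a multi-gigabyte file you would stream records from the file object instead of reading it whole, but the record layout is the same.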