Issue reading packets from a pcap file. dpkt module. What gives?

Question

Issue reading packets from a pcap file. dpkt module. What gives?

6.2k Views Asked by Chris At 22 March 2010 at 00:09

I am running the following test script to try to read packets from a sample .pcap file I have downloaded. It won't seem to run. I have all of the modules, but no examples seem to be running.

import socket
import dpkt
import sys
pcapReader = dpkt.pcap.Reader(file("test1.pcap", "rb"))
for ts, data in pcapReader:
    ether = dpkt.ethernet.Ethernet(data)
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
    ip = ether.data
    src = socket.inet_ntoa(ip.src)
    dst = socket.inet_ntoa(ip.dst)
    print "%s -> %s" % (src, dst)

For some reason, this is not being interpreted properly. When running it, I get

KeyError: 138

module body   in test.py at line 4
function __init__     in pcap.py at line 105
Program exited.

Why is this? What's wrong? Is there an issue with my installation? I'm using Python 2.6 on a mac

Original Q&A

There are 4 best solutions below

**John Machin** · Answer 1 · 2010-03-22T13:54:08.960000

Well you seem to be short of assistance ... I don't know a pcap from a kneecap, so all I can do is try to help you help yourself. Suggestions:

(1) Have you had a look at line 105 of pcap.py? I guess that the "KeyError: 138" means that it is trying to access a dictionary, but the dictionary doesn't have 138 (or "138") as a key. What is the variable containing 138? A byte from a packet?

(2) Consider asking the author/maintainer of pcap.

(3) Consider providing a URL for pcap.

**PSS** · Answer 2 · 2011-02-09T21:59:01.780000

PSS On 09 February 2011 at 21:59

Do


pcapReader = dpkt.pcap.Reader(open('test1.pcap'))

Instead of:


pcapReader = dpkt.pcap.Reader(file("test1.pcap", "rb"))

**user405925** · Answer 3 · 2012-05-18T12:53:49.127000

Line 105 of dpkt.pcap module is using the pcap file's link type to access a dictionary of link type mappings:

        self.dloff = dltoff[self.__fh.linktype]

The dltoff dictionary is defined at the top of the module and it does not contain the key 138, hence the exception you are seeing. According to tcpdump's link types page a value of 138 is the link type for LINKTYPE_APPLE_IP_OVER_IEEE1394. If this is not the link type you expect then the pacp file may be corrupt. Otherwise you could try updating the dltoff dictionary and add an entry for 138. According to its packet structure its header is 18 bytes long. So adding the following instructions after line 40 of dkpt/pcap.py should work:

        LINKTYPE_APPLE_IP_OVER_IEEE1394 = 138
        dltoff[LINKTYPE_APPLE_IP_OVER_IEEE1394 ] = 18

**Richy.Guo** · Answer 4 · 2017-04-11T06:26:17.527000

I also encountered similar problems, but I was KEY ERROR 192.

I found that my dkpt/pcap.py is not complete and is a very old version.

So I uninstalled the current package

sudo apt-get remove python-dpkt

Use pip to intall the latest

pip install dpkt

And that finally solved the problem, good luck to you!

Issue reading packets from a pcap file. dpkt module. What gives?

There are 4 best solutions below

Related Questions in PYTHON

Related Questions in PACKET

Related Questions in PCAP

Related Questions in PACKET-MANGLING

Trending Questions

Popular # Hahtags

Popular Questions