PyPCAPKit - Stream PCAP File Extractor¶
The PyPCAPKit project is an open source Python program focus
on PCAP parsing and analysis, which works as a stream PCAP file extractor.
With support of DictDumper, it shall support multiple
output report formats.
Important
The whole project supports Python 3.6 or later.
Module Documentation¶
pcapkit is an independent open source library, using only
DictDumper as its formatted output dumper.
Unlike popular PCAP file extractors, such as Scapy,
DPKT, PyShark, and etc, pcapkit uses streaming
strategy to read input files. That is to read frame by
frame, decrease occupation on memory, as well as enhance
efficiency in some way.
User Interface¶
pcapkit.interface defines several user-oriented
interfaces, variables, and etc. These interfaces are
designed to help and simplify the usage of pcapkit.
Core User Interface¶
pcapkit.interface.core defines core user-oriented
interfaces, variables, and etc., which wraps around the
foundation classes from pcapkit.foundation.
PCAP Extration¶
Payload Reassembly¶
TCP Flow Tracing¶
Output File Formats¶
- pcapkit.interface.core.TREE = 'tree'¶
- pcapkit.interface.core.JSON = 'json'¶
- pcapkit.interface.core.PLIST = 'plist'¶
- pcapkit.interface.core.PCAP = 'pcap'¶
Layer Thresholds¶
- pcapkit.interface.core.RAW = 'none'¶
- pcapkit.interface.core.LINK = 'link'¶
- pcapkit.interface.core.INET = 'internet'¶
- pcapkit.interface.core.TRANS = 'transport'¶
- pcapkit.interface.core.APP = 'application'¶
Extration Engines¶
- pcapkit.interface.core.DPKT = 'dpkt'¶
- pcapkit.interface.core.Scapy = 'scapy'¶
- pcapkit.interface.core.PCAPKit = 'default'¶
- pcapkit.interface.core.PyShark = 'pyshark'¶
Auxiliary Interface¶
pcapkit.interface.misc contains miscellaneous
user interface functions, classes, etc., which are
generally provided per user’s requests.
Data Structures¶
Library Foundation¶
pcapkit.foundation is a collection of foundations for
pcapkit, including PCAP file extraction tool
Extrator, TCP flow tracer
TraceFlow, registry management
APIs for pcapkit, and TCP/IP reassembly implementations.
Extractor for PCAP Files¶
pcapkit.foundation.extraction contains
Extractor only,
which synthesises file I/O and protocol analysis,
coordinates information exchange in all network layers,
extracts parametres from a PCAP file.
Data Structures¶
Trace TCP Flows¶
pcapkit.foundation.traceflow is the interface to trace
TCP flows from a series of packets and connections.
Note
This was implemented as the demand of my mate @gousaiyang
Terminology¶
- trace.packet¶
Data structure for TCP flow tracing (
TraceFlow.dump) is as following:tract_dict = dict( protocol=data_link, # data link type from global header index=frame.info.number, # frame number frame=frame.info, # extracted frame info syn=tcp.flags.syn, # TCP synchronise (SYN) flag fin=tcp.flags.fin, # TCP finish (FIN) flag src=ip.src, # source IP dst=ip.dst, # destination IP srcport=tcp.srcport, # TCP source port dstport=tcp.dstport, # TCP destination port timestamp=frame.info.time_epoch, # frame timestamp )
See also
pcapkit.foundation.traceflow.Packet- trace.buffer¶
Data structure for internal buffering when performing flow tracing algorithms (
TraceFlow._buffer) is as following:(dict) buffer --> memory buffer for reassembly |--> (tuple) BUFID : (dict) | |--> ip.src | | |--> tcp.srcport | | |--> ip.dst | | |--> tcp.dstport | | |--> 'fpout' : (dictdumper.dumper.Dumper) output dumper object | |--> 'index': (list) list of frame index | | |--> (int) frame index | |--> 'label': (str) flow label generated from ``BUFID`` |--> (tuple) BUFID ...
See also
pcapkit.foundation.traceflow.Buffer- trace.index¶
Data structure for TCP flow tracing (element from
TraceFlow.indextuple) is as following:(tuple) index |--> (Info) data | |--> 'fpout' : (Optional[str]) output filename if exists | |--> 'index': (tuple) tuple of frame index | | |--> (int) frame index | |--> 'label': (str) flow label generated from ``BUFID`` |--> (Info) data ...
See also
pcapkit.foundation.traceflow.Index
Data Structures¶
Fragmented Packets Reassembly¶
pcapkit.reassembly bases on algorithms described
in RFC 791 and RFC 815, implements datagram reassembly
of IP and TCP packets.
Base Class¶
pcapkit.foundation.reassembly.reassembly contains
Reassembly only,
which is an abstract base class for all reassembly classes,
bases on algorithms described in RFC 791 and RFC 815,
implements datagram reassembly of IP and TCP packets.
IP Datagram Reassembly¶
The following algorithm implement is based on IP
reassembly procedure introduced in RFC 791, using
RCVBT (fragment receivedbit table). Though another
algorithm is explained in RFC 815, replacing RCVBT,
however, this implement still used the elder one.
Algorithm¶
See also
The algorithm is described in RFC 791.
|
Fragment Offset |
|
Internet Header Length |
|
More Fragments Flag |
|
Time To Live |
|
Number of Fragment Blocks |
|
Total Length |
|
Total Data Length |
|
Buffer Identifier |
|
Fragment Received Bit Table |
|
Timer Lower Bound |
DO {
BUFID <- source|destination|protocol|identification;
IF (FO = 0 AND MF = 0) {
IF (buffer with BUFID is allocated) {
flush all reassembly for this BUFID;
Submit datagram to next step;
DONE.
}
}
IF (no buffer with BUFID is allocated) {
allocate reassembly resources with BUFID;
TIMER <- TLB;
TDL <- 0;
put data from fragment into data buffer with BUFID
[from octet FO*8 to octet (TL-(IHL*4))+FO*8];
set RCVBT bits [from FO to FO+((TL-(IHL*4)+7)/8)];
}
IF (MF = 0) {
TDL <- TL-(IHL*4)+(FO*8)
}
IF (FO = 0) {
put header in header buffer
}
IF (TDL # 0 AND all RCVBT bits [from 0 to (TDL+7)/8] are set) {
TL <- TDL+(IHL*4)
Submit datagram to next step;
free all reassembly resources for this BUFID;
DONE.
}
TIMER <- MAX(TIMER,TTL);
} give up until (next fragment or timer expires);
timer expires: {
flush all reassembly with this BUFID;
DONE.
}
Base Class¶
pcapkit.foundation.reassembly.ip contains
IP_Reassembly
only, which reconstructs fragmented IP packets back to
origin.
IPv4 Datagram Reassembly¶
pcapkit.foundation.reassembly.ipv4 contains
IPv4_Reassembly
only, which reconstructs fragmented IPv4 packets back to
origin. Please refer to Base Class for more information.
- ipv4.packet¶
Data structure for IPv4 datagram reassembly (
IPv4_Reassembly.reassembly) is as following:packet_dict = dict( bufid = tuple( ipv4.src, # source IP address ipv4.dst, # destination IP address ipv4.id, # identification ipv4.proto, # payload protocol type ), num = frame.number, # original packet range number fo = ipv4.frag_offset, # fragment offset ihl = ipv4.hdr_len, # internet header length mf = ipv4.flags.mf, # more fragment flag tl = ipv4.len, # total length, header includes header = ipv4.header, # raw bytes type header payload = ipv4.payload, # raw bytearray type payload )
- ipv4.datagram¶
Data structure for reassembled IPv4 datagram (element from
IPv4_Reassembly.datagramtuple) is as following:(tuple) datagram |--> (Info) data | |--> 'completed' : (bool) True --> implemented | |--> 'id' : (Info) original packet identifier | | |--> 'src' --> (IPv4Address) ipv4.src | | |--> 'dst' --> (IPv4Address) ipv4.dst | | |--> 'id' --> (int) ipv4.id | | |--> 'proto' --> (EtherType) ipv4.proto | |--> 'index' : (tuple) packet numbers | | |--> (int) original packet range number | |--> 'header' : (bytes) IPv4 header | |--> 'payload' : (bytes) reassembled IPv4 payload | |--> 'packet' : (Protocol) parsed reassembled payload |--> (Info) data | |--> 'completed' : (bool) False --> not implemented | |--> 'id' : (Info) original packet identifier | | |--> 'src' --> (IPv4Address) ipv4.src | | |--> 'dst' --> (IPv4Address) ipv4.dst | | |--> 'id' --> (int) ipv4.id | | |--> 'proto' --> (EtherType) ipv4.proto | |--> 'index' : (tuple) packet numbers | | |--> (int) original packet range number | |--> 'header' : (bytes) IPv4 header | |--> 'payload' : (tuple) partially reassembled IPv4 payload | | |--> (bytes) IPv4 payload fragment | | |--> ... | |--> 'packet' : (None) |--> (Info) data ...
- ipv4.buffer¶
Data structure for internal buffering when performing reassembly algorithms (
IPv4_Reassembly._buffer) is as following:(dict) buffer --> memory buffer for reassembly |--> (tuple) BUFID : (dict) | |--> ipv4.src | | |--> ipv4.dst | | |--> ipv4.id | | |--> ipv4.proto | | |--> 'TDL' : (int) total data length | |--> 'RCVBT' : (bytearray) fragment received bit table | | |--> (bytes) b'\\x00' -> not received | | |--> (bytes) b'\\x01' -> received | | |--> (bytes) ... | |--> 'index' : (list) list of reassembled packets | | |--> (int) packet range number | |--> 'header' : (bytes) header buffer | |--> 'datagram' : (bytearray) data buffer, holes set to b'\\x00' |--> (tuple) BUFID ...
IPv6 Datagram Reassembly¶
pcapkit.foundation.reassembly.ipv6 contains
IPv6_Reassembly
only, which reconstructs fragmented IPv6 packets back to
origin. Please refer to Base Class for more information.
- ipv6.packet¶
Data structure for IPv6 datagram reassembly (
IPv6_Reassembly.reassembly) is as following:packet_dict = dict( bufid = tuple( ipv6.src, # source IP address ipv6.dst, # destination IP address ipv6.label, # label ipv6_frag.next, # next header field in IPv6 Fragment Header ), num = frame.number, # original packet range number fo = ipv6_frag.offset, # fragment offset ihl = ipv6.hdr_len, # header length, only headers before IPv6-Frag mf = ipv6_frag.mf, # more fragment flag tl = ipv6.len, # total length, header includes header = ipv6.header, # raw bytes type header before IPv6-Frag payload = ipv6.payload, # raw bytearray type payload after IPv6-Frag )
- ipv6.datagram¶
Data structure for reassembled IPv6 datagram (element from
IPv6_Reassembly.datagramtuple) is as following:(tuple) datagram |--> (Info) data | |--> 'completed' : (bool) True --> implemented | |--> 'id' : (Info) original packet identifier | | |--> 'src' --> (IPv6Address) ipv6.src | | |--> 'dst' --> (IPv6Address) ipv6.dst | | |--> 'id' --> (int) ipv6.label | | |--> 'proto' --> (EtherType) ipv6_frag.next | |--> 'index' : (tuple) packet numbers | | |--> (int) original packet range number | |--> 'payload' : (bytes) reassembled IPv4 packet | |--> 'packet' : (Protocol) parsed reassembled payload |--> (Info) data | |--> 'completed' : (bool) False --> not implemented | |--> 'id' : (Info) original packet identifier | | |--> 'src' --> (IPv6Address) ipv6.src | | |--> 'dst' --> (IPv6Address) ipv6.dst | | |--> 'id' --> (int) ipv6.id | | |--> 'proto' --> (EtherType) ipv6_frag.next | |--> 'index' : (tuple) packet numbers | | |--> (int) original packet range number | |--> 'header' : (bytes) IPv4 header | |--> 'payload' : (tuple) partially reassembled IPv4 payload | | |--> (bytes) IPv4 payload fragment | | |--> ... | |--> 'packet' : (None) |--> (Info) data ...
- ipv6.buffer¶
Data structure for internal buffering when performing reassembly algorithms (
IPv6_Reassembly._buffer) is as following:(dict) buffer --> memory buffer for reassembly |--> (tuple) BUFID : (dict) | |--> ipv6.src | | |--> ipc6.dst | | |--> ipv6.label | | |--> ipv6_frag.next | | |--> 'TDL' : (int) total data length | |--> RCVBT : (bytearray) fragment received bit table | | |--> (bytes) b'\\x00' -> not received | | |--> (bytes) b'\\x01' -> received | | |--> (bytes) ... | |--> 'index' : (list) list of reassembled packets | | |--> (int) packet range number | |--> 'header' : (bytes) header buffer | |--> 'datagram' : (bytearray) data buffer, holes set to b'\\x00' |--> (tuple) BUFID ...
TCP Datagram Reassembly¶
pcapkit.foundation.reassembly.tcp contains
TCP_Reassembly only,
which reconstructs fragmented TCP packets back to origin.
The algorithm for TCP reassembly is described as below.
Algorithm¶
See also
This algorithm is an adaptation of the algorithm described in RFC 815.
|
Data Sequence Number |
|
TCP Acknowledgement |
|
TCP Synchronisation Flag |
|
TCP Finish Flag |
|
TCP Reset Connection Flag |
|
Buffer Identifier |
|
Hole Discriptor List |
|
Initial Sequence Number |
|
source IP |
|
destination IP |
|
source TCP port |
|
destination TCP port |
DO {
BUFID <- src|dst|srcport|dstport|ACK;
IF (SYN is true) {
IF (buffer with BUFID is allocated) {
flush all reassembly for this BUFID;
submit datagram to next step;
}
}
IF (no buffer with BUFID is allocated) {
allocate reassembly resources with BUFID;
ISN <- DSN;
put data from fragment into data buffer with BUFID
[from octet fragment.first to octet fragment.last];
update HDL;
}
IF (FIN is true or RST is true) {
submit datagram to next step;
free all reassembly resources for this BUFID;
BREAK.
}
} give up until (next fragment);
update HDL: {
DO {
select the next hole descriptor from HDL;
IF (fragment.first >= hole.first) CONTINUE.
IF (fragment.last <= hole.first) CONTINUE.
delete the current entry from HDL;
IF (fragment.first >= hole.first) {
create new entry "new_hole" in HDL;
new_hole.first <- hole.first;
new_hole.last <- fragment.first - 1;
BREAK.
}
IF (fragment.last <= hole.last) {
create new entry "new_hole" in HDL;
new_hole.first <- fragment.last + 1;
new_hole.last <- hole.last;
BREAK.
}
} give up until (no entry from HDL)
}
The following algorithm implement is based on IP Datagram
Reassembly Algorithm introduced in RFC 815. It described an
algorithm dealing with RCVBT (fragment received bit table)
appeared in RFC 791. And here is the process:
Select the next hole descriptor from the hole descriptor list. If there are no more entries, go to step eight.
If
fragment.firstis greater thanhole.last, go to step one.If
fragment.lastis less thanhole.first, go to step one.Delete the current entry from the hole descriptor list.
If
fragment.firstis greater thanhole.first, then create a new hole descriptornew_holewithnew_hole.firstequal tohole.first, andnew_hole.lastequal tofragment.firstminus one (-1).If
fragment.lastis less thanhole.lastandfragment.more_fragmentsistrue, then create a new hole descriptornew_hole, withnew_hole.firstequal tofragment.lastplus one (+1) andnew_hole.lastequal tohole.last.Go to step one.
If the hole descriptor list is now empty, the datagram is now complete. Pass it on to the higher level protocol processor for further handling. Otherwise, return.
Implementation¶
pcapkit.foundation.reassembly.tcp contains
Reassembly only,
which reconstructs fragmented TCP packets back to origin.
- tcp.packet¶
Data structure for TCP datagram reassembly (
TCP_Reassembly.reassembly) is as following:packet_dict = Info( bufid = tuple( ip.src, # source IP address tcp.srcport, # source port ip.dst, # destination IP address tcp.dstport, # destination port ), dsn = tcp.seq, # data sequence number ack = tcp.ack, # acknowledgement number num = frame.number, # original packet range number syn = tcp.flags.syn, # synchronise flag fin = tcp.flags.fin, # finish flag rst = tcp.flags.rst, # reset connection flag len = tcp.raw_len, # payload length, header excludes first = tcp.seq, # this sequence number last = tcp.seq + tcp.raw_len, # next (wanted) sequence number header = tcp.packet.header, # raw bytes type header payload = tcp.raw, # raw bytearray type payload )
- tcp.datagram¶
Data structure for reassembled TCP datagram (element from
TCP_Reassembly.datagramtuple) is as following:(tuple) datagram |--> (Info) data | |--> 'completed' : (bool) True --> implemented | |--> 'id' : (Info) original packet identifier | | |--> 'src' --> (tuple) | | | |--> (IPv4Address) ip.src | | | |--> (int) tcp.srcport | | |--> 'dst' --> (tuple) | | | |--> (IPv4Address) ip.dst | | | |--> (int) tcp.dstport | | |--> 'ack' --> (int) original packet ACK number | |--> 'index' : (tuple) packet numbers | | |--> (int) original packet range number | | |--> ... | |--> 'header' : (bytes) initial TCP header | |--> 'payload' : (bytes) reassembled payload | |--> 'packet' : (Protocol) parsed reassembled payload |--> (Info) data | |--> 'completed' : (bool) False --> not implemented | |--> 'id' : (Info) original packet identifier | | |--> 'src' --> (tuple) | | | |--> (IPv4Address) ip.src | | | |--> (int) tcp.srcport | | |--> 'dst' --> (tuple) | | | |--> (IPv4Address) ip.dst | | | |--> (int) tcp.dstport | | |--> 'ack' --> (int) original packet ACK number | |--> 'index' : (tuple) packet numbers | | |--> (int) original packet range number | | |--> ... | |--> 'header' : (bytes) initial TCP header | |--> 'payload' : (tuple) partially reassembled payload | | |--> (bytes) payload fragment | | |--> ... | |--> 'packet' : (None) not implemented |--> (Info) data ...
- tcp.buffer¶
Data structure for internal buffering when performing reassembly algorithms (
TCP_Reassembly._buffer) is as following:(dict) buffer --> memory buffer for reassembly |--> (tuple) BUFID : (dict) | |--> ip.src | | |--> ip.dst | | |--> tcp.srcport | | |--> tcp.dstport | | |--> 'hdl' : (list) hole descriptor list | | |--> (Info) hole --> hole descriptor | | |--> "first" --> (int) start of hole | | |--> "last" --> (int) stop of hole | |--> 'hdr' : (bytes) initial TCP header | |--> 'ack' : (dict) ACK list | |--> (int) ACK : (dict) | | |--> 'ind' : (list) list of reassembled packets | | | |--> (int) packet range number | | |--> 'isn' : (int) ISN of payload buffer | | |--> 'len' : (int) length of payload buffer | | |--> 'raw' : (bytearray) reassembled payload, | | holes set to b'\x00' | |--> (int) ACK ... | |--> ... |--> (tuple) BUFID ...
Registry Management¶
This module (pcapkit.foundation.registry) provides the registry
management for pcapkit, as the module contains various registry
points.
Auxiliary Methods¶
Dumper Registries¶
Protocol Registries¶
Link Layer Registries¶
Internet Layer Registries¶
Transport Layer Registries¶
Application Layer Registries¶
Protocol Family¶
pcapkit.protocols is collection of all protocol families,
with detailed implementation and methods.
Root Protocol¶
pcapkit.protocols.protocol contains
Protocol only, which is
an abstract base class for all protocol family, with pre-defined
utility arguments and methods of specified protocols.
Data Structures¶
Auxiliary Protocols¶
pcapkit.protocols.misc contains the auxiliary protocol implementations.
Such includes the Raw class for not-supported
protocols, the NoPayload class for
indication of empty payload, and PCAP header classes.
PCAP File Headers¶
pcapkit.protocols.misc.pcap contains header descriptions for
PCAP files, including global header
(Header) and frame header
(Frame).
Global Header¶
pcapkit.protocols.misc.pcap.header contains
Header only,
which implements extractor for global headers *
of PCAP, whose structure is described as below:
typedef struct pcap_hdr_s {
guint32 magic_number; /* magic number */
guint16 version_major; /* major version number */
guint16 version_minor; /* minor version number */
gint32 thiszone; /* GMT to local correction */
guint32 sigfigs; /* accuracy of timestamps */
guint32 snaplen; /* max length of captured packets, in octets */
guint32 network; /* data link type */
} pcap_hdr_t;
Frame Header¶
pcapkit.protocols.misc.pcap.frame contains
Frame only,
which implements extractor for frame headers * of PCAP,
whose structure is described as below:
typedef struct pcaprec_hdr_s {
guint32 ts_sec; /* timestamp seconds */
guint32 ts_usec; /* timestamp microseconds */
guint32 incl_len; /* number of octets of packet saved in file */
guint32 orig_len; /* actual length of packet */
} pcaprec_hdr_t;
Raw Packet Data¶
pcapkit.protocols.misc.raw contains
Raw only, which implements
extractor for unknown protocol, and constructs a
Protocol like object.
Data Structures¶
No-Payload Packet¶
pcapkit.protocols.null contains
NoPayload only, which
implements a Protocol like
object whose payload is recursively
NoPayload itself.
Data Structures¶
Link Layer Protocols¶
pcapkit.protocols.link is collection of all protocols in
link layer, with detailed implementation and methods.
Base Protocol¶
pcapkit.protocols.link.link contains Link,
which is a base class for link layer protocols, e.g. ARP/InARP,
Ethernet, L2TP,
OSPF, RARP/DRARP and etc.
Ethernet Protocol¶
pcapkit.protocols.link.ethernet contains
Ethernet
only, which implements extractor for Ethernet
Protocol *, whose structure is described as
below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Destination MAC Address |
1 |
8 |
|
Source MAC Address |
2 |
16 |
|
Protocol (Internet Layer) |
Data Structures¶
ARP/InARP - (Inverse) Address Resolution Protocol¶
pcapkit.protocols.link.arp contains
ARP only,
which implements extractor for (Inverse) Address Resolution
Protocol (ARP/InARP) *, whose structure is described as
below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Hardware Type |
2 |
16 |
|
Protocol Type |
4 |
32 |
|
Hardware Address Length |
5 |
40 |
|
Protocol Address Length |
6 |
48 |
|
Operation |
8 |
64 |
|
Sender Hardware Address |
14 |
112 |
|
Sender Protocol Address |
18 |
144 |
|
Target Hardware Address |
24 |
192 |
|
Target Protocol Address |
- class pcapkit.protocols.link.InARP¶
Alias of
pcapkit.protocols.link.arp.ARP.
Data Structures¶
RARP/DRARP - (Dynamic) Reverse Address Resolution Protocol¶
pcapkit.protocols.link.rarp contains
RARP only,
which implements extractor for (Dynamic) Reverse
Address Resolution Protocol (RARP/DRARP) *,
whose structure is described as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Hardware Type |
2 |
16 |
|
Protocol Type |
4 |
32 |
|
Hardware Address Length |
5 |
40 |
|
Protocol Address Length |
6 |
48 |
|
Operation |
8 |
64 |
|
Sender Hardware Address |
14 |
112 |
|
Sender Protocol Address |
18 |
144 |
|
Target Hardware Address |
24 |
192 |
|
Target Protocol Address |
- class pcapkit.protocols.link.DRARP¶
Alias of
pcapkit.protocols.link.rarp.RARP.
L2TP - Layer Two Tunnelling Protocol¶
pcapkit.protocols.link.l2tp contains
L2TP only,
which implements extractor for Layer Two Tunnelling
Protocol (L2TP) *, whose structure is described
as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Flags and Version Info |
0 |
0 |
|
Type (control / data) |
0 |
1 |
|
Length |
0 |
2 |
Reserved (must be zero |
|
0 |
4 |
|
Sequence |
0 |
5 |
Reserved (must be zero |
|
0 |
6 |
|
Offset |
0 |
7 |
|
Priority |
1 |
8 |
Reserved (must be zero |
|
1 |
12 |
|
Version ( |
2 |
16 |
|
Length (optional by |
4 |
32 |
|
Tunnel ID |
6 |
48 |
|
Session ID |
8 |
64 |
|
Sequence Number (optional by |
10 |
80 |
|
Next Sequence Number (optional by |
12 |
96 |
|
Offset Size (optional by |
Data Structures¶
OSPF - Open Shortest Path First¶
pcapkit.protocols.link.ospf contains
OSPF only,
which implements extractor for Open Shortest Path
First (OSPF) *, whose structure is described
as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Version Number |
0 |
0 |
|
Type |
0 |
1 |
|
Packet Length (header included) |
0 |
2 |
|
Router ID |
0 |
4 |
|
Area ID |
0 |
6 |
|
Checksum |
0 |
7 |
|
Authentication Type |
1 |
8 |
|
Authentication |
Data Structures¶
VLAN - 802.1Q Customer VLAN Tag Type¶
pcapkit.protocols.link.vlan contains
VLAN
only, which implements extractor for 802.1Q
Customer VLAN Tag Type *, whose structure is
described as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
1 |
0 |
|
Tag Control Information |
1 |
0 |
|
Priority Code Point |
1 |
3 |
|
Drop Eligible Indicator |
1 |
4 |
|
VLAN Identifier |
3 |
24 |
|
Protocol (Internet Layer) |
Data Structures¶
Todo
Implements DSL, EAPOL, FDDI, ISDN, NDP, PPP.
Protocol Registry¶
- pcapkit.protocols.link.LINKTYPE¶
Alias of
pcapkit.const.reg.linktype.LinkType.
Internet Layer Protocols¶
pcapkit.protocols.internet is collection of all protocols in
internet layer, with detailed implementation and methods.
Base Protocol¶
pcapkit.protocols.internet.internet contains Internet,
which is a base class for internet layer protocols, eg. AH,
IPsec, IPv4,
IPv6, IPX, and etc.
IP - Internet Protocol¶
pcapkit.protocols.internet.ip contains
IP only,
which is a base class for Internet Protocol (IP)
protocol family *, eg.
IPv4,
IPv6, and
IPsec.
IPv4 - Internet Protocol version 4¶
pcapkit.protocols.internet.ipv4 contains
IPv4 only,
which implements extractor for Internet Protocol
version 4 (IPv4) *, whose structure is described
as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Version ( |
0 |
4 |
|
Internal Header Length (IHL) |
1 |
8 |
|
Differentiated Services Code Point (DSCP) |
1 |
14 |
|
Explicit Congestion Notification (ECN) |
2 |
16 |
|
Total Length |
4 |
32 |
|
Identification |
6 |
48 |
Reserved Bit (must be |
|
6 |
49 |
|
Don’t Fragment (DF) |
6 |
50 |
|
More Fragments (MF) |
6 |
51 |
|
Fragment Offset |
8 |
64 |
|
Time To Live (TTL) |
9 |
72 |
|
Protocol (Transport Layer) |
10 |
80 |
|
Header Checksum |
12 |
96 |
|
Source IP Address |
16 |
128 |
|
Destination IP Address |
20 |
160 |
|
IP Options (if IHL > |
Data Structures¶
IPv6 - Internet Protocol version 6¶
pcapkit.protocols.internet.ipv6 contains
IPv6 only,
which implements extractor for Internet Protocol
version 6 (IPv6) *, whose structure is described
as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Version ( |
0 |
4 |
|
Traffic Class |
1 |
12 |
|
Flow Label |
4 |
32 |
|
Payload Length (header excludes) |
6 |
48 |
|
Next Header |
7 |
56 |
|
Hop Limit |
8 |
64 |
|
Source Address |
24 |
192 |
|
Destination Address |
Data Structures¶
IPv6-Frag - Fragment Header for IPv6¶
pcapkit.protocols.internet.ipv6_frag contains
IPv6_Frag
only, which implements extractor for Fragment Header for
IPv6 (IPv6-Frag) *, whose structure is described as
below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Next Header |
1 |
8 |
Reserved |
|
2 |
16 |
|
Fragment Offset |
3 |
29 |
Reserved |
|
3 |
31 |
|
More Flag |
4 |
32 |
|
Identification |
Data Structures¶
IPv6-Opts - Destination Options for IPv6¶
pcapkit.protocols.internet.ipv6_opts contains
IPv6_Opts
only, which implements extractor for Destination Options
for IPv6 (IPv6-Opts) *, whose structure is described
as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Next Header |
1 |
8 |
|
Header Extensive Length |
2 |
16 |
|
Options |
Data Structures¶
IPv6-Route - Routing Header for IPv6¶
pcapkit.protocols.internet.ipv6_route contains
IPv6_Route
only, which implements extractor for Routing Header for IPv6
(IPv6-Route) *, whose structure is described as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Next Header |
1 |
8 |
|
Header Extensive Length |
2 |
16 |
|
Routing Type |
3 |
24 |
|
Segments Left |
4 |
32 |
|
Type-Specific Data |
Data Structures¶
HOPOPT - IPv6 Hop-by-Hop Options¶
pcapkit.protocols.internet.hopopt contains
HOPOPT
only, which implements extractor for IPv6 Hop-by-Hop
Options header (HOPOPT) *, whose structure is
described as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Next Header |
1 |
8 |
|
Header Extensive Length |
2 |
16 |
|
Options |
Data Structures¶
IPsec - Internet Protocol Security¶
pcapkit.protocols.internet.ipsec contains
IPsec
only, which is a base class for Internet Protocol
Security (IPsec) protocol family *, eg.
AH and
ESP †.
AH - Authentication Header¶
pcapkit.protocols.internet.ah contains
AH only,
which implements extractor for Authentication
Header (AH) *, whose structure is described
as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Next Header |
1 |
8 |
|
Payload Length |
2 |
16 |
Reserved (must be zero) |
|
4 |
32 |
|
Security Parameters Index (SPI) |
8 |
64 |
|
Sequence Number Field |
12 |
96 |
|
Integrity Check Value (ICV) |
Data Structures¶
HIP - Host Identity Protocol¶
pcapkit.protocols.internet.hip contains
HIP only,
which implements extractor for Host Identity
Protocol (HIP) *, whose structure is described
as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Next Header |
1 |
8 |
|
Header Length |
2 |
16 |
Reserved ( |
|
2 |
17 |
|
Packet Type |
3 |
24 |
|
Version |
3 |
28 |
Reserved |
|
3 |
31 |
Reserved ( |
|
4 |
32 |
|
Checksum |
6 |
48 |
|
Controls |
8 |
64 |
|
Sender’s Host Identity Tag |
24 |
192 |
|
Receiver’s Host Identity Tag |
40 |
320 |
|
HIP Parameters |
Data Structures¶
MH - Mobility Header¶
pcapkit.protocols.internet.mh contains
MH only,
which implements extractor for Mobility Header
(MH) *, whose structure is described as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Next Header |
1 |
8 |
|
Header Length |
2 |
16 |
|
Mobility Header Type |
3 |
24 |
Reserved |
|
4 |
32 |
|
Checksum |
6 |
48 |
|
Message Data |
Todo
Implements extractor for message data of all MH types.
Data Structures¶
IPX - Internetwork Packet Exchange¶
pcapkit.protocols.internet.ipx contains
IPX only,
which implements extractor for Internetwork Packet
Exchange (IPX) *, whose structure is described
as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Checksum |
2 |
16 |
|
Packet Length (header includes) |
4 |
32 |
|
Transport Control (hop count) |
5 |
40 |
|
Packet Type |
6 |
48 |
|
Destination Address |
18 |
144 |
|
Source Address |
Data Structures¶
Todo
Implements ECN, ESP, ICMP, ICMPv6, IGMP, Shim6.
Protocol Registry¶
- pcapkit.protocols.internet.ETHERTYPE¶
Alias of
pcapkit.const.reg.ethertype.EtherType.
Transport Layer Protocols¶
pcapkit.protocols.transport is collection of all protocols in
transport layer, with detailed implementation and methods.
Base Protocol¶
pcapkit.protocols.transport.transport contains
Transport,
which is a base class for transport layer protocols, eg.
TCP and
UDP.
TCP - Transmission Control Protocol¶
pcapkit.protocols.transport.tcp contains
TCP only,
which implements extractor for Transmission Control
Protocol (TCP) *, whose structure is described as
below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Source Port |
2 |
16 |
|
Destination Port |
4 |
32 |
|
Sequence Number |
8 |
64 |
|
Acknowledgement Number (if ACK set) |
12 |
96 |
|
Data Offset |
12 |
100 |
Reserved (must be |
|
12 |
103 |
|
ECN Concealment Protection (NS) |
13 |
104 |
|
Congestion Window Reduced (CWR) |
13 |
105 |
|
ECN-Echo (ECE) |
13 |
106 |
|
Urgent (URG) |
13 |
107 |
|
Acknowledgement (ACK) |
13 |
108 |
|
Push Function (PSH) |
13 |
109 |
|
Reset Connection (RST) |
13 |
110 |
|
Synchronize Sequence Numbers (SYN) |
13 |
111 |
|
Last Packet from Sender (FIN) |
14 |
112 |
|
Size of Receive Window |
16 |
128 |
|
Checksum |
18 |
144 |
|
Urgent Pointer (if URG set) |
20 |
160 |
|
TCP Options (if data offset > 5) |
Data Structures¶
UDP - User Datagram Protocol¶
pcapkit.protocols.transport.udp contains
UDP only,
which implements extractor for User Datagram Protocol
(UDP) *, whose structure is described as below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Source Port |
2 |
16 |
|
Destination Port |
4 |
32 |
|
Length (header includes) |
6 |
48 |
|
Checksum |
Data Structures¶
Todo
Implements DCCP, RSVP, SCTP.
Protocol Registry¶
- pcapkit.protocols.transport.TRANSTYPE¶
Alias of
pcapkit.const.reg.transtype.TransType.
Application Layer Protocols¶
pcapkit.protocols.application is collection of all protocols in
application layer, with detailed implementation and methods.
Base Protocol¶
pcapkit.protocols.application.application contains only
Application,
which is a base class for application layer protocols, eg.
HTTP/1.*,
HTTP/2
and etc.
HTTP - Hypertext Transfer Protocol¶
pcapkit.protocols.application.http contains
HTTP
only, which is a base class for Hypertext Transfer
Protocol (HTTP) * family, eg.
HTTP/1.*
and HTTP/2.
Data Structures¶
HTTP/1.* - Hypertext Transfer Protocol¶
pcapkit.protocols.application.httpv1 contains
HTTP
only, which implements extractor for Hypertext Transfer
Protocol (HTTP/1.*) *, whose structure is described
as below:
METHOD URL HTTP/VERSION\r\n :==: REQUEST LINE
<key> : <value>\r\n :==: REQUEST HEADER
............ (Ellipsis) :==: REQUEST HEADER
\r\n :==: REQUEST SEPARATOR
<body> :==: REQUEST BODY (optional)
HTTP/VERSION CODE DESP \r\n :==: RESPONSE LINE
<key> : <value>\r\n :==: RESPONSE HEADER
............ (Ellipsis) :==: RESPONSE HEADER
\r\n :==: RESPONSE SEPARATOR
<body> :==: RESPONSE BODY (optional)
Data Structures¶
HTTP/2 - Hypertext Transfer Protocol¶
pcapkit.protocols.application.httpv2 contains
HTTP
only, which implements extractor for Hypertext Transfer
Protocol (HTTP/2) *, whose structure is described as
below:
Octets |
Bits |
Name |
Description |
|---|---|---|---|
0 |
0 |
|
Length |
3 |
24 |
|
Type |
4 |
32 |
|
Flags |
5 |
40 |
Reserved |
|
5 |
41 |
|
Stream Identifier |
9 |
72 |
|
Frame Payload |
Data Structures¶
FTP - File Transfer Protocol¶
pcapkit.protocols.application.ftp contains
FTP only,
which implements extractor for File Transfer Protocol
(FTP) *.
Data Structures¶
Todo
Implements BGP, DHCP, DHCPv6, DNS, IMAP, LDAP, MQTT, NNTP, NTP, ONC:RPC, POP, RIP, RTP, SIP, SMTP, SNMP, SSH, TELNET, TLS/SSL, XMPP.
Protocol Registry¶
Core Utilities¶
pcapkit.corekit is the collection of core utilities
for pcapkit implementation, including dict like
class Info,
tuple like class VersionInfo,
protocol collection class ProtoChain,
and MultiDict family inspired from
Werkzeug for multientry dict data mapping.
Info Class¶
pcapkit.corekit.infoclass contains dict like class
Info only, which is originally
designed to work alike dataclasses.dataclass() as introduced
in PEP 557.
Multi-Mapping Dictionary¶
pcapkit.corekit.multidict contains multi-mapping dictionary classes,
which are used to store multiple mappings of the same key. The implementation
is inspired and based on the Werkzeug project.
Protocol Chain¶
pcapkit.corekit.protochain contains special protocol
collection class ProtoChain.
Version Info¶
pcapkit.corekit.version contains tuple
like class VersionInfo,
which is originally designed alike sys.version_info.
Compatibility Tools¶
pcapkit.toolkit provides several utility functions for
compatibility of multiple engine support.
PyPCAPKit Tools¶
pcapkit.toolkit.default contains all you need for
pcapkit handy usage. All functions returns with a
flag to indicate if usable for its caller.
DPKT Tools¶
pcapkit.toolkit.dpkt contains all you need for
pcapkit handy usage with DPKT engine. All reforming
functions returns with a flag to indicate if usable for
its caller.
PyShark Tools¶
pcapkit.toolkit.pyshark contains all you need for
pcapkit handy usage with PyShark engine. All
reforming functions returns with a flag to indicate if
usable for its caller.
Scapy Tools¶
pcapkit.toolkit.scapy contains all you need for
pcapkit handy usage with Scapy engine. All reforming
functions returns with a flag to indicate if usable for
its caller.
Warning
This module requires installed Scapy engine.
Dump Utilities¶
pcapkit.dumpkit is the collection of dumpers for
pcapkit implementation, which is alike those described
in dictdumper.
Null Dumper¶
pcapkit.dumpkit.null is the dumper for pcapkit implementation,
specifically for NotImplemented format, which is alike those described in
dictdumper.
Note
This dumper is used when the given format is not supported, as a fallback. It shall not produce any output.
PCAP Dumper¶
pcapkit.dumpkit.pcap is the dumper for pcapkit implementation,
specifically for PCAP format, which is alike those described in
dictdumper.
Utility Functions & Classes¶
pcapkit.utilities contains several useful functions
and classes which are fundations of pcapkit, including
decorater function seekset()
and beholder(), and
several user-refined exceptions and warnings.
Logging System¶
pcapkit.utilities.logging contains naïve integration
of the Python logging system, i.e. a logging.Logger
instance as logger.
- pcapkit.utilities.logging.DEVMODE¶
Development mode flag.
Note
This variable can be configured through the environment variable
PCAPKIT_DEVMODE.
Decorator Functions¶
pcapkit.utilities.decorators contains several useful
decorators, including seekset()
and beholder().
- @pcapkit.utilities.decorators.seekset(func)[source]¶
Read file from start then set back to original.
Important
This decorator function is designed for decorating class methods.
The decorator will keep the current offset of
self._file, then call the decorated function. Afterwards, it will rewind the offset ofself._fileto the original and returns the return value from the decorated function.Note
The decorated function should have following signature:
func(self, *args, **kw)
See also
pcapkit.protocols.protocol.Protocol._read_packet()- Parameters
func (Callable[Concatenate[Protocol, P], R]) – decorated function
- Return type
Callable[P, R]
- @pcapkit.utilities.decorators.beholder(func)[source]¶
Behold extraction procedure.
Important
This decorator function is designed for decorating class methods.
This decorate first keep the current offset of
self._file, then try to call the decorated function. Should any exception raised, it will re-parse theself._fileasRawprotocol.Note
The decorated function should have following signature:
func(self, proto, length, *args, **kwargs)
See also
pcapkit.protocols.protocol.Protocol._decode_next_layer()
Important
pcapkit.utilities.decorators.seekset() and
pcapkit.utilities.decorators.beholder() are designed
for decorating class methods.
User Defined Exceptions¶
pcapkit.exceptions refined built-in exceptions.
Make it possible to show only user error stack infomation *,
when exception raised on user’s operation.
- exception pcapkit.utilities.exceptions.BaseError(*args, quiet=False, **kwargs)[source]¶
Bases:
ExceptionBase error class of all kinds.
Important
Turn off system-default traceback function by set
sys.tracebacklimitto0.But bugs appear in Python 3.6, so we have to set
sys.tracebacklimittoNone.Note
This note is deprecated since Python fixed the problem above.
In Python 2.7,
trace.print_stack(limit)()dose not support negative limit.
- exception pcapkit.utilities.exceptions.DigitError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be (a) number(s).
- exception pcapkit.utilities.exceptions.IntError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be integral.
- exception pcapkit.utilities.exceptions.RealError(*args, quiet=False, **kwargs)[source]¶
-
The function is not defined for real number.
- exception pcapkit.utilities.exceptions.ComplexError(*args, quiet=False, **kwargs)[source]¶
-
The function is not defined for complex instance.
- exception pcapkit.utilities.exceptions.BoolError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be
booltype.
- exception pcapkit.utilities.exceptions.BytesError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be
bytestype.
- exception pcapkit.utilities.exceptions.StringError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be
strtype.
- exception pcapkit.utilities.exceptions.BytearrayError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be
bytearraytype.
- exception pcapkit.utilities.exceptions.DictError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be
dicttype.
- exception pcapkit.utilities.exceptions.ListError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be
listtype.
- exception pcapkit.utilities.exceptions.TupleError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be
tupletype.
- exception pcapkit.utilities.exceptions.IterableError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be iterable.
- exception pcapkit.utilities.exceptions.IOObjError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be file-like object.
- exception pcapkit.utilities.exceptions.ProtocolUnbound(*args, quiet=False, **kwargs)[source]¶
-
Protocol slice unbound.
- exception pcapkit.utilities.exceptions.CallableError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be callable.
- exception pcapkit.utilities.exceptions.InfoError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be
Infoinstance.
- exception pcapkit.utilities.exceptions.IPError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be IP address.
- exception pcapkit.utilities.exceptions.EnumError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be enumeration protocol type.
- exception pcapkit.utilities.exceptions.ComparisonError(*args, quiet=False, **kwargs)[source]¶
-
Rich comparison not supported between instances.
- exception pcapkit.utilities.exceptions.RegistryError(*args, quiet=False, **kwargs)[source]¶
-
The argument(s) must be registry type.
- exception pcapkit.utilities.exceptions.FormatError(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,AttributeErrorUnknown format(s).
- exception pcapkit.utilities.exceptions.UnsupportedCall(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,AttributeErrorUnsupported function or property call.
- exception pcapkit.utilities.exceptions.FileError(*args, quiet=False, **kwargs)[source]¶
-
[Errno 5] Wrong file format.
- exception pcapkit.utilities.exceptions.FileExists(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,FileExistsError[Errno 17] File already exists.
- exception pcapkit.utilities.exceptions.FileNotFound(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,FileNotFoundError[Errno 2] File not found.
- exception pcapkit.utilities.exceptions.ProtocolNotFound(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,IndexErrorProtocol not found in ProtoChain.
- exception pcapkit.utilities.exceptions.VersionError(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,ValueErrorUnknown IP version.
- exception pcapkit.utilities.exceptions.IndexNotFound(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,ValueErrorProtocol not in ProtoChain.
- exception pcapkit.utilities.exceptions.ProtocolError(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,ValueErrorInvalid protocol format.
- exception pcapkit.utilities.exceptions.EndianError(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,ValueErrorInvalid endian (byte order).
- exception pcapkit.utilities.exceptions.KeyExists(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,ValueErrorKey already exists.
- exception pcapkit.utilities.exceptions.ProtocolNotImplemented(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,NotImplementedErrorProtocol not implemented.
- exception pcapkit.utilities.exceptions.VendorNotImplemented(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,NotImplementedErrorVendor not implemented.
- exception pcapkit.utilities.exceptions.StructError(*args, eof=False, **kwargs)[source]¶
-
Unpack failed.
- exception pcapkit.utilities.exceptions.MissingKeyError(*args, quiet=False, **kwargs)[source]¶
-
Key not found.
- exception pcapkit.utilities.exceptions.FragmentError(*args, quiet=False, **kwargs)[source]¶
-
Invalid fragment dict.
- exception pcapkit.utilities.exceptions.PacketError(*args, quiet=False, **kwargs)[source]¶
-
Invalid packet dict.
- exception pcapkit.utilities.exceptions.ModuleNotFound(*args, quiet=False, **kwargs)[source]¶
Bases:
BaseError,ModuleNotFoundErrorModule not found.
- pcapkit.utilities.exceptions.stacklevel()[source]¶
Fetch current stack level.
The function will walk through the straceback stack (
traceback.extract_stack()), and fetch the stack level where the path contains/pcapkit/. So that it won’t display any disturbing internal traceback information when raising errors.- Return type
- Returns
Stack level until internal stacks, i.e. contains
/pcapkit/.
User Defined Warnings¶
pcapkit.warnings refined built-in warnings.
- pcapkit.utilities.warnings.warn(message, category, stacklevel=None)[source]¶
Wrapper function of
warnings.warn().
- exception pcapkit.utilities.warnings.BaseWarning(*args, **kwargs)[source]¶
Bases:
UserWarningBase warning class of all kinds.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.FormatWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,ImportWarningWarning on unknown format(s).
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.EngineWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,ImportWarningUnsupported extraction engine.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.InvalidVendorWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,ImportWarningVendor CLI invalid updater.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.FileWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,RuntimeWarningWarning on file(s).
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.LayerWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,RuntimeWarningUnrecognised layer.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.ProtocolWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,RuntimeWarningUnrecognised protocol.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.AttributeWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,RuntimeWarningUnsupported attribute.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.DevModeWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,RuntimeWarningRun in development mode.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.VendorRequestWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,RuntimeWarningVendor request connection failed.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.VendorRuntimeWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,RuntimeWarningVendor failed during runtime.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.DPKTWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,ResourceWarningWarnings on DPKT usage.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.ScapyWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,ResourceWarningWarnings on Scapy usage.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.PySharkWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,ResourceWarningWarnings on PyShark usage.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.EmojiWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,ResourceWarningWarnings on Emoji usage.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
- exception pcapkit.utilities.warnings.VendorWarning(*args, **kwargs)[source]¶
Bases:
BaseWarning,ResourceWarningWarnings on vendor usage.
- Parameters
*args (Any) – Arbitrary positional arguments.
**kwargs (Any) – Arbitrary keyword arguments.
- Return type
None
Version Compatibility¶
pcapkit further provides a compatibility layer for the
following objects and functions:
Python 3.6+ |
|
Python 3.6+ |
|
Python 3.5+ |
|
Python 3.8+ |
Constant Enumerations¶
This module contains all constant enumerations of pcapkit, which are
automatically generated from the pcapkit.vendor module.
Protocol Numbers¶
Protocol Type Registry Constant Enumerations¶
This module contains all constant enumerations of protocol type registry implementations. Available enumerations include:
Link-Layer Header Type Values * |
|
Ethertype IEEE 802 Numbers † |
|
Transport Layer Protocol Numbers ‡ |
Link-Layer Header Type Values¶
This module contains the constant enumeration for Link-Layer Header Type Values,
which is automatically generated from pcapkit.vendor.reg.linktype.LinkType.
- class pcapkit.const.reg.linktype.LinkType(value=<no_arg>, names=None, module=None, qualname=None, type=None, start=1, boundary=None)[source]¶
Bases:
IntEnum[LinkType] Link-Layer Header Type Values
- NULL = 0¶
[
DLT_NULL] BSD loopback encapsulation; the link layer header is a 4-byte field, in host byte order, containing a value of 2 for IPv4 packets, a value of either 24, 28, or 30 for IPv6 packets, a value of 7 for OSI packets, or a value of 23 for IPX packets. All of the IPv6 values correspond to IPv6 packets; code reading files should check for all of them. Note that ``host byte order’’ is the byte order of the machine on that the packets are captured; if a live capture is being done, ``host byte order’’ is the byte order of the machine capturing the packets, but if a ``savefile’’ is being read, the byte order is not necessarily that of the machine reading the capture file.
- ETHERNET = 1¶
[
DLT_EN10MB] IEEE 802.3 Ethernet (10Mb, 100Mb, 1000Mb, and up); the 10MB in the DLT_ name is historical.
- AX25 = 3¶
[
DLT_AX25] AX.25 packet, with nothing preceding it.
- IEEE802_5 = 6¶
[
DLT_IEEE802] IEEE 802.5 Token Ring; the IEEE802, without _5, in the DLT_ name is historical.
- ARCNET_BSD = 7¶
[
DLT_ARCNET] ARCNET Data Packets, as described by the ARCNET Trade Association standard ATA 878.1-1999, but without the Starting Delimiter, Information Length, or Frame Check Sequence fields, and with only the first ISU of the Destination Identifier. For most packet types, ARCNET Trade Association draft standard ATA 878.2 is also used. See also RFC 1051 and RFC 1201; for RFC 1051 frames, ATA 878.2 is not used.
- SLIP = 8¶
[
DLT_SLIP] SLIP, encapsulated with a LINKTYPE_SLIP header.
- PPP = 9¶
[
DLT_PPP] PPP, as per RFC 1661 and RFC 1662; if the first 2 bytes are 0xff and 0x03, it’s PPP in HDLC-like framing, with the PPP header following those two bytes, otherwise it’s PPP without framing, and the packet begins with the PPP header. The data in the frame is not octet-stuffed or bit- stuffed.
- FDDI = 10¶
[
DLT_FDDI] FDDI, as specified by ANSI INCITS 239-1994.
- PPP_HDLC = 50¶
[
DLT_PPP_SERIAL] PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP with HDLC framing. The data in the frame is not octet-stuffed or bit- stuffed.
- PPP_ETHER = 51¶
[
DLT_PPP_ETHER] PPPoE; the packet begins with a PPPoE header, as per RFC 2516.
- ATM_RFC1483 = 100¶
[
DLT_ATM_RFC1483] RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an ISO 8802-2 (formerly known as IEEE 802.2) LLC header.
- RAW = 101¶
[
DLT_RAW] Raw IP; the packet begins with an IPv4 or IPv6 header, with the version field of the header indicating whether it’s an IPv4 or IPv6 header.
- C_HDLC = 104¶
[
DLT_C_HDLC] Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.
- IEEE802_11 = 105¶
[
DLT_IEEE802_11] IEEE 802.11 wireless LAN.
- FRELAY = 107¶
[
DLT_FRELAY] Frame Relay LAPF frames, beginning with a ITU-T Recommendation Q.922 LAPF header starting with the address field, and without an FCS at the end of the frame.
- LOOP = 108¶
[
DLT_LOOP] OpenBSD loopback encapsulation; the link-layer header is a 4-byte field, in network byte order, containing a value of 2 for IPv4 packets, a value of either 24, 28, or 30 for IPv6 packets, a value of 7 for OSI packets, or a value of 23 for IPX packets. All of the IPv6 values correspond to IPv6 packets; code reading files should check for all of them.
- LINUX_SLL = 113¶
[
DLT_LINUX_SLL] Linux “cooked” capture encapsulation.
- LTALK = 114¶
[
DLT_LTALK] Apple LocalTalk; the packet begins with an AppleTalk LocalTalk Link Access Protocol header, as described in chapter 1 of Inside AppleTalk, Second Edition.
- PFLOG = 117¶
[
DLT_PFLOG] OpenBSD pflog; the link-layer header contains a struct pfloghdr structure, as defined by the host on that the file was saved. (This differs from operating system to operating system and release to release; there is nothing in the file to indicate what the layout of that structure is.)
- IEEE802_11_PRISM = 119¶
[
DLT_PRISM_HEADER] Prism monitor mode information followed by an 802.11 header.
- IP_OVER_FC = 122¶
[
DLT_IP_OVER_FC] RFC 2625 IP-over-Fibre Channel, with the link-layer header being the Network_Header as described in that RFC.
- SUNATM = 123¶
[
DLT_SUNATM] ATM traffic, encapsulated as per the scheme used by SunATM devices.
- IEEE802_11_RADIOTAP = 127¶
[
DLT_IEEE802_11_RADIO] Radiotap link-layer information followed by an 802.11 header.
- ARCNET_LINUX = 129¶
[
DLT_ARCNET_LINUX] ARCNET Data Packets, as described by the ARCNET Trade Association standard ATA 878.1-1999, but without the Starting Delimiter, Information Length, or Frame Check Sequence fields, with only the first ISU of the Destination Identifier, and with an extra two-ISU offset field following the Destination Identifier. For most packet types, ARCNET Trade Association draft standard ATA 878.2 is also used; however, no exception frames are supplied, and reassembled frames, rather than fragments, are supplied. See also RFC 1051 and RFC 1201; for RFC 1051 frames, ATA 878.2 is not used.
- APPLE_IP_OVER_IEEE1394 = 138¶
[
DLT_APPLE_IP_OVER_IEEE1394] Apple IP-over-IEEE 1394 cooked header.
- MTP2_WITH_PHDR = 139¶
[
DLT_MTP2_WITH_PHDR] Signaling System 7 Message Transfer Part Level 2, as specified by ITU-T Recommendation Q.703, preceded by a pseudo-header.
- MTP2 = 140¶
[
DLT_MTP2] Signaling System 7 Message Transfer Part Level 2, as specified by ITU-T Recommendation Q.703.
- MTP3 = 141¶
[
DLT_MTP3] Signaling System 7 Message Transfer Part Level 3, as specified by ITU-T Recommendation Q.704, with no MTP2 header preceding the MTP3 packet.
- SCCP = 142¶
[
DLT_SCCP] Signaling System 7 Signalling Connection Control Part, as specified by ITU-T Recommendation Q.711, ITU-T Recommendation Q.712, ITU-T Recommendation Q.713, and ITU-T Recommendation Q.714, with no MTP3 or MTP2 headers preceding the SCCP packet.
- DOCSIS = 143¶
[
DLT_DOCSIS] DOCSIS MAC frames, as described by the DOCSIS 3.1 MAC and Upper Layer Protocols Interface Specification or earlier specifications for MAC frames.
- LINUX_IRDA = 144¶
[
DLT_LINUX_IRDA] Linux-IrDA packets, with a LINKTYPE_LINUX_IRDA header, with the payload for IrDA frames beginning with by the IrLAP header as defined by IrDA Data Specifications, including the IrDA Link Access Protocol specification.
- USER0 = 147¶
[
DLT_USER0] Reserved for private use; see above.
- USER1 = 148¶
[
DLT_USER1] Reserved for private use; see above.
- USER2 = 149¶
[
DLT_USER2] Reserved for private use; see above.
- USER3 = 150¶
[
DLT_USER3] Reserved for private use; see above.
- USER4 = 151¶
[
DLT_USER4] Reserved for private use; see above.
- USER5 = 152¶
[
DLT_USER5] Reserved for private use; see above.
- USER6 = 153¶
[
DLT_USER6] Reserved for private use; see above.
- USER7 = 154¶
[
DLT_USER7] Reserved for private use; see above.
- USER8 = 155¶
[
DLT_USER8] Reserved for private use; see above.
- USER9 = 156¶
[
DLT_USER9] Reserved for private use; see above.
- USER10 = 157¶
[
DLT_USER10] Reserved for private use; see above.
- USER11 = 158¶
[
DLT_USER11] Reserved for private use; see above.
- USER12 = 159¶
[
DLT_USER12] Reserved for private use; see above.
- USER13 = 160¶
[
DLT_USER13] Reserved for private use; see above.
- USER14 = 161¶
[
DLT_USER14] Reserved for private use; see above.
- USER15 = 162¶
[
DLT_USER15] Reserved for private use; see above.
- IEEE802_11_AVS = 163¶
[
DLT_IEEE802_11_RADIO_AVS] AVS monitor mode information followed by an 802.11 header.
- BACNET_MS_TP = 165¶
[
DLT_BACNET_MS_TP] BACnet MS/TP frames, as specified by section 9.3 MS/TP Frame Format of ANSI/ASHRAE Standard 135, BACnet® - A Data Communication Protocol for Building Automation and Control Networks, including the preamble and, if present, the Data CRC.
- PPP_PPPD = 166¶
[
DLT_PPP_PPPD] PPP in HDLC-like encapsulation, like LINKTYPE_PPP_HDLC, but with the 0xff address byte replaced by a direction indication—0x00 for incoming and 0x01 for outgoing.
- GPRS_LLC = 169¶
[
DLT_GPRS_LLC] General Packet Radio Service Logical Link Control, as defined by 3GPP TS 04.64.
- GPF_T = 170¶
[
DLT_GPF_T] Transparent-mapped generic framing procedure, as specified by ITU-T Recommendation G.7041/Y.1303.
- GPF_F = 171¶
[
DLT_GPF_F] Frame-mapped generic framing procedure, as specified by ITU-T Recommendation G.7041/Y.1303.
- LINUX_LAPD = 177¶
[
DLT_LINUX_LAPD] Link Access Procedures on the D Channel (LAPD) frames, as specified by ITU-T Recommendation Q.920 and ITU-T Recommendation Q.921, captured via vISDN, with a LINKTYPE_LINUX_LAPD header, followed by the Q.921 frame, starting with the address field.
- MFR = 182¶
[
DLT_MFR] FRF.16.1 Multi-Link Frame Relay frames, beginning with an FRF.12 Interface fragmentation format fragmentation header.
- BLUETOOTH_HCI_H4 = 187¶
[
DLT_BLUETOOTH_HCI_H4] Bluetooth HCI UART transport layer; the frame contains an HCI packet indicator byte, as specified by the UART Transport Layer portion of the most recent Bluetooth Core specification, followed by an HCI packet of the specified packet type, as specified by the Host Controller Interface Functional Specification portion of the most recent Bluetooth Core Specification.
- USB_LINUX = 189¶
[
DLT_USB_LINUX] USB packets, beginning with a Linux USB header, as specified by the struct usbmon_packet in the Documentation/usb/usbmon.txt file in the Linux source tree. Only the first 48 bytes of that header are present. All fields in the header are in host byte order. When performing a live capture, the host byte order is the byte order of the machine on that the packets are captured. When reading a pcap file, the byte order is the byte order for the file, as specified by the file’s magic number; when reading a pcapng file, the byte order is the byte order for the section of the pcapng file, as specified by the Section Header Block.
- PPI = 192¶
[
DLT_PPI] Per-Packet Information information, as specified by the Per- Packet Information Header Specification, followed by a packet with the LINKTYPE_ value specified by the pph_dlt field of that header.
- IEEE802_15_4_WITHFCS = 195¶
[
DLT_IEEE802_15_4_WITHFCS] IEEE 802.15.4 Low-Rate Wireless Networks, with each packet having the FCS at the end of the frame.
- SITA = 196¶
[
DLT_SITA] Various link-layer types, with a pseudo-header, for SITA.
- ERF = 197¶
[
DLT_ERF] Various link-layer types, with a pseudo-header, for Endace DAG cards; encapsulates Endace ERF records.
- BLUETOOTH_HCI_H4_WITH_PHDR = 201¶
[
DLT_BLUETOOTH_HCI_H4_WITH_PHDR] Bluetooth HCI UART transport layer; the frame contains a 4-byte direction field, in network byte order (big-endian), the low-order bit of which is set if the frame was sent from the host to the controller and clear if the frame was received by the host from the controller, followed by an HCI packet indicator byte, as specified by the UART Transport Layer portion of the most recent Bluetooth Core specification, followed by an HCI packet of the specified packet type, as specified by the Host Controller Interface Functional Specification portion of the most recent Bluetooth Core Specification.
- AX25_KISS = 202¶
[
DLT_AX25_KISS] AX.25 packet, with a 1-byte KISS header containing a type indicator.
- LAPD = 203¶
[
DLT_LAPD] Link Access Procedures on the D Channel (LAPD) frames, as specified by ITU-T Recommendation Q.920 and ITU-T Recommendation Q.921, starting with the address field, with no pseudo-header.
- PPP_WITH_DIR = 204¶
[
DLT_PPP_WITH_DIR] PPP, as per RFC 1661 and RFC 1662, preceded with a one-byte pseudo-header with a zero value meaning “received by this host” and a non-zero value meaning “sent by this host”; if the first 2 bytes are 0xff and 0x03, it’s PPP in HDLC-like framing, with the PPP header following those two bytes, otherwise it’s PPP without framing, and the packet begins with the PPP header. The data in the frame is not octet-stuffed or bit-stuffed.
- C_HDLC_WITH_DIR = 205¶
[
DLT_C_HDLC_WITH_DIR] Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547, preceded with a one-byte pseudo-header with a zero value meaning “received by this host” and a non-zero value meaning “sent by this host”.
- FRELAY_WITH_DIR = 206¶
[
DLT_FRELAY_WITH_DIR] Frame Relay LAPF frames, beginning with a one-byte pseudo-header with a zero value meaning “received by this host” (DCE->DTE) and a non-zero value meaning “sent by this host” (DTE->DCE), followed by an ITU-T Recommendation Q.922 LAPF header starting with the address field, and without an FCS at the end of the frame.
- LAPB_WITH_DIR = 207¶
[
DLT_LAPB_WITH_DIR] Link Access Procedure, Balanced (LAPB), as specified by ITU-T Recommendation X.25, preceded with a one-byte pseudo-header with a zero value meaning “received by this host” (DCE->DTE) and a non-zero value meaning “sent by this host” (DTE->DCE).
- IPMB_LINUX = 209¶
[
DLT_IPMB_LINUX] IPMB over an I2C circuit, with a Linux-specific pseudo- header.
- FLEXRAY = 210¶
[
DLT_FLEXRAY] FlexRay automotive bus frames or symbols, preceded by a pseudo-header.
- LIN = 212¶
[
DLT_LIN] Local Interconnect Network (LIN) automotive bus, preceded by a pseudo-header.
- IEEE802_15_4_NONASK_PHY = 215¶
[
DLT_IEEE802_15_4_NONASK_PHY] IEEE 802.15.4 Low-Rate Wireless Networks, with each packet having the FCS at the end of the frame, and with the PHY- level data for the O-QPSK, BPSK, GFSK, MSK, and RCC DSS BPSK PHYs (4 octets of 0 as preamble, one octet of SFD, one octet of frame length + reserved bit) preceding the MAC-layer data (starting with the frame control field).
- USB_LINUX_MMAPPED = 220¶
[
DLT_USB_LINUX_MMAPPED] USB packets, beginning with a Linux USB header, as specified by the struct usbmon_packet in the Documentation/usb/usbmon.txt file in the Linux source tree. All 64 bytes of the header are present. All fields in the header are in host byte order. When performing a live capture, the host byte order is the byte order of the machine on that the packets are captured. When reading a pcap file, the byte order is the byte order for the file, as specified by the file’s magic number; when reading a pcapng file, the byte order is the byte order for the section of the pcapng file, as specified by the Section Header Block. For isochronous transfers, the ndesc field specifies the number of isochronous descriptors that follow.
- FC_2 = 224¶
[
DLT_FC_2] Fibre Channel FC-2 frames, beginning with a Frame_Header.
- FC_2_WITH_FRAME_DELIMS = 225¶
[
DLT_FC_2_WITH_FRAME_DELIMS] Fibre Channel FC-2 frames, beginning an encoding of the SOF, followed by a Frame_Header, and ending with an encoding of the SOF. The encodings represent the frame delimiters as 4-byte sequences representing the corresponding ordered sets, with K28.5 represented as 0xBC, and the D symbols as the corresponding byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2, is represented as 0xBC 0xB5 0x55 0x55.
- IPNET = 226¶
[
DLT_IPNET] Solaris ipnet pseudo-header, followed by an IPv4 or IPv6 datagram.
- CAN_SOCKETCAN = 227¶
[
DLT_CAN_SOCKETCAN] CAN (Controller Area Network) frames, with a pseudo- header followed by the frame payload.
- IPV4 = 228¶
[
DLT_IPV4] Raw IPv4; the packet begins with an IPv4 header.
- IPV6 = 229¶
[
DLT_IPV6] Raw IPv6; the packet begins with an IPv6 header.
- IEEE802_15_4_NOFCS = 230¶
[
DLT_IEEE802_15_4_NOFCS] IEEE 802.15.4 Low-Rate Wireless Network, without the FCS at the end of the frame.
- DBUS = 231¶
[
DLT_DBUS] Raw D-Bus messages, starting with the endianness flag, followed by the message type, etc., but without the authentication handshake before the message sequence.
- DVB_CI = 235¶
[
DLT_DVB_CI] DVB-CI (DVB Common Interface for communication between a PC Card module and a DVB receiver), with the message format specified by the PCAP format for DVB-CI specification.
- MUX27010 = 236¶
[
DLT_MUX27010] Variant of 3GPP TS 27.010 multiplexing protocol (similar to, but not the same as, 27.010).
- STANAG_5066_D_PDU = 237¶
[
DLT_STANAG_5066_D_PDU] D_PDUs as described by NATO standard STANAG 5066, starting with the synchronization sequence, and including both header and data CRCs. The current version of STANAG 5066 is backwards-compatible with the 1.0.2 version, although newer versions are classified.
- NFLOG = 239¶
[
DLT_NFLOG] Linux netlink NETLINK NFLOG socket log messages.
- NETANALYZER = 240¶
[
DLT_NETANALYZER] Pseudo-header for Hilscher Gesellschaft für Systemautomation mbH netANALYZER devices, followed by an Ethernet frame, beginning with the MAC header and ending with the FCS.
- NETANALYZER_TRANSPARENT = 241¶
[
DLT_NETANALYZER_TRANSPARENT] Pseudo-header for Hilscher Gesellschaft für Systemautomation mbH netANALYZER devices, followed by an Ethernet frame, beginning with the preamble, SFD, and MAC header, and ending with the FCS.
- IPOIB = 242¶
[
DLT_IPOIB] IP-over-InfiniBand, as specified by RFC 4391 section 6.
- MPEG_2_TS = 243¶
[
DLT_MPEG_2_TS] MPEG-2 Transport Stream transport packets, as specified by ISO 13818-1/ITU-T Recommendation H.222.0 (see table 2-2 of section 2.4.3.2 “Transport Stream packet layer”).
- NG40 = 244¶
[
DLT_NG40] Pseudo-header for ng4T GmbH’s UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as used by their ng40 protocol tester, followed by frames for the Frame Protocol as specified by 3GPP TS 25.427 for dedicated channels and 3GPP TS 25.435 for common/shared channels in the case of ATM AAL2 or UDP traffic, by SSCOP packets as specified by ITU-T Recommendation Q.2110 for ATM AAL5 traffic, and by NBAP packets for SCTP traffic.
- NFC_LLCP = 245¶
[
DLT_NFC_LLCP] Pseudo-header for NFC LLCP packet captures, followed by frame data for the LLCP Protocol as specified by NFCForum-TS-LLCP_1.1.
- INFINIBAND = 247¶
[
DLT_INFINIBAND] Raw InfiniBand frames, starting with the Local Routing Header, as specified in Chapter 5 “Data packet format” of InfiniBand™ Architectural Specification Release 1.2.1 Volume 1 - General Specifications.
- SCTP = 248¶
[
DLT_SCTP] SCTP packets, as defined by RFC 4960, with no lower-level protocols such as IPv4 or IPv6.
- USBPCAP = 249¶
[
DLT_USBPCAP] USB packets, beginning with a USBPcap header.
- RTAC_SERIAL = 250¶
[
DLT_RTAC_SERIAL] Serial-line packet header for the Schweitzer Engineering Laboratories “RTAC” product, followed by a payload for one of a number of industrial control protocols.
- BLUETOOTH_LE_LL = 251¶
[
DLT_BLUETOOTH_LE_LL] Bluetooth Low Energy air interface Link Layer packets, in the format described in section 2.1 “PACKET FORMAT” of volume 6 of the Bluetooth Specification Version 4.0 (see PDF page 2200), but without the Preamble.
- NETLINK = 253¶
[
DLT_NETLINK] Linux Netlink capture encapsulation.
- BLUETOOTH_LINUX_MONITOR = 254¶
[
DLT_BLUETOOTH_LINUX_MONITOR] Bluetooth Linux Monitor encapsulation of traffic for the BlueZ stack.
- BLUETOOTH_BREDR_BB = 255¶
[
DLT_BLUETOOTH_BREDR_BB] Bluetooth Basic Rate and Enhanced Data Rate baseband packets.
- BLUETOOTH_LE_LL_WITH_PHDR = 256¶
[
DLT_BLUETOOTH_LE_LL_WITH_PHDR] Bluetooth Low Energy link-layer packets.
- PROFIBUS_DL = 257¶
[
DLT_PROFIBUS_DL] PROFIBUS data link layer packets, as specified by IEC standard 61158-4-3, beginning with the start delimiter, ending with the end delimiter, and including all octets between them.
- PKTAP = 258¶
[
DLT_PKTAP] Apple PKTAP capture encapsulation.
- EPON = 259¶
[
DLT_EPON] Ethernet-over-passive-optical-network packets, starting with the last 6 octets of the modified preamble as specified by 65.1.3.2 “Transmit” in Clause 65 of Section 5 of IEEE 802.3, followed immediately by an Ethernet frame.
- IPMI_HPM_2 = 260¶
[
DLT_IPMI_HPM_2] IPMI trace packets, as specified by Table 3-20 “Trace Data Block Format” in the PICMG HPM.2 specification. The time stamps for packets in this format must match the time stamps in the Trace Data Blocks.
- ZWAVE_R1_R2 = 261¶
[
DLT_ZWAVE_R1_R2] Z-Wave RF profile R1 and R2 packets, as specified by ITU-T Recommendation G.9959, with some MAC layer fields moved.
- ZWAVE_R3 = 262¶
[
DLT_ZWAVE_R3] Z-Wave RF profile R3 packets, as specified by ITU-T Recommendation G.9959, with some MAC layer fields moved.
- WATTSTOPPER_DLM = 263¶
[
DLT_WATTSTOPPER_DLM] Formats for WattStopper Digital Lighting Management (DLM) and Legrand Nitoo Open protocol common packet structure captures.
- ISO_14443 = 264¶
[
DLT_ISO_14443] Messages between ISO 14443 contactless smartcards (Proximity Integrated Circuit Card, PICC) and card readers (Proximity Coupling Device, PCD), with the message format specified by the PCAP format for ISO14443 specification.
- RDS = 265¶
[
DLT_RDS] Radio data system (RDS) groups, as per IEC 62106, encapsulated in this form.
- USB_DARWIN = 266¶
[
DLT_USB_DARWIN] USB packets, beginning with a Darwin (macOS, etc.) USB header.
- SDLC = 268¶
[
DLT_SDLC] SDLC packets, as specified by Chapter 1, “DLC Links”, section “Synchronous Data Link Control (SDLC)” of Systems Network Architecture Formats, GA27-3136-20, without the flag fields, zero-bit insertion, or Frame Check Sequence field, containing SNA path information units (PIUs) as the payload.
- LORATAP = 270¶
[
DLT_LORATAP] LoRaTap pseudo-header, followed by the payload, which is typically the PHYPayload from the LoRaWan specification.
- VSOCK = 271¶
[
DLT_VSOCK] Protocol for communication between host and guest machines in VMware and KVM hypervisors.
- NORDIC_BLE = 272¶
[
DLT_NORDIC_BLE] Messages to and from a Nordic Semiconductor nRF Sniffer for Bluetooth LE packets, beginning with a pseudo-header.
- DOCSIS31_XRA31 = 273¶
[
DLT_DOCSIS31_XRA31] DOCSIS packets and bursts, preceded by a pseudo- header giving metadata about the packet.
- ETHERNET_MPACKET = 274¶
[
DLT_ETHERNET_MPACKET] mPackets, as specified by IEEE 802.3br Figure 99-4, starting with the preamble and always ending with a CRC field.
- DISPLAYPORT_AUX = 275¶
[
DLT_DISPLAYPORT_AUX] DisplayPort AUX channel monitoring data as specified by VESA DisplayPort (DP) Standard preceded by a pseudo-header.
- LINUX_SLL2 = 276¶
[
DLT_LINUX_SLL2] Linux “cooked” capture encapsulation v2.
- OPENVIZSLA = 278¶
[
DLT_OPENVIZSLA] Openvizsla FPGA-based USB sniffer.
- EBHSCR = 279¶
[
DLT_EBHSCR] Elektrobit High Speed Capture and Replay (EBHSCR) format.
- VPP_DISPATCH = 280¶
//fd.io VPP graph dispatch tracer, in the the graph dispatcher trace format.
- Type
[
DLT_VPP_DISPATCH] Records in traces from the http
- DSA_TAG_BRCM = 281¶
[
DLT_DSA_TAG_BRCM] Ethernet frames, with a switch tag inserted between the source address field and the type/length field in the Ethernet header.
- DSA_TAG_BRCM_PREPEND = 282¶
[
DLT_DSA_TAG_BRCM_PREPEND] Ethernet frames, with a switch tag inserted before the destination address in the Ethernet header.
- IEEE802_15_4_TAP = 283¶
[
DLT_IEEE802_15_4_TAP] IEEE 802.15.4 Low-Rate Wireless Networks, with a pseudo-header containing TLVs with metadata preceding the 802.15.4 header.
- DSA_TAG_DSA = 284¶
[
DLT_DSA_TAG_DSA] Ethernet frames, with a switch tag inserted between the source address field and the type/length field in the Ethernet header.
- DSA_TAG_EDSA = 285¶
[
DLT_DSA_TAG_EDSA] Ethernet frames, with a programmable Ethernet type switch tag inserted between the source address field and the type/length field in the Ethernet header.
- ELEE = 286¶
[
DLT_ELEE] Payload of lawful intercept packets using the ELEE protocol. The packet begins with the ELEE header; it does not include any transport- layer or lower-layer headers for protcols used to transport ELEE packets.
- Z_WAVE_SERIAL = 287¶
[
DLT_Z_WAVE_SERIAL] Serial frames transmitted between a host and a Z-Wave chip over an RS-232 or USB serial connection, as described in section 5 of the Z-Wave Serial API Host Application Programming Guide.
- USB_2_0 = 288¶
[
DLT_USB_2_0] USB 2.0, 1.1, or 1.0 packet, beginning with a PID, as described by Chapter 8 “Protocol Layer” of the the Universal Serial Bus Specification Revision 2.0.
- ATSC_ALP = 289¶
[
DLT_ATSC_ALP] ATSC Link-Layer Protocol frames, as described in section 5 of the A/330 Link-Layer Protocol specification, found at the ATSC 3.0 standards page, beginning with a Base Header.
- ETW = 290¶
[
DLT_ETW] Event Tracing for Windows messages, beginning with a pseudo- header.
- ZBOSS_NCP = 292¶
[
DLT_ZBOSS_NCP] Serial NCP (Network Co-Processor) protocol for Zigbee stack ZBOSS by DSR. ZBOSS NCP protocol, beginning with a header.
Ethertype IEEE 802 Numbers¶
This module contains the constant enumeration for Ethertype IEEE 802 Numbers,
which is automatically generated from pcapkit.vendor.reg.ethertype.EtherType.
- class pcapkit.const.reg.ethertype.EtherType(value=<no_arg>, names=None, module=None, qualname=None, type=None, start=1, boundary=None)[source]¶
Bases:
IntEnum[EtherType] Ethertype IEEE 802 Numbers
- XEROX_PUP = 512¶
XEROX PUP (see 0A00) [Boggs, D., J. Shoch, E. Taft, and R. Metcalfe, “PUP: An Internetwork Architecture”, XEROX Palo Alto Research Center, CSL-79-10, July 1979; also in IEEE Transactions on Communication, Volume COM-28, Number 4, April 1980.][Neil Sembower]
- PUP_Addr_Trans_0x0201 = 513¶
PUP Addr Trans (see 0A01) [Neil Sembower]
- Nixdorf = 1024¶
Nixdorf [Neil Sembower]
- XEROX_NS_IDP = 1536¶
Data Link Layer and Physical Layer Specification”, AA-K759B-TK, Digital Equipment Corporation, Maynard, MA. Also as: “The Ethernet - A Local Area Network”, Version 1.0, Digital Equipment Corporation, Intel Corporation, Xerox Corporation, September 1980. And: “The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specifications”, Digital, Intel and Xerox, November 1982. And: XEROX, “The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification”, X3T51/80-50, Xerox Corporation, Stamford, CT., October 1980.][Neil Sembower]
- Type
XEROX NS IDP [“The Ethernet, A Local Area Network
- DLOG_0x0660 = 1632¶
DLOG [Neil Sembower]
- DLOG_0x0661 = 1633¶
DLOG [Neil Sembower]
- X_75_Internet = 2049¶
X.75 Internet [Neil Sembower]
- NBS_Internet = 2050¶
NBS Internet [Neil Sembower]
- ECMA_Internet = 2051¶
ECMA Internet [Neil Sembower]
- Chaosnet = 2052¶
Chaosnet [Neil Sembower]
- X_25_Level_3 = 2053¶
X.25 Level 3 [Neil Sembower]
- XNS_Compatability = 2055¶
XNS Compatability [Neil Sembower]
- Symbolics_Private = 2076¶
Symbolics Private [David Plummer]
- Ungermann_Bass_net_debugr = 2304¶
Ungermann-Bass net debugr [Neil Sembower]
- Xerox_IEEE802_3_PUP = 2560¶
Xerox IEEE802.3 PUP [Neil Sembower]
- PUP_Addr_Trans_0x0A01 = 2561¶
PUP Addr Trans [Neil Sembower]
- Banyan_VINES = 2989¶
Banyan VINES [Neil Sembower]
- Berkeley_Trailer_nego = 4096¶
Berkeley Trailer nego [Neil Sembower]
- Valid_Systems = 5632¶
Valid Systems [Neil Sembower]
- PCS_Basic_Block_Protocol = 16962¶
PCS Basic Block Protocol [Neil Sembower]
- BBN_Simnet = 21000¶
BBN Simnet [Neil Sembower]
- DEC_Unassigned_0x6000 = 24576¶
DEC Unassigned (Exp.) [Neil Sembower]
- DEC_MOP_Dump_Load = 24577¶
DEC MOP Dump/Load [Neil Sembower]
- DEC_MOP_Remote_Console = 24578¶
DEC MOP Remote Console [Neil Sembower]
- DEC_DECNET_Phase_IV_Route = 24579¶
DEC DECNET Phase IV Route [Neil Sembower]
- DEC_LAT = 24580¶
DEC LAT [Neil Sembower]
- DEC_Diagnostic_Protocol = 24581¶
DEC Diagnostic Protocol [Neil Sembower]
- DEC_Customer_Protocol = 24582¶
DEC Customer Protocol [Neil Sembower]
- DEC_LAVC_SCA = 24583¶
DEC LAVC, SCA [Neil Sembower]
- Ungermann_Bass_download = 28672¶
Ungermann-Bass download [Neil Sembower]
- Ungermann_Bass_dia_loop = 28674¶
Ungermann-Bass dia/loop [Neil Sembower]
- Proteon = 28720¶
Proteon [Neil Sembower]
- Cabletron = 28724¶
Cabletron [Neil Sembower]
- HP_Probe = 32773¶
HP Probe [Neil Sembower]
- Nestar = 32774¶
Nestar [Neil Sembower]
- AT_T_0x8008 = 32776¶
AT&T [Neil Sembower]
- Excelan = 32784¶
Excelan [Neil Sembower]
- SGI_diagnostics = 32787¶
SGI diagnostics [Andrew Cherenson]
- SGI_network_games = 32788¶
SGI network games [Andrew Cherenson]
- SGI_reserved = 32789¶
SGI reserved [Andrew Cherenson]
- SGI_bounce_server = 32790¶
SGI bounce server [Andrew Cherenson]
- Apollo_Domain = 32793¶
Apollo Domain [Neil Sembower]
Tymshare [Neil Sembower]
- Tigan_Inc = 32815¶
Tigan, Inc. [Neil Sembower]
- Reverse_Address_Resolution_Protocol = 32821¶
Reverse Address Resolution Protocol (RARP) [RFC 903][Joseph Murdock]
- Aeonic_Systems = 32822¶
Aeonic Systems [Neil Sembower]
- DEC_LANBridge = 32824¶
DEC LANBridge [Neil Sembower]
- DEC_Ethernet_Encryption = 32829¶
DEC Ethernet Encryption [Neil Sembower]
- DEC_Unassigned_0x803E = 32830¶
DEC Unassigned [Neil Sembower]
- DEC_LAN_Traffic_Monitor = 32831¶
DEC LAN Traffic Monitor [Neil Sembower]
- Planning_Research_Corp = 32836¶
Planning Research Corp. [Neil Sembower]
- AT_T_0x8046 = 32838¶
AT&T [Neil Sembower]
- AT_T_0x8047 = 32839¶
AT&T [Neil Sembower]
- ExperData = 32841¶
ExperData [Neil Sembower]
- Stanford_V_Kernel_exp = 32859¶
Stanford V Kernel exp. [Neil Sembower]
- Stanford_V_Kernel_prod = 32860¶
Stanford V Kernel prod. [Neil Sembower]
- Evans_Sutherland = 32861¶
Evans & Sutherland [Neil Sembower]
- Little_Machines = 32864¶
Little Machines [Neil Sembower]
- Counterpoint_Computers = 32866¶
Counterpoint Computers [Neil Sembower]
- Univ_of_Mass_Amherst_0x8065 = 32869¶
Univ. of Mass. @ Amherst [Neil Sembower]
- Univ_of_Mass_Amherst_0x8066 = 32870¶
Univ. of Mass. @ Amherst [Neil Sembower]
- Veeco_Integrated_Auto = 32871¶
Veeco Integrated Auto. [Neil Sembower]
- General_Dynamics = 32872¶
General Dynamics [Neil Sembower]
- AT_T_0x8069 = 32873¶
AT&T [Neil Sembower]
- Autophon = 32874¶
Autophon [Neil Sembower]
- ComDesign = 32876¶
ComDesign [Neil Sembower]
- Computgraphic_Corp = 32877¶
Computgraphic Corp. [Neil Sembower]
- Matra = 32890¶
Matra [Neil Sembower]
- Dansk_Data_Elektronik = 32891¶
Dansk Data Elektronik [Neil Sembower]
- Merit_Internodal = 32892¶
Merit Internodal [Hans Werner Braun]
- Vitalink_TransLAN_III = 32896¶
Vitalink TransLAN III [Neil Sembower]
- Appletalk = 32923¶
Appletalk [Neil Sembower]
- Spider_Systems_Ltd = 32927¶
Spider Systems Ltd. [Neil Sembower]
- Nixdorf_Computers = 32931¶
Nixdorf Computers [Neil Sembower]
- Banyan_Systems_0x80C4 = 32964¶
Banyan Systems [Neil Sembower]
- Banyan_Systems_0x80C5 = 32965¶
Banyan Systems [Neil Sembower]
- Pacer_Software = 32966¶
Pacer Software [Neil Sembower]
- Applitek_Corporation = 32967¶
Applitek Corporation [Neil Sembower]
- IBM_SNA_Service_on_Ether = 32981¶
IBM SNA Service on Ether [Neil Sembower]
- Varian_Associates = 32989¶
Varian Associates [Neil Sembower]
- Retix = 33010¶
Retix [Neil Sembower]
- AppleTalk_AARP = 33011¶
AppleTalk AARP (Kinetics) [Neil Sembower]
- Apollo_Computer = 33015¶
Apollo Computer [Neil Sembower]
- Wellfleet_Communications = 33023¶
Wellfleet Communications [Neil Sembower]
- Customer_VLAN_Tag_Type = 33024¶
Customer VLAN Tag Type (C-Tag, formerly called the Q-Tag) (initially Wellfleet) [RFC 7042]
- Hayes_Microcomputers = 33072¶
Hayes Microcomputers [Neil Sembower]
- VG_Laboratory_Systems = 33073¶
VG Laboratory Systems [Neil Sembower]
- Logicraft = 33096¶
Logicraft [Neil Sembower]
- Network_Computing_Devices = 33097¶
Network Computing Devices [Neil Sembower]
- Alpha_Micro = 33098¶
Alpha Micro [Neil Sembower]
- SNMP = 33100¶
SNMP [Joyce K Reynolds]
- BIIN_0x814D = 33101¶
BIIN [Neil Sembower]
- BIIN_0x814E = 33102¶
BIIN [Neil Sembower]
- Technically_Elite_Concept = 33103¶
Technically Elite Concept [Neil Sembower]
- Rational_Corp = 33104¶
Rational Corp [Neil Sembower]
- XTP = 33149¶
XTP [Neil Sembower]
- SGI_Time_Warner_prop = 33150¶
SGI/Time Warner prop. [Neil Sembower]
- HIPPI_FP_encapsulation = 33152¶
HIPPI-FP encapsulation [Neil Sembower]
- STP_HIPPI_ST = 33153¶
STP, HIPPI-ST [Neil Sembower]
- Reserved_for_HIPPI_6400_0x8182 = 33154¶
Reserved for HIPPI-6400 [Neil Sembower]
- Reserved_for_HIPPI_6400_0x8183 = 33155¶
Reserved for HIPPI-6400 [Neil Sembower]
- Motorola_Computer = 33165¶
Motorola Computer [Neil Sembower]
- ARAI_Bunkichi = 33188¶
ARAI Bunkichi [Neil Sembower]
- SECTRA = 34523¶
SECTRA [Neil Sembower]
- Delta_Controls = 34526¶
Delta Controls [Neil Sembower]
- ATOMIC = 34527¶
ATOMIC [Joe Touch]
- IEEE_Std_802_3_Ethernet_Passive_Optical_Network = 34824¶
IEEE Std 802.3 - Ethernet Passive Optical Network (EPON) [EPON][RFC 7042]
- Slow_Protocols = 34825¶
Slow Protocols (Link Aggregation, OAM, etc.) [IEEE]
- Ethernet_NIC_hardware_and_software_testing = 34850¶
Ethernet NIC hardware and software testing [Wind River]
- Multicast_Channel_Allocation_Protocol = 34913¶
Multicast Channel Allocation Protocol (MCAP) [RFC 7042]
- PPP_over_Ethernet_Session_Stage = 34916¶
PPP over Ethernet (PPPoE) Session Stage [RFC 2516][RFC 8822]
- IEEE_Std_802_1X_Port_based_network_access_control = 34958¶
IEEE Std 802.1X - Port-based network access control [IEEE]
- IEEE_Std_802_1Q_Service_VLAN_tag_identifier = 34984¶
IEEE Std 802.1Q - Service VLAN tag identifier (S-Tag) [IEEE]
- IEEE_Std_802_Local_Experimental_Ethertype_0x88B5 = 34997¶
IEEE Std 802 - Local Experimental Ethertype [IEEE]
- IEEE_Std_802_Local_Experimental_Ethertype_0x88B6 = 34998¶
IEEE Std 802 - Local Experimental Ethertype [IEEE]
- IEEE_Std_802_OUI_Extended_Ethertype = 34999¶
IEEE Std 802 - OUI Extended Ethertype [IEEE]
- IEEE_Std_802_11_Pre_Authentication = 35015¶
IEEE Std 802.11 - Pre-Authentication (802.11i) [IEEE]
- IEEE_Std_802_1AB_Link_Layer_Discovery_Protocol = 35020¶
IEEE Std 802.1AB - Link Layer Discovery Protocol (LLDP) [IEEE]
- IEEE_Std_802_1AE_Media_Access_Control_Security = 35045¶
IEEE Std 802.1AE - Media Access Control Security [IEEE]
- Provider_Backbone_Bridging_Instance_tag = 35047¶
Provider Backbone Bridging Instance tag [IEEE Std 802.1Q-2014]
- IEEE_Std_802_1Q_Multiple_VLAN_Registration_Protocol = 35061¶
IEEE Std 802.1Q - Multiple VLAN Registration Protocol (MVRP) [IEEE]
- IEEE_Std_802_1Q_Multiple_Multicast_Registration_Protocol = 35062¶
IEEE Std 802.1Q - Multiple Multicast Registration Protocol (MMRP) [IEEE]
- IEEE_Std_802_11_Fast_Roaming_Remote_Request = 35085¶
IEEE Std 802.11 - Fast Roaming Remote Request (802.11r) [IEEE]
- IEEE_Std_802_21_Media_Independent_Handover_Protocol = 35095¶
IEEE Std 802.21 - Media Independent Handover Protocol [IEEE]
- IEEE_Std_802_1Qbe_Multiple_I_SID_Registration_Protocol = 35113¶
IEEE Std 802.1Qbe - Multiple I-SID Registration Protocol [IEEE]
- IEEE_Std_802_1Qbg_ECP_Protocol = 35136¶
IEEE Std 802.1Qbg - ECP Protocol (also used in 802.1BR) [IEEE]
- GeoNetworking_as_defined_in_ETSI_EN_302_636_4_1 = 35143¶
GeoNetworking as defined in ETSI EN 302 636-4-1 [IEEE]
- Loopback = 36864¶
Loopback [Neil Sembower]
- EtherType_3Com_XNS_Sys_Mgmt = 36865¶
3Com(Bridge) XNS Sys Mgmt [Neil Sembower]
- EtherType_3Com_TCP_IP_Sys = 36866¶
3Com(Bridge) TCP-IP Sys [Neil Sembower]
- EtherType_3Com_loop_detect = 36867¶
3Com(Bridge) loop detect [Neil Sembower]
- The_Ethertype_will_be_used_to_identify_a_Channel_in_which_control_messages_are_encapsulated_as_payload_of_GRE_packets_When_a_GRE_packet_tagged_with_the_Ethertype_is_received_the_payload_will_be_handed_to_the_network_processor_for_processing = 47082¶
The Ethertype will be used to identify a “Channel” in which control messages are encapsulated as payload of GRE packets. When a GRE packet tagged with the Ethertype is received, the payload will be handed to the network processor for processing. [RFC 8157]
- BBN_VITAL_LanBridge_cache = 65280¶
BBN VITAL-LanBridge cache [Neil Sembower]
Transport Layer Protocol Numbers¶
This module contains the constant enumeration for Transport Layer Protocol Numbers,
which is automatically generated from pcapkit.vendor.reg.transtype.TransType.
- class pcapkit.const.reg.transtype.TransType(value=<no_arg>, names=None, module=None, qualname=None, type=None, start=1, boundary=None)[source]¶
Bases:
IntEnum[TransType] Transport Layer Protocol Numbers
- TCP = 6¶
Transmission Control [RFC-ietf-tcpm-rfc793bis-28]
- CBT = 7¶
CBT [Tony Ballardie]
- IGP = 9¶
any private interior gateway (used by Cisco for their IGRP) [Internet Assigned Numbers Authority]
- BBN_RCC_MON = 10¶
BBN RCC Monitoring [Steve Chipman]
- PUP = 12¶
An Internetwork Architecture”, XEROX Palo Alto Research Center, CSL-79-10, July 1979; also in IEEE Transactions on Communication, Volume COM-28, Number 4, April 1980.][XEROX]
- Type
PUP [Boggs, D., J. Shoch, E. Taft, and R. Metcalfe, “PUP
- ARGUS = 13¶
ARGUS (deprecated)) [Robert W Scheifler]
- EMCON = 14¶
EMCON [<mystery contact>]
- XNET = 15¶
Cross Net Debugger [Haverty, J., “XNET Formats for Internet Protocol Version 4”, IEN 158, October 1980.][Jack Haverty]
- CHAOS = 16¶
Chaos [J Noel Chiappa]
- MUX = 18¶
Multiplexing [Cohen, D. and J. Postel, “Multiplexing Protocol”, IEN 90, USC/Information Sciences Institute, May 1979.][Jon Postel]
- DCN_MEAS = 19¶
DCN Measurement Subsystems [David Mills]
- PRM = 21¶
Packet Radio Measurement [Zaw Sing Su]
- XNS_IDP = 22¶
Data Link Layer and Physical Layer Specification”, AA-K759B-TK, Digital Equipment Corporation, Maynard, MA. Also as: “The Ethernet - A Local Area Network”, Version 1.0, Digital Equipment Corporation, Intel Corporation, Xerox Corporation, September 1980. And: “The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specifications”, Digital, Intel and Xerox, November 1982. And: XEROX, “The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification”, X3T51/80-50, Xerox Corporation, Stamford, CT., October 1980.][XEROX]
- Type
XEROX NS IDP [“The Ethernet, A Local Area Network
- TRUNK_1 = 23¶
Trunk-1 [Barry Boehm]
- TRUNK_2 = 24¶
Trunk-2 [Barry Boehm]
- LEAF_1 = 25¶
Leaf-1 [Barry Boehm]
- LEAF_2 = 26¶
Leaf-2 [Barry Boehm]
- MFE_NSP = 31¶
MFE Network Services Protocol [Shuttleworth, B., “A Documentary of MFENet, a National Computer Network”, UCRL-52317, Lawrence Livermore Labs, Livermore, California, June 1977.][Barry Howard]
- MERIT_INP = 32¶
MERIT Internodal Protocol [Hans Werner Braun]
- TransType_3PC = 34¶
Third Party Connect Protocol [Stuart A Friedberg]
- IDPR = 35¶
Inter-Domain Policy Routing Protocol [Martha Steenstrup]
- XTP = 36¶
XTP [Greg Chesson]
- DDP = 37¶
Datagram Delivery Protocol [Wesley Craig]
- IDPR_CMTP = 38¶
IDPR Control Message Transport Proto [Martha Steenstrup]
- TP = 39¶
TP++ Transport Protocol [Dirk Fromhein]
- IL = 40¶
IL Transport Protocol [Dave Presotto]
- SDRP = 42¶
Source Demand Routing Protocol [Deborah Estrin]
- IPv6_Route = 43¶
Routing Header for IPv6 [Steve Deering]
- IPv6_Frag = 44¶
Fragment Header for IPv6 [Steve Deering]
- IDRP = 45¶
Inter-Domain Routing Protocol [Sue Hares]
- BNA = 49¶
BNA [Gary Salamon]
- I_NLSP = 52¶
Integrated Net Layer Security TUBA [K Robert Glenn]
- SWIPE = 53¶
IP with Encryption (deprecated)) [John Ioannidis]
- MOBILE = 55¶
IP Mobility [Charlie Perkins]
- TLSP = 56¶
Transport Layer Security Protocol using Kryptonet key management [Christer Oberg]
- SKIP = 57¶
SKIP [Tom Markson]
- any_host_internal_protocol = 61¶
any host internal protocol [Internet Assigned Numbers Authority]
- CFTP = 62¶
CFTP [Forsdick, H., “CFTP”, Network Message, Bolt Beranek and Newman, January 1982.][Harry Forsdick]
- any_local_network = 63¶
any local network [Internet Assigned Numbers Authority]
- SAT_EXPAK = 64¶
SATNET and Backroom EXPAK [Steven Blumenthal]
- KRYPTOLAN = 65¶
Kryptolan [Paul Liu]
- RVD = 66¶
MIT Remote Virtual Disk Protocol [Michael Greenwald]
- IPPC = 67¶
Internet Pluribus Packet Core [Steven Blumenthal]
- any_distributed_file_system = 68¶
any distributed file system [Internet Assigned Numbers Authority]
- SAT_MON = 69¶
SATNET Monitoring [Steven Blumenthal]
- VISA = 70¶
VISA Protocol [Gene Tsudik]
- IPCV = 71¶
Internet Packet Core Utility [Steven Blumenthal]
- CPNX = 72¶
Computer Protocol Network Executive [David Mittnacht]
- CPHB = 73¶
Computer Protocol Heart Beat [David Mittnacht]
- WSN = 74¶
Wang Span Network [Victor Dafoulas]
- PVP = 75¶
Packet Video Protocol [Steve Casner]
- BR_SAT_MON = 76¶
Backroom SATNET Monitoring [Steven Blumenthal]
- SUN_ND = 77¶
SUN ND PROTOCOL-Temporary [William Melohn]
- WB_MON = 78¶
WIDEBAND Monitoring [Steven Blumenthal]
- WB_EXPAK = 79¶
WIDEBAND EXPAK [Steven Blumenthal]
- ISO_IP = 80¶
ISO Internet Protocol [Marshall T Rose]
- VMTP = 81¶
VMTP [Dave Cheriton]
- SECURE_VMTP = 82¶
SECURE-VMTP [Dave Cheriton]
- VINES = 83¶
VINES [Brian Horn]
- TTP = 84¶
Transaction Transport Protocol [Jim Stevens]
- IPTM = 84¶
Internet Protocol Traffic Manager [Jim Stevens]
- NSFNET_IGP = 85¶
NSFNET-IGP [Hans Werner Braun]
- DGP = 86¶
Dissimilar Gateway Protocol [M/A-COM Government Systems, “Dissimilar Gateway Protocol Specification, Draft Version”, Contract no. CS901145, November 16, 1987.][Mike Little]
- TCF = 87¶
TCF [Guillermo A Loyola]
- Sprite_RPC = 90¶
Sprite RPC Protocol [Welch, B., “The Sprite Remote Procedure Call System”, Technical Report, UCB/Computer Science Dept., 86/302, University of California at Berkeley, June 1986.][Bruce Willins]
- LARP = 91¶
Locus Address Resolution Protocol [Brian Horn]
- MTP = 92¶
Multicast Transport Protocol [Susie Armstrong]
- AX_25 = 93¶
AX.25 Frames [Brian Kantor]
- IPIP = 94¶
IP-within-IP Encapsulation Protocol [John Ioannidis]
- MICP = 95¶
Mobile Internetworking Control Pro. (deprecated)) [John Ioannidis]
- SCC_SP = 96¶
Semaphore Communications Sec. Pro. [Howard Hart]
- any_private_encryption_scheme = 99¶
any private encryption scheme [Internet Assigned Numbers Authority]
- GMTP = 100¶
GMTP [RXB5]
- IFMP = 101¶
Ipsilon Flow Management Protocol [Bob Hinden][November 1995, 1997.]
- PNNI = 102¶
PNNI over IP [Ross Callon]
- ARIS = 104¶
ARIS [Nancy Feldman]
- SCPS = 105¶
SCPS [Robert Durst]
- QNX = 106¶
QNX [Michael Hunter]
- A_N = 107¶
Active Networks [Bob Braden]
- SNP = 109¶
Sitara Networks Protocol [Manickam R Sridhar]
- Compaq_Peer = 110¶
Compaq Peer Protocol [Victor Volpe]
- IPX_in_IP = 111¶
IPX in IP [CJ Lee]
- PGM = 113¶
PGM Reliable Transport Protocol [Tony Speakman]
- any_0_hop_protocol = 114¶
any 0-hop protocol [Internet Assigned Numbers Authority]
- DDX = 116¶
D-II Data Exchange (DDX) [John Worley]
- IATP = 117¶
Interactive Agent Transfer Protocol [John Murphy]
- STP = 118¶
Schedule Transfer Protocol [Jean Michel Pittet]
- SRP = 119¶
SpectraLink Radio Protocol [Mark Hamilton]
- UTI = 120¶
UTI [Peter Lothberg]
- SMP = 121¶
Simple Message Protocol [Leif Ekblad]
- SM = 122¶
Simple Multicast Protocol (deprecated)) [Jon Crowcroft][draft-perlman- simple-multicast]
- PTP = 123¶
Performance Transparency Protocol [Michael Welzl]
- ISIS_over_IPv4 = 124¶
[Tony Przygienda]
- FIRE = 125¶
[Criag Partridge]
- CRTP = 126¶
Combat Radio Transport Protocol [Robert Sautter]
- CRUDP = 127¶
Combat Radio User Datagram [Robert Sautter]
- SSCOPMCE = 128¶
[Kurt Waber]
- IPLT = 129¶
[Hollbach]
- SPS = 130¶
Secure Packet Shield [Bill McIntosh]
- PIPE = 131¶
Private IP Encapsulation within IP [Bernhard Petri]
- SCTP = 132¶
Stream Control Transmission Protocol [Randall R Stewart]
- Reserved_255 = 255¶
[Internet Assigned Numbers Authority]
Link Layer¶
ARP Constant Enumerations¶
This module contains all constant enumerations of ARP
and RARP implementations. Available
enumerations include:
ARP Hardware Types * |
|
Operation Codes † |
Hardware Types¶
This module contains the constant enumeration for Hardware Types,
which is automatically generated from pcapkit.vendor.arp.hardware.Hardware.
- class pcapkit.const.arp.hardware.Hardware(value=<no_arg>, names=None, module=None, qualname=None, type=None, start=1, boundary=None)[source]¶
Bases:
IntEnum[Hardware] Hardware Types [RFC 826][RFC 5494]
- Ethernet = 1¶
Ethernet (10Mb) [Jon Postel]
- Experimental_Ethernet = 2¶
Experimental Ethernet (3Mb) [Jon Postel]
- Amateur_Radio_AX_25 = 3¶
Amateur Radio AX.25 [Philip Koch]
- Proteon_ProNET_Token_Ring = 4¶
Proteon ProNET Token Ring [Avri Doria]
- Chaos = 5¶
Chaos [Gill Pratt]
- IEEE_802_Networks = 6¶
IEEE 802 Networks [Jon Postel]
- Hyperchannel = 8¶
Hyperchannel [Jon Postel]
- Lanstar = 9¶
Lanstar [Tom Unger]
- Autonet_Short_Address = 10¶
Autonet Short Address [Mike Burrows]
- LocalTalk = 11¶
LocalTalk [Joyce K Reynolds]
- LocalNet = 12¶
LocalNet (IBM PCNet or SYTEK LocalNET) [Joseph Murdock]
- Ultra_link = 13¶
Ultra link [Rajiv Dhingra]
- SMDS = 14¶
SMDS [George Clapp]
- Frame_Relay = 15¶
Frame Relay [Andy Malis]
- Asynchronous_Transmission_Mode_16 = 16¶
Asynchronous Transmission Mode (ATM) [JXB2]
- HDLC = 17¶
HDLC [Jon Postel]
- Serial_Line = 20¶
Serial Line [Jon Postel]
- Asynchronous_Transmission_Mode_21 = 21¶
Asynchronous Transmission Mode (ATM) [Mike Burrows]
- MIL_STD_188_220 = 22¶
MIL-STD-188-220 [Herb Jensen]
- Metricom = 23¶
Metricom [Jonathan Stone]
- IEEE_1394_1995 = 24¶
IEEE 1394.1995 [Myron Hattig]
- Twinaxial = 26¶
Twinaxial [Marion Pitts]
- EUI_64 = 27¶
EUI-64 [Kenji Fujisawa]
- HIPARP = 28¶
HIPARP [Jean Michel Pittet]
- IP_and_ARP_over_ISO_7816_3 = 29¶
IP and ARP over ISO 7816-3 [Scott Guthery]
- ARPSec = 30¶
ARPSec [Jerome Etienne]
- TIA_102_Project_25_Common_Air_Interface = 33¶
TIA-102 Project 25 Common Air Interface (CAI) [Jeff Anderson, Telecommunications Industry of America (TIA) TR-8.5 Formulating Group, <cja015&motorola.com>, June 2004]
- Wiegand_Interface = 34¶
Wiegand Interface [Scott Guthery 2]
- Pure_IP = 35¶
Pure IP [Inaky Perez-Gonzalez]
- HFI = 37¶
HFI [Tseng-Hui Lin]
- AEthernet = 257¶
AEthernet [Geoffroy Gramaize]
Operation Codes¶
This module contains the constant enumeration for Operation Codes,
which is automatically generated from pcapkit.vendor.arp.operation.Operation.
- class pcapkit.const.arp.operation.Operation(value=<no_arg>, names=None, module=None, qualname=None, type=None, start=1, boundary=None)[source]¶
Bases:
IntEnum[Operation] Operation Codes [RFC 826][RFC 5494]
- MARS_Request = 11¶
MARS-Request [Grenville Armitage]
- MARS_Multi = 12¶
MARS-Multi [Grenville Armitage]
- MARS_MServ = 13¶
MARS-MServ [Grenville Armitage]
- MARS_Join = 14¶
MARS-Join [Grenville Armitage]
- MARS_Leave = 15¶
MARS-Leave [Grenville Armitage]
- MARS_NAK = 16¶
MARS-NAK [Grenville Armitage]
- MARS_Unserv = 17¶
MARS-Unserv [Grenville Armitage]
- MARS_SJoin = 18¶
MARS-SJoin [Grenville Armitage]
- MARS_SLeave = 19¶
MARS-SLeave [Grenville Armitage]
- MARS_Grouplist_Request = 20¶
MARS-Grouplist-Request [Grenville Armitage]
- MARS_Grouplist_Reply = 21¶
MARS-Grouplist-Reply [Grenville Armitage]
- MARS_Redirect_Map = 22¶
MARS-Redirect-Map [Grenville Armitage]
L2TP Constant Enumerations¶
This module contains all constant enumerations of
L2TP implementations. Available
enumerations include:
|
L2TP Types |
OSPF Constant Enumerations¶
This module contains all constant enumerations of
OSPF implementations. Available
enumerations include:
|
Authentication Codes * |
|
OSPF Packet Types † |
VLAN Constant Enumerations¶
This module contains all constant enumerations of
VLAN implementations. Available
enumerations include:
|
Priority Levels * |
Internet Layer¶
HIP Constant Enumerations¶
This module contains all constant enumerations of
HIP implementations. Available
enumerations include:
|
HIP Certificate Types * |
|
HIP Cipher IDs † |
|
DI-Types ‡ |
|
ECDSA Curve Label § |
|
ECDSA_LOW Curve Label ¶ |
|
ESP Transform Suite IDs # |
|
Group IDs ♠ |
|
HI Algorithm ♥ |
|
HIT Suite IDs ♦ |
|
HIP NAT Traversal Modes ♣ |
|
Notify Message Types ** |
|
Packet Types †† |
|
Parameter Types ‡‡ |
|
Registration Types §§ |
|
Registration Failure Types ¶¶ |
|
Suite IDs ## |
|
HIP Transport Modes ♠♠ |
- *
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#certificate-types
- †
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-cipher-id
- ‡
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-7
- §
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#ecdsa-curve-label
- ¶
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#ecdsa-low-curve-label
- #
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#esp-transform-suite-ids
- ♠
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-5
- ♥
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hi-algorithm
- ♦
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hit-suite-id
- ♣
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#nat-traversal
- **
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-9
- ††
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-1
- ‡‡
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-4
- §§
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-11
- ¶¶
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-13
- ##
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-6
- ♠♠
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#transport-modes
IPv4 Constant Enumerations¶
This module contains all constant enumerations of
IPv4 implementations. Available
enumerations include:
|
Classification Level Encodings |
|
Option Classes |
|
IP Option Numbers * |
|
Protection Authority Bit Assignments |
|
QS Functions |
|
IPv4 Router Alert Option Values † |
|
ToS (DS Field) Delay |
|
ToS ECN Field |
|
ToS (DS Field) Precedence |
|
ToS (DS Field) Reliability |
|
ToS (DS Field) Throughput |
|
TS Flag |
IPv6 Constant Enumerations¶
This module contains all constant enumerations of
IPv6 implementations. Available
enumerations include:
|
IPv6 Extension Header Types * |
|
Destination Options and Hop-by-Hop Options † |
|
IPv6 QS Functions |
|
IPv6 Router Alert Option Values ‡ |
|
Routing Types § |
|
Seed-ID Types |
|
Simplified Multicast Forwarding Duplicate Packet Detection ( |
|
Tagger-ID Types ¶ |
- *
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#extension-header
- †
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-2
- ‡
- §
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-3
- ¶
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#taggerId-types
IPX Constant Enumerations¶
This module contains all constant enumerations of
IPX implementations. Available
enumerations include:
|
IPX Packet Types * |
|
IPX Socket Types † |
MH Constant Enumerations¶
This module contains all constant enumerations of
MH implementations. Available
enumerations include:
|
Mobility Header Types * |
Transport Layer¶
Application Layer¶
FTP Constant Enumerations¶
This module contains all constant enumerations of
FTP implementations. Available
enumerations include:
FTP Commands * |
|
|
FTP Return Codes † |
- pcapkit.const.ftp.command.Command: defaultInfo[CommandType]¶
FTP commands.
HTTP Constant Enumerations¶
This module contains all constant enumerations of
HTTP implementations. Available
enumerations include:
|
HTTP/2 Error Code * |
|
HTTP/2 Frame Type † |
|
HTTP/2 Settings ‡ |
Vendor Crawlers¶
This module contains all web crawlers of pcapkit, which are
automatically generating from the pcapkit.const module’s constant
enumerations.
Base Crawler¶
Base Crawler¶
pcapkit.vendor.default contains Vendor
only, which is the base meta class for all vendor crawlers.
Vendor Crawler¶
Crawler Template¶
- pcapkit.vendor.default.LINE(NAME, DOCS, FLAG, ENUM, MISS, MODL)¶
Default constant template of enumeration registry from IANA CSV.
- Parameters
NAME (str) – name of the constant enumeration class
DOCS (str) – docstring for the constant enumeration class
FLAG (str) – threshold value validator (range of valid values)
ENUM (str) – enumeration data (class attributes)
MISS (str) – missing value handler (default value)
MODL (str) – module name of the constant enumeration class
- Return type
Crawler Proxy¶
Protocol Numbers¶
Link Layer¶
ARP Vendor Crawlers¶
This module contains all vendor crawlers of ARP
and RARP implementations. Available
vendor crawlers include:
|
ARP Hardware Types * |
|
Operation Codes † |
L2TP Vendor Crawlers¶
This module contains all vendor crawlers of
L2TP implementations. Available
enumerations include:
|
L2TP Types |
OSPF Vendor Crawlers¶
This module contains all vendor crawlers of
OSPF implementations. Available
enumerations include:
|
Authentication Codes * |
|
OSPF Packet Types † |
VLAN Vendor Crawlers¶
This module contains all vendor crawlers of
VLAN implementations. Available
enumerations include:
|
Priority Levels * |
Internet Layer¶
HIP Vendor Crawlers¶
This module contains all vendor crawlers of
HIP implementations. Available
crawlers include:
|
HIP Certificate Types * |
|
HIP Cipher IDs † |
|
DI-Types ‡ |
|
ECDSA Curve Label § |
|
ECDSA_LOW Curve Label ¶ |
|
ESP Transform Suite IDs # |
|
Group IDs ♠ |
|
HI Algorithm ♥ |
|
HIT Suite IDs ♦ |
|
HIP NAT Traversal Modes ♣ |
|
Notify Message Types ** |
|
Packet Types †† |
|
Parameter Types ‡‡ |
|
Registration Types §§ |
|
Registration Failure Types ¶¶ |
|
Suite IDs ## |
|
HIP Transport Modes ♠♠ |
- *
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#certificate-types
- †
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-cipher-id
- ‡
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-7
- §
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#ecdsa-curve-label
- ¶
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#ecdsa-low-curve-label
- #
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#esp-transform-suite-ids
- ♠
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-5
- ♥
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hi-algorithm
- ♦
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hit-suite-id
- ♣
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#nat-traversal
- **
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-9
- ††
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-1
- ‡‡
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-4
- §§
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-11
- ¶¶
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-13
- ##
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-6
- ♠♠
https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#transport-modes
IPv4 Vendor Crawlers¶
This module contains all vendor crawlers of
IPv4 implementations. Available
crawlers include:
|
Classification Level Encodings |
|
Option Classes |
|
IP Option Numbers * |
|
Protection Authority Bit Assignments |
|
QS Functions |
|
IPv4 Router Alert Option Values † |
|
ToS (DS Field) Delay |
|
ToS ECN Field |
|
ToS (DS Field) Precedence |
|
ToS (DS Field) Reliability |
|
ToS (DS Field) Throughput |
IPv6 Vendor Crawlers¶
This module contains all vendor crawlers of
IPv6 implementations. Available
crawlers include:
|
IPv6 Extension Header Types * |
|
Destination Options and Hop-by-Hop Options † |
|
IPv6 QS Functions |
|
IPv6 Router Alert Option Values ‡ |
|
Routing Types § |
|
Seed-ID Types |
|
Simplified Multicast Forwarding Duplicate Packet Detection ( |
|
Tagger-ID Types ¶ |
- *
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#extension-header
- †
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-2
- ‡
- §
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-3
- ¶
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#taggerId-types
IPX Vendor Crawlers¶
This module contains all vendor crawlers of
IPX implementations. Available
crawlers include:
|
IPX Packet Types * |
|
IPX Socket Types † |
MH Vendor Crawlers¶
This module contains all vendor crawlers of
MH implementations. Available
enumerations include:
|
Mobility Header Types * |
Transport Layer¶
Application Layer¶
FTP Vendor Crawler¶
This module contains all vendor crawlers of
FTP implementations. Available
crawlers include:
|
FTP Commands * |
|
FTP Return Codes † |
HTTP Venddor Crawlers¶
This module contains all vendor crawlers of
HTTP implementations. Available
vendor crawlers include:
|
HTTP/2 Error Code * |
|
HTTP/2 Frame Type † |
|
HTTP/2 Settings ‡ |
usage: pcapkit-vendor [-h] [-V] ...
update constant enumerations
positional arguments:
target update targets, supply none to update all
optional arguments:
-h, --help show this help message and exit
-V, --version show program's version number and exit
usage: pcapkit-cli [-h] [-V] [-o file-name] [-f format] [-j] [-p] [-t] [-a]
[-v] [-F] [-E PKG] [-P PROTOCOL] [-L LAYER]
input-file-name
PCAP file extractor and formatted dumper
positional arguments:
input-file-name The name of input pcap file. If ".pcap" omits, it will
be automatically appended.
optional arguments:
-h, --help show this help message and exit
-V, --version show program's version number and exit
-o file-name, --output file-name
The name of input pcap file. If format extension
omits, it will be automatically appended.
-f format, --format format
Print a extraction report in the specified output
format. Available are all formats supported by
dictdumper, e.g.: json, plist, and tree.
-j, --json Display extraction report as json. This will yield
"raw" output that may be used by external tools. This
option overrides all other options.
-p, --plist Display extraction report as macOS Property List
(plist). This will yield "raw" output that may be used
by external tools. This option overrides all other
options.
-t, --tree Display extraction report as tree view text. This will
yield "raw" output that may be used by external tools.
This option overrides all other options.
-a, --auto-extension If output file extension omits, append automatically.
-v, --verbose Show more information.
-F, --files Split each frame into different files.
-E PKG, --engine PKG Indicate extraction engine. Note that except default
or pcapkit engine, all other engines need support of
corresponding packages.
-P PROTOCOL, --protocol PROTOCOL
Indicate extraction stops after which protocol.
-L LAYER, --layer LAYER
Indicate extract frames until which layer.
How to …¶
Basic Samples¶
pcapkit is quite easy to use, with simply three verbs as
its main interface. Several scenarios are shown as below.
extract a PCAP file and dump the result to a specific file (with no reassembly)
from pcapkit import extract # dump to a PLIST file with no frame storage (property frame disabled) plist = extract(fin='in.pcap', fout='out.plist', format='plist', store=False) # dump to a JSON file with no extension auto-complete json = extract(fin='in.cap', fout='out.json', format='json', extension=False) # dump to a folder with each tree-view text file per frame tree = extract(fin='in.pcap', fout='out', format='tree', files=True)
extract a PCAP file and fetch IP packet (both IPv4 and IPv6) from a frame (with no output file)
from pcapkit import IP, extract extraction = extract(fin='in.pcap', nofile=True) frame0 = extraction.frame[0] # check if IP (IPv4 or IPv6) in this frame flag = IP in frame0 if IP in frame0: # fetch the IP packet from this frame ip = frame0[IP]
extract a PCAP file and reassemble TCP payload (with no output file nor frame storage)
from pcapkit import HTTP, extract # set strict to make sure full reassembly extraction = extract(fin='in.pcap', store=False, nofile=True, tcp=True, strict=True) # print extracted packet if HTTP in reassembled payloads for datagram in extraction.reassembly.tcp: if datagram.packet is not None and HTTP in datagram.packet: print(datagram.packet[HTTP])
CLI Samples¶
The CLI (command line interface) of pcapkit has two different access.
through console scripts
Use command name
pcapkit-cli [...]directly (as shown in samples).through Python module
python -m pypcapkit [...]works exactly the same as above.
Here are some usage samples:
export to a macOS Property List (Xcode has special support for this format)
$ pcapkit-cli in --format plist --verbose 🚨Loading file 'in.pcap' Frame 1: Ethernet:IPv6:IPv6_ICMP Frame 2: Ethernet:IPv6:IPv6_ICMP Frame 3: Ethernet:IPv4:TCP Frame 4: Ethernet:IPv4:TCP Frame 5: Ethernet:IPv4:TCP Frame 6: Ethernet:IPv4:UDP:Raw 🍺Report file stored in 'out.plist'
export to a JSON file (with no format specified)
$ pcapkit-cli in --output out.json --verbose 🚨Loading file 'in.pcap' Frame 1: Ethernet:IPv6:IPv6_ICMP Frame 2: Ethernet:IPv6:IPv6_ICMP Frame 3: Ethernet:IPv4:TCP Frame 4: Ethernet:IPv4:TCP Frame 5: Ethernet:IPv4:TCP Frame 6: Ethernet:IPv4:UDP:Raw 🍺Report file stored in 'out.json'
export to a text tree view file (without extension autocorrect)
$ pcapkit-cli in --output out.txt --format tree --verbose 🚨Loading file 'in.pcap' Frame 1: Ethernet:IPv6:IPv6_ICMP Frame 2: Ethernet:IPv6:IPv6_ICMP Frame 3: Ethernet:IPv4:TCP Frame 4: Ethernet:IPv4:TCP Frame 5: Ethernet:IPv4:TCP Frame 6: Ethernet:IPv4:UDP:Raw 🍺Report file stored in 'out.txt'
Help Wanted¶
Important
This is a copy of the discussion thread started on the GitHub. The documentation is only used as a backup reference to the original discussion thread.
As PyPCAPKit reaches its 16k lines of code and 800th commit, I figure it would be a better idea to record the project enchancement proposals here in the discussion thread. The proposals and/or notes will be documented and maintained here.
Pull requests for the existing proposals and any new ideas are highly welcomed and encouraged. Should you have any questions, please leave a note either in this thread or under the Q&A category discussions.
Wish you enjoy PyPCAPKit!!!
More Protocols, More!!!¶
As you may have noticed, there are some protocol-named files under the
NotImplemented folders. These protocols are what I planned to implement
but not yet done. Namely, grouped by each TCP/IP layer and ordered by protocol
name alphabetically,
Link Layer: DSL, EAPOL, FDDI, ISDN, PPP
Internet Layer: ECN, ESP, ICMP, ICMPv6, IGMP, NDP, Shim6
Transport Layer: DCCP, QUIC, RSVP, SCTP
Application Layer: BGP, DHCP, DHCPv6, DNS, IMAP, LDAP, MQTT, NNTP, NTP, ONC/RPC, POP, RIP, RTP, SIP, SMTP, SNMP, SSH, Telnet, TLS/SSL, XMPP
Specifically, I have attempted to implement ESP several years ago, and I abandoned the implementation in the NotImplemented folder due to some design flaws within PyPCAPKit at that time. But now, the protocol should be able to implement quite smoothly.
More over, MH requires some help to
implement all the message data types, you can find more information in the
specific file.
Also, for the existing protocols, I am looking for a helping hand to implement
the construction features, as defined in the Protocol.make
method. You can find some reference from the PCAP’s Frame
header class.
PCAPNG Support¶
As mentioned in #35, PyPCAPKit does not support parsing PCAPNG files with its builtin default engine at the moment – partly because I could not understand the file format specifications.
If you are to help with it, please refer to the implementation of PCAP format
support in pcapkit.protocols.misc.pcap module.
Maybe Even Faster?¶
Based on my recent benchmarking, PyPCAPKit’s builtin default engine is only 4 times slower than Scapy and 10 times to DPKT. Considering the general overhead and verbose features provided by PyPCAPKit’s builtin default engine, such performance difference is acceptable.
However, there might still be a way to further accelerate the protocol
implementation – merge and concatenation _read_xxxxxx methods within one
single file.read(), such that we shall decrease the overall number of IO
calls and reduce the duplicated struct.unpack() calls, etc. I am not yet
confident about the performance improvement, but this is the most efficient way
to accelerate PyPCAPKit at the moment, inspired from the implementation of
Scapy and DPKT themselves.
Specifically, as the following code from pcapkit.protocols.misc.pcap.Frame.read(),
_tsus = self._read_unpack(4, lilendian=True)
_ilen = self._read_unpack(4, lilendian=True)
_olen = self._read_unpack(4, lilendian=True)
we might be able to rewrite it as
_tsus, _ilen, _olen = self._read_fields(unpack(4, lilendian=True), unpack(4, lilendian=True), unpack(4, lilendian=True))
and the PoC of _read_fields would be something like
def _read_fields(self, *fields: 'Field') -> 'tuple[Any, ...]':
# built template
fmt = ''.join(field.template for field in fields)
len = sum([field.length for field in fields])
# read from buffer & do unpack
buf = self._file.read(fmt)
tmp = struct.unpack(fmt, buf)
# do post-processing based on field-specific implementations
ret = []
for field, val in itertools.chain(fields, tmp):
ret.append(field.post_process(val))
return ret
Logging Integration¶
As PyPCAPKit now has the pcapkit.utilities.logging.logger in place, I’m
expecting to fully extend its functionality in the entire module. Ideas and
contributions are welcomed to integrate the logging system into PyPCAPKit.
New Engines¶
Although PyPCAPKit already has support for some popular PCAP parsing libraries, I’m expecting to extend the list of supported engines furthermore. The candidate engines include:
Implementation for support of new engines would include adding corresponding
handler methods and code blocks into pcapkit.foundation.extraction.Extractor
(see support for Scapy, DPKT, and/or PyShark), as well as, the unified auxiliary
tools located in pcapkit.toolkit.
About¶
PyPCAPKit is an independent open source library, using only
DictDumper as its formatted output dumper.
Note
There is a project called jspcapy works on pcapkit, which is a
command line tool for PCAP extraction.
Unlike popular PCAP file extractors, such as Scapy,
dpkt, PyShark, and etc, pcapkit uses
streaming strategy to read input files. That is to read frame by frame,
decrease occupation on memory, as well as enhance efficiency in some way.
Module Structure¶
In pcapkit, all files can be described as following eight parts.
Interface (
pcapkit.interface)User interface for the
pcapkitlibrary, which standardises and simplifies the usage of this library.Foundation (
pcapkit.foundation)Synthesises file I/O and protocol analysis, coordinates information exchange in all network layers, as well as provides the foundamental functions for
pcapkit.Protocols (
pcapkit.protocols)Collection of all protocol family, with detailed implementation and methods.
Utilities (
pcapkit.utilities)Auxiliary functions and tools for
pcapkit.CoreKit (
pcapkit.corekit)Core utilities for
pcapkitimplementation, mainly for internal data structure and processing.ToolKit (
pcapkit.toolkit)Auxiliary tools for
pcapkitto support the multiple extraction engines with a unified interface.DumpKit (
pcapkit.dumpkit)File output formatters for
pcapkit.Constants (
pcapkit.const)Constant enumerations used in
pcapkitfor protocol family extraction and representation.
Engine Comparison¶
Due to the general overhead of pcapkit, its extraction procedure takes
around 0.0008 seconds per packet, which is already impressive but not enough
comparing to other popular extration engines availbale on the market. Thus
pcapkit introduced alternative extractionengines to accelerate this
procedure. By now pcapkit supports Scapy, DPKT, and PyShark.
Test Environment¶
Operating System |
macOS Monterey |
Processor Name |
Intel Core i7 |
Processor Speed |
2.6 GHz |
Total Number of Cores |
6 |
Memory |
16 GB |
Test Results¶
Engine |
Performance (seconds per packet) |
|---|---|
|
0.00006832083066304525 |
|
0.0002489296595255534 |
|
0.0008274253209431966 |
|
0.039607704480489093 |
Installation¶
Note
pcapkit supports Python versions since 3.6.
Simply run the following to install the current version from PyPI:
pip install pypcapkit
Or install the latest version from the gi repository:
git clone https://github.com/JarryShaw/PyPCAPKit.git
cd pypcapkit
pip install -e .
# and to update at any time
git pull
And since pcapkit supports various extraction engines, and extensive
plug-in functions, you may want to install the optional ones:
# for DPKT only
pip install pypcapkit[DPKT]
# for Scapy only
pip install pypcapkit[Scapy]
# for PyShark only
pip install pypcapkit[PyShark]
# and to install all the optional packages
pip install pypcapkit[all]
# or to do this explicitly
pip install pypcapkit dpkt scapy pyshark
For CLI usage, you will need to install the optional packages:
pip install pypcapkit[cli]
# or explicitly...
pip install pypcapkit emoji
