User Interface

pcapkit.interface defines several user-oriented interfaces, variables, and etc. These interfaces are designed to help and simplify the usage of pcapkit.

PCAP Extration

pcapkit.interface.extract(fin=None, fout=None, format=None, auto=True, extension=True, store=True, files=False, nofile=False, verbose=False, engine=None, layer=None, protocol=None, ip=False, ipv4=False, ipv6=False, tcp=False, strict=True, trace=False, trace_fout=None, trace_format=None, trace_byteorder='little', trace_nanosecond=False)[source]

Extract a PCAP file.

Parameters

  • fin (Optiona[str]) – file name to be read; if file not exist, raise FileNotFound

  • fout (Optiona[str]) – file name to be written

  • format (Optional[Literal['plist', 'json', 'tree']]) – file format of output

  • auto (bool) – if automatically run till EOF

  • extension (bool) – if check and append extensions to output file

  • store (bool) – if store extracted packet info

  • files (bool) – if split each frame into different files

  • nofile (bool) – if no output file is to be dumped

  • verbose (bool) – if print verbose output information

  • engine (Optional[Literal['default', 'pcapkit', 'dpkt', 'scapy', 'pyshark', 'server', 'pipeline']]) – extraction engine to be used

  • layer (Optional[Literal['Link', 'Internet', 'Transport', 'Application']]) – extract til which layer

  • protocol (Optional[Union[str, Tuple[str], Type[Protocol]]]) – extract til which protocol

  • ip (bool) – if record data for IPv4 & IPv6 reassembly

  • ipv4 (bool) – if perform IPv4 reassembly

  • ipv6 (bool) – if perform IPv6 reassembly

  • tcp (bool) – if perform TCP reassembly

  • strict (bool) – if set strict flag for reassembly

  • trace (bool) – if trace TCP traffic flows

  • trace_fout (Optional[str]) – path name for flow tracer if necessary

  • trace_format (Optional[Literal['plist', 'json', 'tree', 'pcap']]) – output file format of flow tracer

  • trace_byteorder (Literal['little', 'big']) – output file byte order

  • trace_nanosecond (bool) – output nanosecond-resolution file flag

Returns

Extractor – an Extractor object

Application Layer Analysis

pcapkit.interface.analyse(file, length=None)[source]

Analyse application layer packets.

Parameters

  • file (Union[bytes, io.BytesIO]) – packet to be analysed

  • length (Optional[int]) – length of the analysing packet

Returns

an Analysis object

Return type

Analysis

Payload Reassembly

pcapkit.interface.reassemble(protocol, strict=False)[source]

Reassemble fragmented datagrams.

Parameters

  • protocol (Union[str, Type[Protocol]]) –

  • strict (bool) – if return all datagrams (including those not implemented) when submit

Returns

a Reassembly object of corresponding protocol

Return type

Union[IPv4_Reassembly, IPv6_Reassembly, TCP_Reassembly]

Raises

FormatError – If protocol is NOT any of IPv4, IPv6 or TCP.

TCP Flow Tracing

pcapkit.interface.trace(fout=None, format=None, byteorder='little', nanosecond=False)[source]

Trace TCP flows.

Parameters

  • fout (str) – output path

  • format (Optional[str]) – output format

  • byteorder (str) – output file byte order

  • nanosecond (bool) – output nanosecond-resolution file flag

Returns

a TraceFlow object

Return type

TraceFlow

Output File Formats

pcapkit.interface.TREE = 'tree'
pcapkit.interface.JSON = 'json'
pcapkit.interface.PLIST = 'plist'
pcapkit.interface.PCAP = 'pcap'

Layer Thresholds

pcapkit.interface.RAW = 'None'
pcapkit.interface.INET = 'Internet'
pcapkit.interface.TRANS = 'Transport'
pcapkit.interface.APP = 'Application'

Extration Engines

pcapkit.interface.DPKT = 'dpkt'
pcapkit.interface.Scapy = 'scapy'
pcapkit.interface.PCAPKit = 'default'
pcapkit.interface.PyShark = 'pyshark'
pcapkit.interface.MPServer = 'server'
pcapkit.interface.MPPipeline = 'pipeline'