Parsing Wireshark PCAP files with Python

  • 2021-07-24 11:30:23
  • OfStack

First install the scapy module for Python.

For Python 3, install the scapy-python3 package; installing it with pip works fine. Note that on Python 3 the script cannot be packaged with pyinstaller, while on Python 2 packaging works normally.

Installing scapy on Python 2 is more troublesome.


from scapy.all import *
pcaps = rdpcap("file.pcap")   # read the whole capture into memory

pcaps is the parsed result, a scapy PacketList that can be indexed and filtered like a list.


packet = pcaps[0]        # structure of the first packet

packet.time              # packet timestamp

packet[Raw].load         # Python 3: read a layer's data by class; likewise packet[IP].src, packet[IP].dst

packet['Raw'].load       # Python 2: read a layer by name; this should work on Python 3 as well

# The predicate is kept as a string here (named flt, since "lambda" itself is a reserved word and cannot be a variable name).
flt = "lambda pcap: IP in pcap and UDP in pcap and pcap[IP].src == '192.168.1.1' and pcap[UDP].sport == 80"

results = pcaps.filter(eval(flt))  # filter() takes a callable; you can also write the lambda directly instead of using eval. The filtered packets are returned as a new PacketList.

Parsing packets in Python uses a great deal of memory, so it is recommended to pre-filter the capture once with the tshark command line before processing it in Python.


import os, subprocess

proto = Node['proto'].lower()   # Node: dict with proto, src, dst, sport, dport (defined elsewhere); note ".port" matches either direction
cmd_filter = "%s && ip.src==%s && ip.dst==%s && %s.srcport==%s && %s.port==%s" % \
    (proto, Node['src'], Node['dst'], proto, Node['sport'], proto, Node['dport'])

# Argument list instead of a shell string: run() waits like "start /WAIT", and filter values taken from Node cannot inject shell commands.
# os.path.join avoids "\t" in "%s\tshark" being read as a tab; newer tshark versions require "-2" together with -R (or use -Y).
subprocess.run([os.path.join(Wireshark_path, "tshark"), "-r", pcap_filename, "-R", cmd_filter, "-w", Temp_pcap_File], check=True)

Then process the much smaller Temp_pcap_File with scapy as shown above.
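As an added example (not from the original post), here is a standard-library reader that applies the same predicate as the scapy lambda above (IPv4/UDP, source address, source port) but streams one pcap record at a time, so it does not hold the whole capture in memory the way rdpcap does. The names build_pcap, iter_udp and Pkt are assumptions of this example, and build_pcap only constructs a small in-memory capture for demonstration.

```python
import socket
import struct
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src dst sport dport payload")

def build_pcap(packets):
    """Constructed test data: write a little-endian pcap (Ethernet link type) of UDP packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, src, dst, sport, dport, payload in packets:
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def iter_udp(pcap_bytes, src=None, sport=None):
    """Yield IPv4/UDP packets matching src address / source port (the page's
    lambda predicate), one record at a time instead of loading everything."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                     # truncated, not IPv4, or not UDP
        ip_src, ip_dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        udp = frame[14 + (frame[14] & 0x0F) * 4:]        # skip IP header (IHL in 32-bit words)
        if len(udp) < 8:
            continue                                     # truncated UDP header
        sp, dp, ulen, _ = struct.unpack("!HHHH", udp[:8])
        if (src is not None and ip_src != src) or (sport is not None and sp != sport):
            continue
        yield Pkt(ts_sec + ts_usec / 1e6, ip_src, ip_dst, sp, dp, udp[8:ulen])

# Constructed sample capture: two packets match the page's filter (src 192.168.1.1, sport 80).
SAMPLE = build_pcap([(1, "192.168.1.1", "10.0.0.5", 80, 5353, b"hello"),
                     (2, "192.168.1.2", "10.0.0.5", 80, 5353, b"nope"),
                     (3, "192.168.1.1", "10.0.0.5", 53, 5353, b"dns"),
                     (4, "192.168.1.1", "10.0.0.6", 80, 9000, b"second")])
```

Calling list(iter_udp(SAMPLE, src="192.168.1.1", sport=80)) returns only the first and last sample packets; on a real file, pass the bytes read from disk (or adapt the loop to read record by record from the file object).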

