pcapng.blocks

Module containing the definition of known / supported “blocks” of the pcap-ng format.

Each block is a struct-like object with some fields and possibly a variable amount of “items” (usually options).

They can optionally expose some other properties, used eg. to provide better access to decoded information, …

class pcapng.blocks.Block(raw)

Base class for blocks

schema = []

classmethod from_context(raw, ctx)

class pcapng.blocks.SectionMemberBlock(raw, section)

classmethod from_context(raw, ctx)

pcapng.blocks.register_block(block)

Handy decorator to register a new known block type

class pcapng.blocks.SectionHeader(raw, endianness)

magic_number = 168627466

schema = [('version_major', IntField(size=16, signed=False)), ('version_minor', IntField(size=16, signed=False)), ('section_length', IntField(size=64, signed=True)), ('options', OptionsField([(2, 'shb_hardware', 'string'), (3, 'shb_os', 'string'), (4, 'shb_userappl', 'string')]))]

register_interface(interface)

Helper method to register an interface within this section

add_interface_stats(interface_stats)

Helper method to register interface stats within this section

version

length

class pcapng.blocks.InterfaceDescription(raw, section)

magic_number = 1

schema = [('link_type', IntField(size=16, signed=False)), ('reserved', RawBytes(size=2)), ('snaplen', IntField(size=32, signed=False)), ('options', OptionsField([(2, 'if_name', 'string'), (3, 'if_description', 'string'), (4, 'if_IPv4addr', 'ipv4+mask'), (5, 'if_IPv6addr', 'ipv6+prefix'), (6, 'if_MACaddr', 'macaddr'), (7, 'if_EUIaddr', 'euiaddr'), (8, 'if_speed', 'u64'), (9, 'if_tsresol'), (10, 'if_tzone', 'u32'), (11, 'if_filter', 'string'), (12, 'if_os', 'string'), (13, 'if_fcslen', 'u8'), (14, 'if_tsoffset', 'i64')]))]

timestamp_resolution

statistics

link_type_description

class pcapng.blocks.BlockWithTimestampMixin

Block mixin adding properties to better access timestamps of blocks that provide one.

timestamp

timestamp_resolution

class pcapng.blocks.BlockWithInterfaceMixin

interface

class pcapng.blocks.BasePacketBlock(raw, section)

Base class for the “EnhancedPacket” and “Packet” blocks

class pcapng.blocks.EnhancedPacket(raw, section)

magic_number = 6

schema = [('interface_id', IntField(size=32, signed=False)), ('timestamp_high', IntField(size=32, signed=False)), ('timestamp_low', IntField(size=32, signed=False)), ('packet_payload_info', PacketDataField()), ('options', OptionsField([(2, 'epb_flags'), (3, 'epb_hash'), (4, 'epb_dropcount', 'u64')]))]

captured_len

packet_len

packet_data

class pcapng.blocks.SimplePacket(raw, section)

magic_number = 3

schema = [('packet_simple_payload_info', SimplePacketDataField())]

packet_len

packet_data

class pcapng.blocks.Packet(raw, section)

magic_number = 2

schema = [('interface_id', IntField(size=16, signed=False)), ('drops_count', IntField(size=16, signed=False)), ('timestamp_high', IntField(size=32, signed=False)), ('timestamp_low', IntField(size=32, signed=False)), ('packet_payload_info', PacketDataField()), ('options', OptionsField([(2, 'epb_flags', 'u32'), (3, 'epb_hash')]))]

captured_len

packet_len

packet_data

class pcapng.blocks.NameResolution(raw, section)

magic_number = 4

schema = [('records', ListField(NameResolutionRecordField())), ('options', OptionsField([(2, 'ns_dnsname', 'string'), (3, 'ns_dnsIP4addr', 'ipv4'), (4, 'ns_dnsIP6addr', 'ipv6')]))]

class pcapng.blocks.InterfaceStatistics(raw, section)

magic_number = 5

schema = [('interface_id', IntField(size=32, signed=False)), ('timestamp_high', IntField(size=32, signed=False)), ('timestamp_low', IntField(size=32, signed=False)), ('options', OptionsField([(2, 'isb_starttime', 'u64'), (3, 'isb_endtime', 'u64'), (4, 'isb_ifrecv', 'u64'), (5, 'isb_ifdrop', 'u64'), (6, 'isb_filteraccept', 'u64'), (7, 'isb_osdrop', 'u64'), (8, 'isb_usrdeliv', 'u64')]))]

class pcapng.blocks.UnknownBlock(block_type, data)

Class used to represent an unknown block.

Its block type and raw data will be stored directly with no further processing.