Convert Pcap file to text using python script

I used the code below to convert a pcap file to a text file with the given columns. The code doesn't give any error and it produces an output text file, but the file is empty, without any data. Can you please help me find the error?

import os
from scapy.all import *

data = "Emotet-infection-with-Gootkit.pcap"
a = rdpcap(data)
# The two tshark commands as posted in the question
os.system("tshark  -T fields -e _ws.col.Info -e http -e frame.time -e  "
          "data.data -w Emotet-infection-with-Gootkit.pcap > Emotet-infection-with-Gootkit.txt -c 1000")
os.system("tshark -r Emotet-infection-with-Gootkit.pcap -Y http -w Emotet-infection-with-Gootkit.pcap")
sessions = a.sessions()
i = 1
for session in sessions:
    http_payload = ""


Solution 1:[1]

tshark -F k12text -r a.pcap -w a.txt

"K12 text format" is a text packet capture format; it's what some Tektronix equipment can write out - in that sense, it's similar to writing out the raw hex data, plus some metadata. However, from a user-interface sense, it's more like "Save As..." in Wireshark, because it's a capture file format. I guess this should work for you

Solution 2:[2]

The two tshark commands you're running are:

tshark -T fields -e _ws.col.Info -e http -e frame.time -e data.data -w Emotet-infection-with-Gootkit.pcap > Emotet-infection-with-Gootkit.txt -c 1000

That command will do a live capture from the default interface, write 1000 captured packets to a capture file named Emotet-infection-with-Gootkit.pcap (probably pcapng, not pcap, as pcapng has been Wireshark's default capture format for many years now), and write the Info column, the word "http" for HTTP packets and nothing for non-HTTP packets, the time stamp, and any otherwise not dissected data out to Emotet-infection-with-Gootkit.txt as text.

tshark -r Emotet-infection-with-Gootkit.pcap -Y http -w Emotet-infection-with-Gootkit.pcap

That will read the Emotet-infection-with-Gootkit.pcap capture file and write out the HTTP packets in it to the same file. This is not recommended, because if you're reading from a file and writing to the same file in a given TShark command, you will write to the file as you're reading from it. This may or may not work.

If you want to extract the HTTP packets to a file, I'd suggest writing to a different file, e.g.:

tshark -r Emotet-infection-with-Gootkit.pcap -Y http -w Emotet-infection-with-Gootkit-http-packets.pcap

So your first command does a live capture, writes the packets to a pcapng file, and writes the fields in question to a text file, and your second command overwrites the capture file you wrote in the first command.

The first command should produce text - are you saying that the Emotet-infection-with-Gootkit.txt file is empty?
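As an added example (not code from either answer or from the question), here is the corrected workflow Solution 2 describes, written in Python: read the existing capture with -r instead of live-capturing, print the requested fields as tab-separated text, and write the filtered HTTP packets to a different capture file. It uses subprocess instead of os.system and shell redirection; the field names are the ones from the question, and the unfinished scapy session loop is left out.

```python
import shutil
import subprocess
from pathlib import Path

# Field list from the question; "_ws.col.Info" is the Info column, "http" is
# printed for HTTP packets and is empty otherwise, "data.data" is undissected data.
FIELDS = ["_ws.col.Info", "http", "frame.time", "data.data"]


def fields_command(pcap, fields=FIELDS, display_filter=None, max_packets=None):
    """Build a tshark argv that reads `pcap` (-r, not a live capture) and prints
    one tab-separated line per packet with a header row."""
    argv = ["tshark", "-r", str(pcap), "-T", "fields",
            "-E", "header=y", "-E", "separator=/t"]
    for field in fields:
        argv += ["-e", field]
    if display_filter:
        argv += ["-Y", display_filter]
    if max_packets is not None:
        argv += ["-c", str(max_packets)]
    return argv


def extract_command(pcap, out_pcap, display_filter="http"):
    """Build a tshark argv that writes the packets matching `display_filter` to a
    separate capture file; refuses to read and write the same file."""
    if Path(pcap).resolve() == Path(out_pcap).resolve():
        raise ValueError("output capture must differ from the input capture")
    return ["tshark", "-r", str(pcap), "-Y", display_filter, "-w", str(out_pcap)]


def run_to_file(argv, out_path):
    """Run tshark, save its stdout to out_path, return the number of lines written."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    Path(out_path).write_text(result.stdout)
    return result.stdout.count("\n")


if __name__ == "__main__":
    pcap = "Emotet-infection-with-Gootkit.pcap"  # file name from the question
    lines = run_to_file(fields_command(pcap, display_filter="http", max_packets=1000),
                        "Emotet-infection-with-Gootkit.txt")
    print(f"wrote {lines} lines of field output")
    subprocess.run(extract_command(pcap, "Emotet-infection-with-Gootkit-http-packets.pcap"),
                   check=True)
```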

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: chinmay karnad
Solution 2: user16139739