
I've searched in several places, but I didn't find a simple answer to this question - I have a .pcap file, generated using Wireshark, with several packets in it, and I wish to extract from each packet its TCP-Timestamp (TSval). I've managed to open each packet using scapy

from scapy.all import rdpcap

packets = rdpcap('pcap_file.pcap')
for packet in packets:
    print(packet.payload.id)  # payload of the Ethernet frame is the IP layer; prints its IP id

but I can't find the TSval of the packet (even though I can see the TSval field in the packet when I open it with Wireshark as shown in the picture below).


1 Answer

Packets can be accessed like dictionaries whose keys are protocols and values are payloads. For instance you can print the TCP payload in a packet like this:

from scapy.all import TCP

if TCP in packet:
    packet[TCP].show()

Now to get the TSval of the payload you have to look in TCP options. Each TCP option is encoded by scapy as a couple (option name, option value). For the timestamp option, the option value is itself a couple (TSval, TSecr). So you can basically get what you want doing the following:

from scapy.all import TCP, rdpcap

packets = rdpcap('packets.pcapng')
for packet in packets:
    if TCP in packet:  #  ignore packets without TCP payload
        for opt, val in packet[TCP].options:  #  consider all TCP options
            if opt == 'Timestamp':
                TSval, TSecr = val  #  decode the value of the option
                print('TSval =', TSval)

1 Comment

They're not really dictionaries, they just partially act as such
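The (option name, option value) list the answer describes is scapy's decoding of the raw TCP options field (RFC 793 kind/length/data encoding; the Timestamp option is kind 8, length 10, carrying two 32-bit values TSval and TSecr). The following is an added example, not code from the question or the answer: a dependency-free parser that decodes a TCP options field into the same (name, value) shape scapy exposes as packet[TCP].options, plus a helper that pulls (TSval, TSecr) out of a raw TCP segment. The sample option bytes and the segment builder are constructed here for illustration; only the option kinds named in the comments are decoded, and malformed lengths raise an error instead of being silently skipped.

```python
import struct

# TCP option kinds (RFC 793; Timestamp is defined in RFC 7323)
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2
TCPOPT_TIMESTAMP = 8

# Names used for kinds we recognise; anything else is reported by its kind number.
OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SAckOK", 5: "SAck", 8: "Timestamp"}


def parse_tcp_options(raw):
    """Decode a TCP options field into a list of (name, value) pairs,
    the same shape scapy exposes as packet[TCP].options."""
    options = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCPOPT_EOL:            # end of option list; remainder is padding
            options.append(("EOL", None))
            break
        if kind == TCPOPT_NOP:            # single-byte option, no length field
            options.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]               # length covers kind and length bytes too
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        data = raw[i + 2:i + length]
        if kind == TCPOPT_TIMESTAMP:
            if length != 10:
                raise ValueError("Timestamp option must be 10 bytes, got %d" % length)
            tsval, tsecr = struct.unpack("!II", data)   # two big-endian uint32
            options.append(("Timestamp", (tsval, tsecr)))
        elif kind == TCPOPT_MSS and length == 4:
            options.append(("MSS", struct.unpack("!H", data)[0]))
        else:
            options.append((OPTION_NAMES.get(kind, kind), data))
        i += length
    return options


def tsval_from_segment(segment):
    """Return (TSval, TSecr) from a raw TCP segment (header + payload),
    or None when the segment carries no Timestamp option."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the fixed 20-byte TCP header")
    data_offset = (segment[12] >> 4) * 4  # header length in bytes, from the top nibble
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset %d" % data_offset)
    for name, value in parse_tcp_options(segment[20:data_offset]):
        if name == "Timestamp":
            return value
    return None


def is_malformed(raw):
    """True when the options field cannot be decoded consistently."""
    try:
        parse_tcp_options(raw)
        return False
    except ValueError:
        return True


def build_segment(options, payload=b"payload"):
    """Constructed sample: wrap an options field in a TCP header with arbitrary
    port/seq/ack values so the parser can be exercised without a pcap file."""
    padded = options + b"\x00" * (-len(options) % 4)   # options are padded to 4 bytes
    data_offset = (20 + len(padded)) // 4
    header = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0,
                         data_offset << 4, 0x10, 65535, 0, 0)
    return header + padded + payload


# Constructed sample option fields: NOP, NOP, Timestamp(TSval, TSecr) as Linux emits,
# and an MSS-only field with no timestamp at all.
SAMPLE_TS_OPTIONS = b"\x01\x01" + struct.pack("!BBII", TCPOPT_TIMESTAMP, 10, 123456789, 987654321)
SAMPLE_MSS_OPTIONS = struct.pack("!BBH", TCPOPT_MSS, 4, 1460)

if __name__ == "__main__":
    print(parse_tcp_options(SAMPLE_TS_OPTIONS))
    print(tsval_from_segment(build_segment(SAMPLE_TS_OPTIONS)))
    print(tsval_from_segment(build_segment(SAMPLE_MSS_OPTIONS)))
```

The parser stops at EOL and refuses options whose declared length runs past the field, which is exactly the case the scapy loop in the answer never has to think about because scapy has already done the decoding; when you are reading bytes yourself (for example from a capture tool that hands you raw segments), that check is what keeps a truncated or crafted options field from being misread as a valid timestamp.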
