# Usage Details

## Usage
The command-line usage of the pcap2csv tool is given below:

```text
usage: pcap2csv [-v] -p PCAPFILE -o OUTDIR [-f METADATAFILE] [-h]

required arguments:
  -p PCAPFILE, --pcapfile PCAPFILE
                        pcap file to convert
  -o OUTDIR, --outdir OUTDIR
                        output directory to save csv files

optional arguments:
  -v, --verbose         increase output stream log level of output
  -f METADATAFILE, --metadatafile METADATAFILE
                        metadata json file with experiment description
  -h, --help            show this help message and exit
```
The library can also be used from Python with the code below:

```python
from pcap2csv.pcap2csv import Pcap2csv

pcapfile = "capture.pcap"       # packet capture to convert
outdir = "csv_out"              # directory where the CSV files are written
metadatafile = "metadata.json"  # JSON file with the experiment description (optional)

csvmaker = Pcap2csv(pcapfile, outdir, metadatafile)
csvmaker.makecsvs()             # writes the per-packet CSV files into outdir
```

Note that the `metadatafile` argument is optional.
## Output CSV Headings Description

pcap2csv pre-processes the packet capture file into a CSV file that stores all the information extracted and calculated for each packet in the capture.
Definitions for each item in the header of the CSV are given below:

| Column | Description |
|---|---|
| `epoch_time` | The epoch time stamp at which the packet was captured. |
| `idx` | Unique index for every packet seen in the capture. |
| `is_raw_pkt` | False if the packet is a reassembled packet. |
| `l2_d_size` | Layer 2 payload size in bytes. |
| `l2_dst_mac` | Destination MAC address of the packet. |
| `l2_src_mac` | Source MAC address of the packet. |
| `l2_vlan_idx` | VLAN id of the packet, if present. |
| `l3_d_size` | Layer 3 payload size in bytes. |
| `l3_dcsp` | Differentiated Services Code Point (DSCP). |
| `l3_defrag_d_size` | Unique index for all packet fragments of the same original packet. |
| `l3_defrag_pkt_idx` | Unique ID for packets after defragmentation. |
| `l3_df` | IP don't fragment flag. |
| `l3_dst_ip` | Destination IP address of the packet. |
| `l3_ecn` | Explicit Congestion Notification (ECN). |
| `l3_flow_lbl` | A unique ID for each flow (one side of a L4 TCP/UDP session). |
| `l3_frag_idx` | IP fragmentation index value. |
| `l3_frag_offset` | IP fragment offset value. |
| `l3_frags_idxs` | An ID shared by fragmented packets that belong to the same original IP packet. |
| `l3_hl` | The length of the header in bytes. |
| `l3_ip_chksm` | IPv4 header checksum field. |
| `l3_ip_opt_dict` | A string representation of the dictionary of IP options. |
| `l3_ip_resvd` | IP reserved bit. |
| `l3_is_defrag` | A boolean, true when the packet is defragmented. |
| `l3_is_frag` | A boolean, true when the packet is a fragment. |
| `l3_len` | Total length header value in bytes. |
| `l3_mf` | IP more fragments flag. |
| `l3_src_ip` | Source IP address of the packet. |
| `l3_ttl` | Time to live value. |
| `l3_type` | Layer 3 type of the packet: 'ipv4' or 'ipv6' only. |
| `l4_ack` | TCP acknowledgement flag value. |
| `l4_ack_num` | TCP acknowledgement number value. |
| `l4_chksm` | Checksum value for TCP packets. |
| `l4_conn_start_seen` | Boolean, true when the first packet in a packet's TCP connection is present in the capture being analysed. |
| `l4_cwr` | Congestion window reduced (CWR) flag. |
| `l4_d_size` | Layer 4 payload size. |
| `l4_dst_port` | Destination layer 4 port number of the packet. |
| `l4_ece` | ECN-Echo bit. |
| `l4_fin` | TCP fin flag value. |
| `l4_from_client` | The packet is determined to be from the client side of its TCP or UDP connection. |
| `l4_is_out_of_order` | 1 if the TCP packet was received out of order, 0 otherwise. |
| `l4_is_retransmission` | 1 if the packet is a TCP retransmission, 0 otherwise. |
| `l4_l4_chksm` | Checksum value for TCP packets. |
| `l4_ns` | ECN-nonce bit. |
| `l4_psh` | TCP push flag value. |
| `l4_rst` | TCP reset flag value. |
| `l4_seq_num` | TCP sequence number value. |
| `l4_sess_idx` | Unique index for packets found to belong to the same TCP or UDP connection. |
| `l4_src_port` | Source layer 4 port number of the packet. |
| `l4_syn` | TCP syn flag value. |
| `l4_tcp_off` | TCP data offset value. |
| `l4_tcp_opts` | A string representation of the dictionary of TCP options. |
| `l4_tcp_resvd` | TCP reserved header field. |
| `l4_type` | Layer 4 type of the packet: 'tcp' or 'udp' only. |
| `l4_urg` | TCP urgent flag value. |
| `l4_urp` | Urgent pointer. |
| `l4_win_size` | TCP window size value. |
| `protocol_data` | Up to the first 10 bytes of Layer 4 payload data. |
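As an added example of consuming the CSV described above (not part of pcap2csv itself), the following Python folds the per-packet rows into one record per `l4_sess_idx`, using `l4_from_client` to label the endpoints and the `l4_is_retransmission`, `l4_is_out_of_order` and `l3_is_frag` columns to flag connections worth a closer look. The sample rows are constructed and cover only a subset of the documented columns; the `True`/`False` and `1`/`0` encodings are assumed from the column descriptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of pcap2csv output using a subset of the documented
# columns; the rows are made up, not taken from a real capture.
SAMPLE_CSV = """\
epoch_time,idx,l3_src_ip,l3_dst_ip,l4_type,l4_src_port,l4_dst_port,l4_sess_idx,l4_from_client,l4_is_retransmission,l4_is_out_of_order,l3_is_frag,l4_d_size
1700000000.000,0,10.0.0.5,10.0.0.9,tcp,51000,443,1,True,0,0,False,0
1700000000.010,1,10.0.0.9,10.0.0.5,tcp,443,51000,1,False,0,0,False,0
1700000000.020,2,10.0.0.5,10.0.0.9,tcp,51000,443,1,True,0,0,False,517
1700000000.250,3,10.0.0.5,10.0.0.9,tcp,51000,443,1,True,1,0,False,517
1700000000.300,4,10.0.0.9,10.0.0.5,tcp,443,51000,1,False,0,1,False,1460
1700000001.000,5,10.0.0.5,10.0.0.7,udp,40000,53,2,True,0,0,True,1480
1700000001.001,6,10.0.0.5,10.0.0.7,udp,40000,53,2,True,0,0,True,120
"""

def _truthy(value):
    # The docs describe some columns as 1/0 and others as booleans; accept both.
    return value.strip().lower() in ("1", "true")

def summarize_sessions(csv_text):
    """Fold the per-packet rows into one record per l4_sess_idx."""
    sessions = defaultdict(lambda: {
        "l4_type": None, "client": None, "server": None, "packets": 0,
        "client_bytes": 0, "server_bytes": 0,
        "retransmissions": 0, "out_of_order": 0, "fragments": 0,
    })
    for row in csv.DictReader(io.StringIO(csv_text)):
        s = sessions[row["l4_sess_idx"]]
        from_client = _truthy(row["l4_from_client"])
        src = (row["l3_src_ip"], row["l4_src_port"])
        dst = (row["l3_dst_ip"], row["l4_dst_port"])
        if s["packets"] == 0:
            # First packet of the session; l4_from_client says which end is the client.
            s["l4_type"] = row["l4_type"]
            s["client"], s["server"] = (src, dst) if from_client else (dst, src)
        s["packets"] += 1
        s["client_bytes" if from_client else "server_bytes"] += int(row["l4_d_size"])
        s["retransmissions"] += _truthy(row["l4_is_retransmission"])
        s["out_of_order"] += _truthy(row["l4_is_out_of_order"])
        s["fragments"] += _truthy(row["l3_is_frag"])
    return dict(sessions)

def noisy_sessions(sessions, max_ratio=0.2):
    """Session ids whose share of retransmitted or out-of-order packets exceeds max_ratio."""
    return sorted(k for k, s in sessions.items()
                  if (s["retransmissions"] + s["out_of_order"]) / s["packets"] > max_ratio)
```

To run it against a real pcap2csv output, read the CSV file into a string and pass it to `summarize_sessions`; the per-session counters of fragments and retransmissions are a convenient starting point for spotting fragmentation-heavy or lossy connections in a capture.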