Built-in Support

PCAP Tools

pcapkit.toolkit.pcap contains all you need for PCAP file format handling. All functions returns with a flag to indicate if usable for its caller.

pcapkit.toolkit.pcap.ipv4_reassembly(frame)

Make data for IPv4 reassembly.

Parameters:

frame (Frame) – PCAP frame.

Return type:

Packet[IPv4Address] | None

Returns:

Data for IPv4 reassembly.

• If the frame can be used for IPv4 reassembly. A frame can be reassembled if it contains IPv4 layer (IPv4) and the DF (IPv4.flags.df) flag is False.

• If the frame can be reassembled, then the dict mapping of data for IPv4 reassembly (c.f. reasm.ipv4.packet) will be returned; otherwise, returns None.

See also

pcapkit.foundation.reassembly.ipv4.IPv4

pcapkit.toolkit.pcap.ipv6_reassembly(frame)

Make data for IPv6 reassembly.

Parameters:

frame (Frame) – PCAP frame.

Return type:

Packet[IPv6Address] | None

Returns:

A tuple of data for IPv6 reassembly.

• If the frame can be used for IPv6 reassembly. A frame can be reassembled if it contains IPv6 layer (IPv6) and IPv6 Fragment header (RFC 2460#section-4.5, i.e., IPv6_Frag).

• If the frame can be reassembled, then the dict mapping of data for IPv6 reassembly (reasm.ipv6.packet) will be returned; otherwise, returns None.

See also

pcapkit.foundation.reassembly.ipv6.IPv6

pcapkit.toolkit.pcap.tcp_reassembly(frame)

Make data for TCP reassembly.

Parameters:

frame (Frame) – PCAP frame.

Return type:

Packet | None

Returns:

A tuple of data for TCP reassembly.

• If the frame can be used for TCP reassembly. A frame can be reassembled if it contains TCP layer (TCP).

• If the frame can be reassembled, then the dict mapping of data for TCP reassembly (reasm.tcp.packet) will be returned; otherwise, returns None.

See also

pcapkit.foundation.reassembly.tcp.TCP

pcapkit.toolkit.pcap.tcp_traceflow(frame, *, data_link)

Trace packet flow for TCP.

Parameters:

• frame (Frame) – PCAP frame.

• data_link (LinkType) – Data link layer protocol (from global header).

Return type:

Packet | None

Returns:

Data for TCP reassembly.

• If the packet can be used for TCP flow tracing. A frame can be reassembled if it contains TCP layer (TCP).

• If the frame can be reassembled, then the dict mapping of data for TCP flow tracing (trace.tcp.packet) will be returned; otherwise, returns None.

See also

pcapkit.foundation.traceflow.tcp.TCP

PCAP-NG Tools

pcapkit.toolkit.pcapng contains all you need for PCAP-NG file format handling. All functions returns with a flag to indicate if usable for its caller.

pcapkit.toolkit.pcapng.ipv4_reassembly(frame)

Make data for IPv4 reassembly.

Parameters:

frame (PCAPNG) – PCAP-NG frame.

Return type:

Packet[IPv4Address] | None

Returns:

Data for IPv4 reassembly.

• If the frame can be used for IPv4 reassembly. A frame can be reassembled if it contains IPv4 layer (IPv4) and the DF (IPv4.flags.df) flag is False.

• If the frame can be reassembled, then the dict mapping of data for IPv4 reassembly (c.f. reasm.ipv4.packet) will be returned; otherwise, returns None.

See also

pcapkit.foundation.reassembly.ipv4.IPv4

pcapkit.toolkit.pcapng.ipv6_reassembly(frame)

Make data for IPv6 reassembly.

Parameters:

frame (PCAPNG) – PCAP-NG frame.

Return type:

Packet[IPv6Address] | None

Returns:

A tuple of data for IPv6 reassembly.

• If the frame can be used for IPv6 reassembly. A frame can be reassembled if it contains IPv6 layer (IPv6) and IPv6 Fragment header (RFC 2460#section-4.5, i.e., IPv6_Frag).

• If the frame can be reassembled, then the dict mapping of data for IPv6 reassembly (reasm.ipv6.packet) will be returned; otherwise, returns None.

See also

pcapkit.foundation.reassembly.ipv6.IPv6

pcapkit.toolkit.pcapng.tcp_reassembly(frame)

Make data for TCP reassembly.

Parameters:

frame (PCAPNG) – PCAP-NG frame.

Return type:

Packet | None

Returns:

A tuple of data for TCP reassembly.

• If the frame can be used for TCP reassembly. A frame can be reassembled if it contains TCP layer (TCP).

• If the frame can be reassembled, then the dict mapping of data for TCP reassembly (reasm.tcp.packet) will be returned; otherwise, returns None.

See also

pcapkit.foundation.reassembly.tcp.TCP

pcapkit.toolkit.pcapng.tcp_traceflow(frame, *, nanosecond=False)

Trace packet flow for TCP.

Parameters:

• frame (PCAPNG) – PCAP-NG frame.

• nanosecond (bool) – Whether to use nanosecond precision.

Return type:

Packet | None

Returns:

Data for TCP reassembly.

• If the packet can be used for TCP flow tracing. A frame can be reassembled if it contains TCP layer (TCP).

• If the frame can be reassembled, then the dict mapping of data for TCP flow tracing (trace.tcp.packet) will be returned; otherwise, returns None.

See also

pcapkit.foundation.traceflow.tcp.TCP

pcapkit.toolkit.pcapng.block2frame(block, *, nanosecond=False)

Convert PCAP-NG block to PCAP frame.

Parameters:

• block (Union[EnhancedPacketBlock, SimplePacketBlock, PacketBlock]) – PCAP-NG block.

• nanosecond (bool) – Whether to use nanosecond precision.

Return type:

Frame

Returns:

PCAP frame.