Reading PCAP file with scapy

Question

I have about 10GB pcap data with IPv6 traffic to analyze infos stored in IPv6 header and other extension header. To do this I decided to use Scapy framework. I tried rdpcap function , but for such big files it is not recommended. It tries to load all file into memory and get stuck in my case. I found in the Net that in such situation sniff is recommended, my code look like:

def main():
   sniff(offline='traffic.pcap', prn=my_method,store=0)


def my_method(packet):
   packet.show()

In function called my_method I receive each packet separately and I can parse them, but.... When I call show function with is in-build framework method I got sth like this:

When opened in wireshark I got properly looking packet:

Could you tell me how to parse this packets in scapy to get proper results?

EDIT: According to the discussion in comments I found a way to parse PCAP file with Python. In my opinion the easies way is to use pyshark framework:

import pyshark
pcap = pyshark.FileCapture(pcap_path) ### for reading PCAP file

It is possible to easily iterate read file with for loop

for pkt in pcap:
    #do what you want

For parsing IPv6 header following methods may be useful:

pkt['ipv6'].tclass            #Traffic class field
pkt['ipv6'].tclass_dscp       #Traffic class DSCP field
pkt['ipv6'].tclass_ecn        #Traffic class ECN field
pkt['ipv6'].flow              #Flow label field
pkt['ipv6'].plen              #Payload length field
pkt['ipv6'].nxt               #Next header field
pkt['ipv6'].hlim              #Hop limit field

Answer 1

Update

The latest scapy versions now support ipv6 parsing. So to parse an ipv6 ".pcap" file with scapy now it can be done like so:

from scapy.all import *

scapy_cap = rdpcap('file.pcap')
for packet in scapy_cap:
    print packet[IPv6].src

Now as I had commented back when this question was originally asked, for older scapy versions (that don't support ipv6 parsing):

• pyshark can be used instead (pyshark is a tshark wrapper) like so:

---

import pyshark

shark_cap = pyshark.FileCapture('file.pcap')
for packet in shark_cap:
    print packet.ipv6.src

• or even of course tshark (kind of the terminal version of wireshark):

---

$ tshark -r file.pcap -q -Tfields -e ipv6.src

Answer 2

If you want to keep using scapy and read the file Iteratively I'd recommend you to give it a shot to PcapReader()

It would do the same you tried to do with pyshark but in Scapy

from scapy.all import *

for packet in PcapReader('file.pcap')
    try:
        print(packet[IPv6].src)
    except:
        pass

I'd recommend wrapping this around just as a failsafe if you have any packet that does not have an IPv6 address.