Of course! The rdpcap function from the Scapy library is a fundamental and powerful tool for reading network packet captures. Here's a comprehensive guide covering what it is, how to use it, and common examples.

What is rdpcap?

rdpcap stands for Read Pcap. It's a Scapy function that reads a packet capture file (in formats like .pcap, .pcapng, .cap) and loads its contents into memory as a Scapy PacketList object.

A PacketList is more than just a simple list of packets; it's a rich object that provides:

• Easy iteration: You can loop through the packets.
• Powerful filtering: You can select packets based on their headers (e.g., only TCP packets).
• Statistical analysis: You can get counts, durations, and other statistics.
• Convenient attributes: It has properties like summary(), nsummary(), and sessions().

Basic Usage

First, make sure you have Scapy installed:

pip install scapy

Here is the most basic way to use rdpcap.

Import the function

from scapy.all import rdpcap

Read the pcap file

Provide the path to your .pcap or .pcapng file. The function returns a PacketList.

# Assuming you have a file named 'example.pcap' in the same directory
packets = rdpcap('example.pcap')
# The 'packets' variable is now a PacketList object
print(f"Type of the loaded object: {type(packets)}")
print(f"Number of packets read: {len(packets)}")

Working with the PacketList

Once you have the PacketList, you can start analyzing the packets.

Example 1: Inspecting a Single Packet

You can access packets by their index, just like a Python list.

# Get the first packet in the list
first_packet = packets[0]
# Display a summary of the first packet
print("\n--- First Packet Summary ---")
print(first_packet.summary())
# Access specific layers
# Check if the packet has an IP layer
if first_packet.haslayer('IP'):
    ip_layer = first_packet['IP']
    print(f"\nSource IP: {ip_layer.src}")
    print(f"Destination IP: {ip_layer.dst}")
# Check if the packet has a TCP layer
if first_packet.haslayer('TCP'):
    tcp_layer = first_packet['TCP']
    print(f"\nSource Port: {tcp_layer.sport}")
    print(f"Destination Port: {tcp_layer.dport}")

Example 2: Iterating and Filtering All Packets

This is the most common use case. You loop through the PacketList and apply logic to each packet.

print("\n--- Analyzing All Packets ---")
# Counters
tcp_count = 0
udp_count = 0
icmp_count = 0
for packet in packets:
    # Check the layer and perform actions
    if packet.haslayer('TCP'):
        tcp_count += 1
    elif packet.haslayer('UDP'):
        udp_count += 1
    elif packet.haslayer('ICMP'):
        icmp_count += 1
print(f"Total TCP packets: {tcp_count}")
print(f"Total UDP packets: {udp_count}")
print(f"Total ICMP packets: {icmp_count}")

Example 3: Advanced Filtering with a Lambda Function

Scapy's PacketList objects have a filter method that makes it easy to extract specific packets. This is much more concise than a manual for loop.

# Get all TCP packets where the destination port is 80 (HTTP)
http_packets = packets.filter(lambda p: p.haslayer('TCP') and p['TCP'].dport == 80)
print(f"\n--- Found {len(http_packets)} HTTP packets ---")
# Print a summary of the first 5 HTTP packets
for i, packet in enumerate(http_packets[:5]):
    print(f"HTTP Packet {i+1}: {packet.summary()}")
# You can also use the `lambda` with the `p` object directly
# Get all packets from a specific IP
src_ip = '192.168.1.101' # Example IP
packets_from_ip = packets.filter(lambda p: p.haslayer('IP') and p['IP'].src == src_ip)
print(f"\n--- Found {len(packets_from_ip)} packets from {src_ip} ---")

A Complete, Practical Example

Let's put it all together. Imagine you have a sample.pcap file and you want to find all the unique destination IP addresses that were communicated with.

from scapy.all import rdpcap
# 1. Read the pcap file
try:
    packets = rdpcap('sample.pcap')
except FileNotFoundError:
    print("Error: 'sample.pcap' not found. Please create a sample file or use a valid path.")
    exit()
# 2. Initialize a set to store unique destination IPs
unique_dst_ips = set()
# 3. Iterate through the packets
print("Analyzing packets for unique destination IPs...")
for packet in packets:
    # Check if the packet has an IP layer
    if packet.haslayer('IP'):
        # Get the destination IP and add it to the set
        # Sets automatically handle uniqueness
        dst_ip = packet['IP'].dst
        unique_dst_ips.add(dst_ip)
# 4. Print the results
print("\n--- Unique Destination IP Addresses Found ---")
if unique_dst_ips:
    for ip in sorted(list(unique_dst_ips)):
        print(ip)
else:
    print("No IP packets found in the capture file.")

Key Takeaways and Best Practices

1. Use try...except: Always wrap rdpcap in a try...except block to handle cases where the file doesn't exist or is corrupted.
2. Filter Early, Filter Often: If you're only interested in a small subset of packets (e.g., only HTTP traffic), use the .filter() method immediately after reading the file. This reduces the amount of data you need to process in memory.
3. Leverage the PacketList Object: Don't just treat it as a list. Use its built-in methods like summary(), nsummary() (nicer summary), and sessions() (for reconstructing TCP conversations) to get a quick overview of your capture.
4. Performance: For very large capture files (several gigabytes), loading the entire file into memory with rdpcap can be slow or cause memory issues. In such cases, you might need to use a more specialized tool like PyShark (which uses TShark) or process the file in chunks if possible. For most common-sized files, rdpcap is perfectly efficient.