# PCAP Flow Analyzer

This Python script analyzes PCAP files and aggregates network flows based on source IP, destination IP, destination port, and protocol. It combines the speed of Scapy with the accuracy of PyShark for unknown packets to ensure all protocols are detected.
## Features

- Reads large PCAP files efficiently.
- Detects common protocols with Scapy.
- Uses PyShark to identify unknown protocols.
- Aggregates flows by (src IP, dst IP, dst port, protocol).
- Outputs a CSV report with total bytes and packet counts.
- Source ports are not part of the flow key; only destination ports are considered.
## Requirements

- Python 3.x
- Scapy:

  ```
  pip install scapy
  ```

- Optional: PyShark (for advanced protocol detection):

  ```
  pip install pyshark
  ```

- Wireshark/Tshark installed if using PyShark.
## Usage

1. Place your PCAP file in the same folder as the script.
2. Edit the script to set your input PCAP file and output CSV name:

   ```
   pcap_file = "yourfile.pcap"
   out_csv = "report.csv"
   ```

3. Run the script:

   ```
   python analyze.py
   ```

The output CSV will contain the following columns:

```
A_ID B_ID Port_B Protocol Total_Bytes Packet_Count
```

- A_ID: Source IP or MAC
- B_ID: Destination IP or MAC
- Port_B: Destination port
- Protocol: Detected protocol
- Total_Bytes: Total bytes for this flow
- Packet_Count: Number of packets for this flow
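To show what the flow aggregation above does on real bytes, here is an added example that is not the project's `analyze.py`. It uses only the Python standard library (no Scapy or PyShark), reads a classic little-endian libpcap file, decodes Ethernet/IPv4 frames carrying TCP or UDP, and groups them by the same key (src IP, dst IP, dst port, protocol) into the same CSV columns. The port-to-name table, the `UNKNOWN` label (standing in for where the project would fall back to PyShark), and the embedded sample capture are all assumptions constructed for this example.

```python
"""Minimal flow aggregator (added example; not the project's analyze.py)."""
import csv
import io
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4        # classic pcap, little-endian, microsecond timestamps
ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
# Tiny port-to-protocol table (assumption; the real script uses Scapy/PyShark dissection).
PORT_NAMES = {53: "DNS", 80: "HTTP", 123: "NTP", 443: "HTTPS"}


def classify(proto_num, dport):
    """Map an IP protocol number plus destination port to a protocol label."""
    if proto_num == IPPROTO_TCP:
        return PORT_NAMES.get(dport, "TCP")
    if proto_num == IPPROTO_UDP:
        return PORT_NAMES.get(dport, "UDP")
    return "UNKNOWN"  # where the project would hand the packet to PyShark


def iter_packets(data):
    """Yield raw frame bytes from a little-endian classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap files are handled here")
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, pos)
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def parse_frame(frame):
    """Return (src_ip, dst_ip, dport, proto_num, length) or None if not IPv4."""
    if len(frame) < 34:
        return None
    eth_type, = struct.unpack_from("!H", frame, 12)
    if eth_type != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto_num = frame[23]                 # IPv4 "protocol" field
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    dport = 0
    if proto_num in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
        dport, = struct.unpack_from("!H", frame, l4 + 2)  # dst port is the 2nd L4 field
    return src, dst, dport, proto_num, len(frame)


def aggregate(pcap_bytes):
    """Return {(A_ID, B_ID, Port_B, Protocol): [Total_Bytes, Packet_Count]}."""
    flows = defaultdict(lambda: [0, 0])
    for frame in iter_packets(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, proto_num, length = parsed
        key = (src, dst, dport, classify(proto_num, dport))  # source port deliberately excluded
        flows[key][0] += length
        flows[key][1] += 1
    return dict(flows)


def to_csv(flows):
    """Render the flow table with the README's column names."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["A_ID", "B_ID", "Port_B", "Protocol", "Total_Bytes", "Packet_Count"])
    for (a, b, port, proto), (nbytes, count) in sorted(flows.items()):
        writer.writerow([a, b, port, proto, nbytes, count])
    return buf.getvalue()


# --- constructed sample capture (documentation addresses, not a real trace) ---
def _frame(src, dst, proto_num, dport, payload_len):
    """Build an Ethernet/IPv4/{TCP,UDP} frame with a zero-filled payload."""
    if proto_num == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 1, 0, 64,
                     proto_num, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4 + bytes(payload_len)


def _pcap(frames):
    """Wrap frames in a little-endian classic pcap container (linktype 1 = Ethernet)."""
    head = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = _pcap([
    _frame("192.0.2.10", "198.51.100.20", IPPROTO_TCP, 443, 100),   # 154 bytes
    _frame("192.0.2.10", "198.51.100.20", IPPROTO_TCP, 443, 50),    # 104 bytes, same flow
    _frame("192.0.2.10", "198.51.100.53", IPPROTO_UDP, 53, 30),     # 72 bytes
])

if __name__ == "__main__":
    print(to_csv(aggregate(SAMPLE_PCAP)))
```

Pointing `aggregate()` at the bytes of a real capture (`open("yourfile.pcap", "rb").read()`) gives the same table for that file, as long as it is a classic little-endian pcap rather than pcapng. Because the source port is left out of the key, the two HTTPS packets above land in one flow row with 258 bytes and a packet count of 2, which is exactly the grouping the CSV columns describe.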
## Notes

- Large PCAP files may take several minutes if many packets require PyShark processing.
- Only flows with meaningful protocols are included; padding and NTP header packets are ignored.