
cap2netflow.py convert pcap into netflow like output v. 1.2

Jan 23rd, 2012
  1. #!/usr/bin/python -tt
  2.  
  3. from scapy.all import *
  4.  
  5. import sys
  6.  
  7. from datetime import datetime
  8.  
  9. '''Parse PCAP files into easy to read NETFLOW like output\n
  10.  
  11.   Usage:\n
  12.  
  13.   python cap2netflow.py <[ pcap filename or -l ]>\n
  14.  
  15.   -l is live capture switch\n
  16.  
  17.    ICMP packets print as source ip, type --> dest ip, code''   
  18.  
  19.  
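def parse_netflow(pkt):
    """Print one NetFlow-like line for *pkt*; silently skip anything else.

    Only TCP, UDP and ICMP carried over IPv4 produce output. The line has
    the columns: HH:MM:SS, protocol, source IP, source port (ICMP: type),
    '-->', destination IP, destination port (ICMP: code).

    Args:
        pkt: a scapy packet as yielded by rdpcap() or handed in by sniff().

    Returns:
        None. The formatted line is written to stdout.
    """
    # IPv6 and non-IP frames are skipped.
    if not pkt.haslayer(IP):
        return
    ip = pkt.getlayer(IP)

    # IANA protocol numbers -> scapy layer names (getlayer accepts a name).
    proto = {6: 'TCP', 17: 'UDP', 1: 'ICMP'}.get(ip.proto)
    if proto is None:
        return

    # pkt.time is a Decimal in recent scapy releases; float() keeps
    # fromtimestamp() working with both old and new versions.
    snifftime = datetime.fromtimestamp(float(pkt.time)).strftime('%H:%M:%S')

    # A capture file is untrusted input: the IP header may announce
    # TCP/UDP/ICMP while the payload is truncated or a non-first fragment.
    # Then the layer is missing, and the packet is skipped instead of
    # letting an AttributeError on None abort the whole run.
    layer = pkt.getlayer(proto)
    if layer is None:
        return

    if proto == 'ICMP':
        left = 't: ' + str(layer.type)
        right = 'c: ' + str(layer.code)
    else:
        left = str(layer.sport)
        right = str(layer.dport)

    print(' '.join([
        snifftime,
        proto.rjust(4, ' '),
        str(ip.src).rjust(15, ' '),
        left.rjust(5, ' '),
        '-->',
        str(ip.dst).rjust(15, ' '),
        right.rjust(5, ' '),
    ]))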
  59.  
  60.  
  61.  
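if '-l' in sys.argv:
    # Live capture: sniff() calls parse_netflow() for every frame it sees.
    sniff(prn=parse_netflow)
else:
    # Without -l a pcap path is required; fail with the usage line rather
    # than an IndexError on sys.argv[1].
    if len(sys.argv) < 2:
        sys.exit('Usage: python cap2netflow.py <[ pcap filename or -l ]>')
    pkts = rdpcap(sys.argv[1])
    # An empty capture has no first packet to take the date from.
    if not pkts:
        sys.exit('No packets found in ' + sys.argv[1])
    # pkt.time is a Decimal in recent scapy releases; float() keeps
    # fromtimestamp() working with both old and new versions.
    capture_date = datetime.fromtimestamp(float(pkts[0].time)).strftime('%Y-%m-%d')
    print(' '.join(['Date: ', capture_date]))
    for pkt in pkts:
        parse_netflow(pkt)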