pcap file viewing library in python 3


I'm looking at trying to read pcap files from various CTF events.

Ideally, I would like something that can do the breakdown of information such as wireshark, but just being able to read the timestamp and return the packet as a bytestring of some kind would be welcome.

The problem is that there is little or no python 3 support with all the commonly cited libraries: dpkt, pylibpcap, pcapy, etc.

Does anyone know of a pcap library that works with python 3?


There is 1 answer

David Bellot

To my knowledge, there are at least 2 packages that seem to work with Python 3: pure-pcapfile and dpkt:

  • pure-pcapfile is easy to install in python 3 using pip. It's very easy to use but still limited to decoding Ethernet and IP data. The rest is left to you. But it works right out of the box.
  • dpkt doesn't work right out of the box and needs some manipulation first. They are porting it to Python 3 and plan to have a Python 2 and 3 compatible version for version 2.0. Unfortunately, it's not there yet. However, it is way more complete than pure-pcapfile and can decode many protocols. If your packet embeds several layers of protocols, it will decode them automatically for you. The only problem is that you need to make a few corrections here and there to make it work (at the time of writing this comment).

pure-pcapfile

The only one that I found working for Python 3 so far is pcapfile. You can find it at https://pypi.python.org/pypi/pypcapfile/ or install it by doing pip3 install pypcapfile.

There are just basic functionalities but it works very well for me and has been updated quite recently (at the time of writing this message):

from pcapfile import savefile
file = open('mypcapfile.pcap', 'rb')          # binary mode is required
pcapfile = savefile.load_savefile(file, verbose=True)

If everything goes well, you should see something like this:

[+] attempting to load mypcapfile.pcap
[+] found valid header
[+] loaded 1234 packets
[+] finished loading savefile.

A few remarks now. I'm using Python 3.4.3. And doing import pcapfile will not import anything from it (I'm still a beginner with Python) but only the basic information and functions from the package. Next, you have to explicitly open your file in read binary mode by passing 'rb' as the mode in the open() function. In the documentation they don't say it explicitly.

The rest is like in the documentation:

packet = pcapfile.packets[12]

to access the packet number 12 (the 13th packet then, the first one being at 0). And you have basic functionalities like

packet.timestamp

to get a timestamp or

packet.raw()

to get raw data.

The documentation mentions functions to do packet decoding of some standard formats like Ethernet and IP.

dpkt

dpkt is not available for Python 3, so you need to do the following, assuming you have access to a command line. The code is available on https://github.com/kbandla/dpkt.git and you must download it first:

git clone https://github.com/kbandla/dpkt.git
cd dpkt
git checkout --track origin/migrate_py3
git pull

These 4 commands do the following:

  1. clone (download) the code from its git repository on github
  2. go into the newly created directory named dpkt
  3. switch to the branch named migrate_py3 which contains the Python 3 code. As you can see from the name of this branch, it's still experimental. So far it works for me.
  4. (just in case) download again the code

Then copy the directory named dpkt into your project or wherever Python 3 can find it.

Later on, in Python 3 here is what you have to do to get started:

import dpkt
file = open('mypcapfile.pcap','rb')

will open your file. Don't forget the 'rb' binary mode in Python 3 (same thing as in pure-pcapfile).

pcap = dpkt.pcap.Reader(file)

will read and decode your file.

for ts, buf in pcap:
    eth = dpkt.ethernet.Ethernet(buf)
    print(eth)

will, for example, decode Ethernet packets and print them. Then read the documentation on how to use dpkt. If your packets contain an IP or TCP layer, then dpkt.ethernet.Ethernet(buf) will decode them as well. Also note that in the for loop, we have access to the timestamps in ts.

You may want to iterate over it in a less constrained form, and doing as follows will help:

(ts, buf) = next(pcap)               # one (timestamp, raw bytes) tuple from the Reader
eth = dpkt.ethernet.Ethernet(buf)    # decode the frame (and IP/TCP beneath it, if any)

where the first line gets the next tuple from the pcap file. If pcap is False then you read everything.
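Both libraries in the answer sit on top of the same simple container format, and the question only needs the timestamp and the raw packet bytes, so it is worth seeing what that format actually looks like. The following is an added example, not code from the question, the answer, pypcapfile or dpkt: a standard-library-only reader for the pcap savefile format (24-byte global header, then a 16-byte record header plus captured bytes per packet) with a small Ethernet II / IPv4 header decoder. It goes a little beyond the page by handling both byte orders and the nanosecond-timestamp magic, and by refusing truncated records instead of silently yielding a short packet, which matters when the capture comes from an untrusted source. Every name here (iter_pcap, decode_ethernet, summarize, is_valid_pcap, build_sample_pcap) and the two-packet capture it builds in memory are constructed for this example.

```python
import struct
from typing import Dict, Iterator, List, Tuple

MAGIC_USEC = 0xA1B2C3D4   # timestamps are seconds + microseconds
MAGIC_NSEC = 0xA1B23C4D   # timestamps are seconds + nanoseconds
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def iter_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp_seconds, packet_bytes) for each record of a pcap savefile.

    The byte order is inferred from the magic number. A record whose captured
    bytes run past the end of the file raises ValueError instead of being
    returned short, so a truncated or tampered capture is not silently accepted.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    endian = None
    for candidate in ("<", ">"):
        magic = struct.unpack_from(candidate + "I", data, 0)[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            endian = candidate
            break
    if endian is None:
        raise ValueError("not a pcap savefile: bad magic")
    frac_divisor = 1e9 if magic == MAGIC_NSEC else 1e6
    # remaining header fields: major, minor, thiszone, sigfigs, snaplen, linktype
    _maj, _min, _tz, _sig, _snaplen, _linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated packet header at offset %d" % offset)
        ts_sec, ts_frac, caplen, _origlen = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + caplen > len(data):
            raise ValueError("truncated packet data at offset %d" % (offset - 16))
        yield ts_sec + ts_frac / frac_divisor, data[offset:offset + caplen]
        offset += caplen


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def decode_ethernet(pkt: bytes) -> Dict[str, object]:
    """Decode the Ethernet II header and, when the payload is IPv4, its fixed header."""
    if len(pkt) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack_from("!6s6sH", pkt, 0)
    frame = {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype, "ipv4": None}
    if ethertype == ETHERTYPE_IPV4 and len(pkt) >= 34:
        ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, saddr, daddr = \
            struct.unpack_from("!BBHHHBBH4s4s", pkt, 14)
        if ver_ihl >> 4 == 4 and (ver_ihl & 0x0F) >= 5:   # version 4, sane header length
            frame["ipv4"] = {"src": ".".join(str(b) for b in saddr),
                             "dst": ".".join(str(b) for b in daddr),
                             "proto": proto, "ttl": ttl, "total_len": total_len}
    return frame


def summarize(data: bytes) -> List[Dict[str, object]]:
    """One row per packet: timestamp, captured length, ethertype and IPv4 endpoints."""
    rows = []
    for ts, pkt in iter_pcap(data):
        ip = decode_ethernet(pkt)["ipv4"]
        rows.append({"ts": ts, "len": len(pkt), "ethertype": decode_ethernet(pkt)["ethertype"],
                     "src": ip["src"] if ip else None, "dst": ip["dst"] if ip else None,
                     "proto": ip["proto"] if ip else None})
    return rows


def is_valid_pcap(data: bytes) -> bool:
    """Cheap pre-check for a capture received from elsewhere: every record must be complete."""
    try:
        for _ in iter_pcap(data):
            pass
    except ValueError:
        return False
    return True


def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed two-packet capture (not from any real trace): one IPv4/UDP frame, one ARP frame."""
    payload = b"constructed-sample-payload"
    udp = struct.pack("!HHHH", 4444, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    ipv4_frame = bytes.fromhex("aabbccddeeff001122334455") + struct.pack("!H", ETHERTYPE_IPV4) + ip
    arp_frame = bytes.fromhex("ffffffffffff001122334455") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
    out = bytearray(struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1))
    for ts_sec, ts_usec, frame in ((1700000000, 250000, ipv4_frame), (1700000001, 0, arp_frame)):
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    for row in summarize(build_sample_pcap()):
        print(row)
```

To use it on a real file, pass open('mypcapfile.pcap', 'rb').read() to summarize() or iter_pcap(); the decoder assumes link type 1 (Ethernet), which is what both pypcapfile and dpkt's Ethernet class expect too. Note that this reads the classic pcap format only, not the newer pcapng container that Wireshark writes by default.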