I'm looking at trying to read pcap files from various CTF events.
Ideally, I would like something that can do the breakdown of information such as wireshark, but just being able to read the timestamp and return the packet as a bytestring of some kind would be welcome.
The problem is that there is little or no python 3 support with all the commonly cited libraries: dpkt, pylibpcap, pcapy, etc.
Does anyone know of a pcap library that works with python 3?
To my knowledge, there are at least 2 packages that seem to work with Python 3: pure-pcapfile and dpkt.

pure-pcapfile is easy to install in Python 3 using pip. It's very easy to use but still limited to decoding Ethernet and IP data. The rest is left to you. But it works right out of the box.

dpkt doesn't work right out of the box and needs some manipulation before. They are porting it to Python 3 and plan to have a Python 2 and 3 compatible version for version 2.0. Unfortunately, it's not there yet. However, it is way more complete than pure-pcapfile and can decode many protocols. If your packet embeds several layers of protocols, it will decode them automatically for you. The only problem is that you need to make a few corrections here and there to make it work (at the time of writing this comment).

pure-pcapfile
The only one that I found working for Python 3 so far is pcapfile. You can find it at https://pypi.python.org/pypi/pypcapfile/ or install it by doing

pip3 install pypcapfile

There are just basic functionalities but it works very well for me and has been updated quite recently (at the time of writing this message):

If everything goes well, you should see something like this:

A few remarks now. I'm using Python 3.4.3. And doing

import pcapfile

will not import anything from it (I'm still a beginner with Python) but only the basic information and functions from the package. Next, you have to explicitly open your file in read binary mode by passing 'rb' as the mode in the open() function. In the documentation they don't say it explicitly. The rest is like in the documentation:

to access packet number 12 (the 13th packet then, the first one being at 0). And you have basic functionalities like

to get a timestamp or

to get raw data.

The documentation mentions functions to do packet decoding of some standard formats like Ethernet and IP.
dpkt

dpkt is not available for Python 3 so you need to do the following, assuming you have access to a command line. The code is available on https://github.com/kbandla/dpkt.git and you must download it before:

These 4 commands do the following:

dpkt

migrate_py3

which contains the Python 3 code. As you can see from the name of this branch, it's still experimental. So far it works for me. Then copy the directory named dpkt in your project or wherever Python 3 can find it.

Later on, in Python 3 here is what you have to do to get started:

will open your file. Don't forget the 'rb' binary mode in Python 3 (same thing as in pure-pcapfile).

will read and decode your file

will, for example, decode Ethernet packets and print them. Then read the documentation on how to use dpkt. If your packets contain IP or TCP layers, then dpkt.ethernet.Ethernet(buf) will decode them as well. Also note that in the for loop, we have access to the timestamps in ts.

You may want to iterate it in a less constrained form and doing as follows will help:

where the first line gets the next tuple from the pcap file. If pcap is False then you read everything.
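Added example, not code from the answer above and not taken from pypcapfile or dpkt: the classic libpcap file format is simple enough that the "timestamp plus raw bytes" access the question asks for needs only the standard library. The reader below handles both byte orders and the nanosecond magic variants, refuses records that overrun the declared snaplen or the end of the file (a CTF pcap is untrusted input), and adds a length-checked Ethernet/IPv4 decode so a frame cut short by the snaplen gives None instead of a crash. The two-record capture it builds, the addresses in it and all function names are constructed for this example.

```python
"""Stdlib-only reader for the classic libpcap file format (added example;
not pypcapfile or dpkt code). The sample capture at the bottom is constructed."""
import struct
from typing import List, NamedTuple, Optional, Tuple

# Magic as read with "<I" from the first four bytes: it fixes the byte order
# of every later header and whether the second timestamp word is us or ns.
PCAP_MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}
GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
MAX_SNAPLEN = 262_144    # libpcap's MAXIMUM_SNAPLEN, used when a file stores 0
LINKTYPE_ETHERNET = 1


class Packet(NamedTuple):
    timestamp: float   # seconds since the Unix epoch, fraction from ts_frac
    data: bytes        # captured bytes; shorter than wire_len if snaplen cut it
    wire_len: int      # original length on the wire (orig_len)


def parse_pcap(blob: bytes) -> Tuple[int, List[Packet]]:
    """Return (linktype, packets); raise ValueError on a malformed file."""
    if len(blob) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError(f"magic {magic:#x} is not classic pcap (pcapng differs)")
    endian, ticks_per_second = PCAP_MAGIC[magic]
    _, _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", blob[:GLOBAL_HEADER_LEN])
    limit = snaplen or MAX_SNAPLEN
    packets: List[Packet] = []
    off = GLOBAL_HEADER_LEN
    while off < len(blob):
        if off + RECORD_HEADER_LEN > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", blob[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        # Validate the claimed length before slicing: a hostile file can
        # declare a multi-gigabyte record, and a CTF pcap is untrusted input.
        if incl_len > limit or incl_len > orig_len:
            raise ValueError(f"record at offset {off - RECORD_HEADER_LEN} claims "
                             f"{incl_len} bytes (snaplen {limit}, wire {orig_len})")
        if off + incl_len > len(blob):
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append(Packet(ts_sec + ts_frac / ticks_per_second,
                              blob[off:off + incl_len], orig_len))
        off += incl_len
    return linktype, packets


def check_pcap(blob: bytes) -> Optional[str]:
    """Return None if blob parses cleanly, else the parser's error message."""
    try:
        parse_pcap(blob)
        return None
    except ValueError as exc:
        return str(exc)


def decode_ethernet_ipv4(frame: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src_ip, dst_ip, ip_protocol, ip_payload) for an Ethernet II frame
    carrying IPv4, or None if it is something else or was cut short by snaplen."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[9], ip[ihl:total_len]   # slice drops Ethernet padding


def build_sample_pcap(endian: str = "<", nanoseconds: bool = False) -> bytes:
    """Constructed capture: a UDP datagram 10.0.0.1:1234 -> 10.0.0.2:53 carrying
    b"flag", then the same frame cut to 20 bytes as a small snaplen would do."""
    magic = 0xA1B23C4D if nanoseconds else 0xA1B2C3D4
    ticks = 1_000_000_000 if nanoseconds else 1_000_000
    header = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    udp = struct.pack("!HHHH", 1234, 53, 8 + 4, 0) + b"flag"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + ipv4 + udp
    rec1 = struct.pack(endian + "IIII", 1700000000, ticks // 2, len(frame), len(frame)) + frame
    rec2 = struct.pack(endian + "IIII", 1700000001, 0, 20, len(frame)) + frame[:20]
    return header + rec1 + rec2


if __name__ == "__main__":
    import sys
    # Real files must be opened in binary mode ('rb'), as the answer stresses.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    linktype, packets = parse_pcap(blob)
    for i, pkt in enumerate(packets):
        layers = decode_ethernet_ipv4(pkt.data) if linktype == LINKTYPE_ETHERNET else None
        print(i, f"{pkt.timestamp:.6f}", len(pkt.data), pkt.wire_len, layers)
```

Run it with a path to a capture to list every record as (index, timestamp, captured length, wire length, decoded IPv4 tuple); with no argument it parses its own constructed sample. The parser stops at the first inconsistency on purpose: for CTF work it is better to learn that a file is pcapng, big-endian or truncated than to silently decode garbage.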