http://www.oschina.net/p/pypcap
Ethereal is open-source software based on WinPcap. It ships with decoders for many protocols and is simple and easy to use. However, its architecture is not flexible: to add a custom decoder you must modify Ethereal's code and recompile it, which is very cumbersome. For ordinary plain-text protocols this is no problem, but encrypted protocols are different. In online games, for example, a random key is sent when the client connects, and the subsequent packets are encrypted with this key. To crack such a protocol, you must have a programmable packet capture tool.
Libpcap is a good choice, but C is obviously not a wise choice for packet capture work that requires a repeated "test -> modify" cycle.
Python provides several libpcap bindings, and http://monkey.org/~dugsong/pypcap/ is the simplest one. On Windows, you need to install WinPcap first. If you have installed Ethereal, it is very useful.
A standard packet capture process
import pcap
import dpkt
pc = pcap.pcap()  # Note: the parameter can be the NIC name, for example eth0
pc.setfilter('tcp port 80')  # set the capture filter
for ptime, pdata in pc:  # ptime is the receive time, pdata is the received data
    print(ptime, pdata)  # ...
Unpack the captured Ethernet V2 frame (raw packet)
p = dpkt.ethernet.Ethernet(pdata)
if p.data.__class__.__name__ == 'IP':
    # dst is 4 raw bytes; bytearray yields integers on both Python 2 and 3
    ip = '%d.%d.%d.%d' % tuple(bytearray(p.data.dst))
    if p.data.data.__class__.__name__ == 'TCP':
        if p.data.data.dport == 80:
            print(p.data.data.data)  # TCP payload. By gashero
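The same unpacking step written out with only the standard library, to show what the decoder does with the raw bytes and where malformed or padded frames need care. This is an added example, not code from the original post; parse_tcp_frame, build_sample_frame and the sample addresses and ports are names and values constructed for illustration.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

def parse_tcp_frame(frame):
    """Decode an Ethernet II / IPv4 / TCP frame.
    Returns (src_ip, dst_ip, sport, dport, payload), or None when the frame
    is not IPv4/TCP, is a non-first fragment, or is truncated."""
    if len(frame) < 14 + 20:                  # Ethernet header + minimal IPv4 header
        return None
    (ethertype,) = struct.unpack('!H', frame[12:14])
    if ethertype != ETHERTYPE_IPV4:           # ARP, IPv6, VLAN tag, ...
        return None
    ip = frame[14:]
    ver_ihl, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack(
        '!BBHHHBBH4s4s', ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                # header length in bytes, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        return None
    if proto != IPPROTO_TCP or frag & 0x1FFF: # later fragments carry no TCP header
        return None
    tcp = ip[ihl:total_len]                   # total_len cuts off Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack('!HH', tcp[:4])
    data_off = (struct.unpack('!B', tcp[12:13])[0] >> 4) * 4
    if not 20 <= data_off <= len(tcp):
        return None
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, tcp[data_off:])

def build_sample_frame(payload, dport=80, pad_to=60):
    """Constructed test input: Ethernet II + IPv4 (no options) + TCP, zero checksums."""
    tcp = struct.pack('!HHIIBBHHH', 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton('192.0.2.10'), socket.inet_aton('198.51.100.7'))
    eth = b'\x02\x00\x00\x00\x00\x02' + b'\x02\x00\x00\x00\x00\x01' + struct.pack('!H', ETHERTYPE_IPV4)
    frame = eth + ip + tcp
    return frame + b'\x00' * max(0, pad_to - len(frame))  # pad short frames like a NIC does

if __name__ == '__main__':
    parsed = parse_tcp_frame(build_sample_frame(b'GET / HTTP/1.0\r\n\r\n'))
    if parsed and parsed[3] == 80:            # same port check as in the snippet above
        print(parsed)
```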
Some display parameters
nrecv, ndrop, nifdrop = pc.stats()
In the returned tuple, the first value is the number of packets received, and the second is the number of packets dropped by the kernel. (by gashero)