Use Python to capture and parse packets in windows.

Use Python to capture and parse packets in windows.

System Environment: windows 7, because I am more interested in the traffic on my daily machines

Python environment: python2.7. The reason why python3 is not selected here is that the scapy package to be used in python3 is much more troublesome to install than python2. If you are used to using python3, data packet analysis can be done under 3, Because packet capture and analysis are two completely independent processes.

Required python packages: scapy and dpkt

Packet Capture code:

From scapy. sendrecv import snifffrom scapy. utils import wrpcapdpkt = sniff (count = 100) # This is the host for a single Nic. For Multiple NICs, you can specify the NIC wrpcap ("demo. pcap ", dpkt)

You are not mistaken. You only need two lines of code to implement a simple packet capture function. The sniff function is used to sniff data packets, while the wrpcap function saves the captured data packets.

Data Packet Analysis:

Import dpktimport socketimport datetimedef printPcap (pcap): try: for timestamp, buf in pcap: eth = dpkt. ethernet. ethernet (buf) # obtain the Ethernet packet, that is, print ("ip layer:" + eth. data. _ class __. _ name _) # The data of an Ethernet packet is both the print ("tcp layer:" + eth. data. data. _ class __. _ name _) # The data in the network layer package is both a transport layer package print ("http layer:" + eth. data. data. data. _ class __. _ name _) # The data in the transport layer package is not only the application layer package print ('timestamp': ', str (datetime. datetime. utcfromtimestamp (timestamp) # print the packet capture time if not isinstance (eth. data, dpkt. ip. IP): print ('non IP Packet type not supported % s' % eth. data. _ class __. _ name _) continueip = eth. datado_not_fragment = bool (ip. off & dpkt. ip. IP_DF) more_fragments = bool (ip. off & dpkt. ip. IP_MF) fragment_offset = ip. off & dpkt. ip. IP_OFFMASKprint ('IP: % s-> % s (len = % d ttl = % d DF = % d MF = % d offset = % d) '% (socket. inet_ntoa (ip. src), socket. inet_ntoa (ip. dst), ip. len, ip. ttl, do_not_fragment, more_fragments, fragment_offset) T: passdef main (): f = open ('demo. pcap ', 'rb') pcap = dpkt. pcap. reader (f) printPcap (pcap) if _ name _ = '_ main _': main ()

Result:

This is the packet that I captured when I opened the 360 vro guard. The software communicates with the vro when it is turned on to obtain a list of computers and mobile phones connected to the vro. 192.168.1.100 is my machine, 192.168.1.1 is the router address, and the ttl value of the data packet sent by windows is 128 by default, and that of other systems is 64 by default, it is consistent with our theoretical knowledge.

The layer-5 TCP/IP structure and packet process are shown in the following figure:

Summary

The above section describes how to use Python to capture and parse packets in windows. I hope it will be helpful to you. If you have any questions, please leave a message for me, the editor will reply to you in a timely manner. Thank you very much for your support for the help House website!