Use python to create a network packet capture tool and write a filter for winpcapy

Currently, we have completed a network packet capture tool, which is implemented in Python. The preferred library or interface for packet capture on Windows is Winpcap. Naturally, Winpcap programs close to the underlying system and hardware are generally written in C language, and the development interface provided by Winpcap is also C native. But fortunately, people have provided encapsulation for the use of other languages, such as Java and. net. It seems that even VB is available. You can find it on the Winpcap official website.

Winpcapy is the encapsulation of Winpcap in Python. You can find this project on Google Code and download the source code. In fact, compared with the C-Language header file of Winpcap, we can find that winpcapy mainly uses ctype to convert the C functions provided by Winpcap and some data structures into Python functions and data structures, just like C is a pcap. h. winpcapy is a winpcapy. PY, as long as you import this module into the code, you can use Winpcap like the C language. Besides winpcapy. py, the source code also provides several samples like Winpcap. Comparing the two sets of samples, we can find that the winpcapy sample basically translates the sample written in C language into the Python language, and the corresponding relationship is obvious. However, there is no filter code in the sample, so I will write a Python version of pcap_filter just like pcap_filter.c In the Winpcap sample.

The main code about filter in pcap_filter.c is as follows:

//pcap_t *fp;//struct bpf_program fcode;//bpf_u_int32 NetMask;//char *filter;NetMask=0xffffff;//compile the filterif(pcap_compile(fp, &fcode, filter, 1, NetMask) < 0){printf(stderr,"\nError compiling filter: wrong syntax.\n");pcap_close(fp);return -3;}//set the filterif(pcap_setfilter(fp, &fcode)<0){fprintf(stderr,"\nError setting the filter\n");pcap_close(fp);return -4;}

Several parameter declarations are provided in the first few lines. For details, see the complete code. The code for the filter Part I wrote is as follows:

fcode = bpf_program()NetMask = 0xfffffffilter = "tcp"## compile the filterif pcap_compile(adhandle,byref(fcode),filter,1,NetMask) < 0:print('\nError compiling filter: wrong syntax.\n')pcap_close(adhandle)sys.exit(-3)## set the filterif pcap_setfilter(adhandle,byref(fcode)) < 0:print('\nError setting the filter\n')pcap_close(adhandle)sys.exit(-4)

Of course, it seems that it is basically for translation, and there is no technical content. This code can be placed before the code line of the winpcapy example basic_dump_ex.py begins to capture packets (

res=pcap_next_ex( adhandle, byref(header), byref(pkt_data))

.

If you want to verify it, you can use pcap_dump to save the captured packet and view it with Wireshark. A complete code file will be provided later.