Clever Geek Handbook

Python Scapy vs dpkt

I have been trying to parse packages using Python Scapy

from the beginning. On a recent search, I found that there is another module in python named dpkt

. With this module, I can parse the layers of a package, create packages, read a file .pcap

and write to a file .pcap

. The difference I found among them:

  • There is no packet sniffer in dpkt

  • Some fields need to be unpacked using struct.unpack

    c dpkt

    .

Are there any other differences I am missing?

+3


source to share


2 answers


Scapy

better than dpkt

.

  • You can create, sniff, modify and send packets using scapy. Although dpkt can only parse packages and create them. To send them you need raw sockets.
  • As you mentioned, Scapi can sniff live. It can sniff from the network and also read a file .pcap

    using a method rdpcap

    or offline

    method sniff

    .
  • Scapy is commonly used to build packet sniffers and injectors. Its modules can be used to create a specific application for a specific purpose.


There can be many other differences as well.

+7


source


I don't understand why people say Scapy is the best performer. I quickly checked as shown below and dpkt was the winner. This is dpkt> scapy> pyshark.

My input pcap file used for testing is about 12.5 MB. The time is determined using the bash command time python testing.py

. In each chunk, I ensure that the packet is indeed decoded from the raw chunks. You can assign the FILENAME variable with the desired pcap file name.

dpkt

from dpkt.pcap import *
from dpkt.ethernet import *
import os

readBytes = 0
fileSize  = os.stat(FILENAME).st_size

with open(FILENAME, 'rb') as f:
    for t, pkt in Reader(f):
        readBytes += len(Ethernet(pkt))
        print("%.2f" % (float(readBytes) / fileSize * 100))

The average time is about 0.3 seconds.



scapy - using PcapReader

from scapy.all import *
import os

readBytes = 0
fileSize  = os.stat(FILENAME).st_size

for pkt in PcapReader(FILENAME):

    readBytes += len(pkt)
    print("%.2f" % (float(readBytes) / fileSize * 100))

The average time is about 4.5 seconds.



scapy - using RawPcapReader

from scapy.all import *
import os

readBytes = 0
fileSize  = os.stat(FILENAME).st_size

for pkt, (sec, usec, wirelen, c) in RawPcapReader(FILENAME):

    readBytes += len(Ether(pkt))
    print("%.2f" % (float(readBytes) / fileSize * 100))

The average time is about 4.5 seconds.



pyshark

import pyshark
import os

filtered_cap = pyshark.FileCapture(FILENAME)

readBytes = 0
fileSize  = os.stat(FILENAME).st_size

for pkt in filtered_cap:
     readBytes += int(pkt.length)
     print("%.2f" % (float(readBytes) / fileSize * 100))

The average time is about 12 seconds.



I don't advertise for dpkt at all - I don't care. The thing is, I need to parse 8GB files at the moment. So I checked that using dpkt, the above code for an 8GB pcap file runs in 4.5 minutes, which is tolerable, although I wouldn't even bother waiting for other libraries to finish. At least this is my first quick impression. If I have any new information, I will update the post.

0


source






More articles:


All Articles