Python Scapy vs dpkt
I have been trying to parse packages using Python Scapy
from the beginning. On a recent search, I found that there is another module in python named dpkt
. With this module, I can parse the layers of a package, create packages, read a file .pcap
and write to a file .pcap
. The difference I found among them:
-
There is no packet sniffer in
dpkt
-
Some fields need to be unpacked using
struct.unpack
cdpkt
.
Are there any other differences I am missing?
source to share
Scapy
better than dpkt
.
- You can create, sniff, modify and send packets using scapy. Although dpkt can only parse packages and create them. To send them you need raw sockets.
- As you mentioned, Scapi can sniff live. It can sniff from the network and also read a file
.pcap
using a methodrdpcap
oroffline
methodsniff
. - Scapy is commonly used to build packet sniffers and injectors. Its modules can be used to create a specific application for a specific purpose.
There can be many other differences as well.
source to share
I don't understand why people say Scapy is the best performer. I quickly checked as shown below and dpkt was the winner. This is dpkt> scapy> pyshark.
My input pcap file used for testing is about 12.5 MB. The time is determined using the bash command time python testing.py
. In each chunk, I ensure that the packet is indeed decoded from the raw chunks. You can assign the FILENAME variable with the desired pcap file name.
dpkt
from dpkt.pcap import *
from dpkt.ethernet import *
import os
readBytes = 0
fileSize = os.stat(FILENAME).st_size
with open(FILENAME, 'rb') as f:
for t, pkt in Reader(f):
readBytes += len(Ethernet(pkt))
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 0.3 seconds.
scapy - using PcapReader
from scapy.all import *
import os
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt in PcapReader(FILENAME):
readBytes += len(pkt)
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 4.5 seconds.
scapy - using RawPcapReader
from scapy.all import *
import os
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt, (sec, usec, wirelen, c) in RawPcapReader(FILENAME):
readBytes += len(Ether(pkt))
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 4.5 seconds.
pyshark
import pyshark
import os
filtered_cap = pyshark.FileCapture(FILENAME)
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt in filtered_cap:
readBytes += int(pkt.length)
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 12 seconds.
I don't advertise for dpkt at all - I don't care. The thing is, I need to parse 8GB files at the moment. So I checked that using dpkt, the above code for an 8GB pcap file runs in 4.5 minutes, which is tolerable, although I wouldn't even bother waiting for other libraries to finish. At least this is my first quick impression. If I have any new information, I will update the post.
source to share