Python 3 pcap file viewer library
I'm looking for an attempt to read pcap files from various CTF events.
Ideally, I would like something that could do the pagination of information, like wireshark, but just be able to read the timestamp and return the packet as some kind of error, which would be welcome.
The problem is that there is little or no support for python 3 with all common libraries: dpkt, pylibpcap, pcapy, etc.
Does anyone know of a pcap library that works with python 3?
source to share
As far as I know, there are at least 2 packages that work with Python 3: and : pure-pcapfile
dpkt
-
pure-pcapfile
easy to install in python 3 withpip
. It is very easy to use but still limited to Ethernet and IP decoding . The rest is up to you. But it works right out of the box. -
dpkt
doesn't work straight out of the box and requires some tweaking before. They are porting it to Python 3 and plan to have a Python 2 and 3 compatible version for version 2.0. Unfortunately, this is not yet the case. However, this is more complete thanpure-pcapfile
and can decode many protocols. If your package contains multiple layers of protocols, it will automatically decrypt them for you. The only problem is that you have to do a few fixes here and there to get it working (as of the time of writing this comment).
pure pcapfile
the only thing I've found for Python 3 so far is pcapfile. You can find it at https://pypi.python.org/pypi/pypcapfile/ or install it by running pip3 install pypcapfile
.
There are only basic functionality, but it works very well for me and was updated quite recently (at the time of this writing):
from pcapfile import savefile
file = open('mypcapfile.pcp' , 'rb')
pcapfile = savefile.load_savefile(file,verbose=True)
If all goes well, you should see something like this:
[+] attempting to load mypcapfile.pcap
[+] found valid header
[+] loaded 1234 packets
[+] finished loading savefile.
A few comments. I am using Python 3.4.3. And executing import pcapfile
won't import anything from it (I'm still new to Python), but the only basic information and functions from the package. Then you must explicitly open the file in binary read mode, passing 'rb'
as mode to functions open()
. They don't explicitly talk about it in the documentation.
The rest is similar to the documentation:
packet = pcapfile.packets[12]
to access the package number 12 (the 13th package, the first of which is at 0). And you have basic functions like
packet.timestamp
to get a time stamp or
packet.raw()
to get raw data.
The documentation mentions functions for packet decoding of some standard formats such as Ethernet and IP.
dpkt
dpkt
is not available for Python 3, so you need to do the following if you have command line access. The code is available at https://github.com/kbandla/dpkt.git and you must download it before:
git clone https://github.com/kbandla/dpkt.git
cd dpkt
git checkout --track origin/migrate_py3
git pull
These 4 commands do the following:
- clone (upload) the code from your git repository on github
- go to the newly created directory named
dpkt
- switch to a branch name
migrate_py3
that contains Python 3 code. As the name suggests, this branch is still experimental. So far this works for me. - (just in case) download the code again
then copy the directory named dpkt
to your project or wherever Python 3 is.
Later, in Python 3, here's what you need to do to get started:
import dpkt
file = open('mypcapfile.pcap','rb')
will open the file. Don't forget binary mode 'rb'
in Python 3 (same as in pure-pcapfile
).
pcap = dpkt.pcap.Reader(file)
will read and decode your file
for ts, buf in pcap:
eth = dpkt.ethernet.Ethernet(buf)
print(eth)
would, for example, decode Ethernet packets and print them. Then read the documentation on how to use dpkt
. If your packets contain IP or TCP layer, it will dpkt.ethernet.Ethernet(buf)
also decrypt them. Also note that in the loop for
we have access to the timestamps in ts
.
You might want to iterate in a less constrained way, and doing the following will help:
(ts,buf) = next(pcap) eth = dpkt.ethernet.Ethernet(buf)
where the first line gets the next tuple from pcap file. If pcap is equal False
then you are reading everything.
source to share