Tool for reading/writing PCAPNG network packet capture files.

Project description

Tool for reading/writing PCAPNG network packet capture files

Alan Thompson

Please see the IETF document PCAP Next Generation (pcapng) Capture File Format

Please also see the project home page on GitHub

and at PyPI - the Python Package Index

Quick Start

PCAPNG files must begin with a Section Header Block:

import pcapng.block
import pcapng.linktype
import pcapng.option

pcap_fp = open( 'data.pcapng', 'wb' )

shb_opts = [ pcapng.option.ShbHardware( "Dell" ),
             pcapng.option.ShbOs( "Ubuntu" ),
             pcapng.option.ShbUserAppl( "IntelliJ Idea" ) ]
shb_obj = pcapng.block.SectionHeaderBlock( shb_opts )
shb_packed_bytes = shb_obj.pack()
pcap_fp.write( shb_packed_bytes )  # must be 1st block

where the options list may be omitted for this or any other block type. After the SHB, one or more Interface Description Blocks may be included:

interface_name = "eth0"  # placeholder: name of the capture interface
idb_opts = [ pcapng.option.IdbName( interface_name ),
             pcapng.option.IdbDescription( "primary interface on host" ),
             pcapng.option.IdbSpeed( 12345 ) ]
idb_obj = pcapng.block.InterfaceDescBlock( pcapng.linktype.LINKTYPE_ETHERNET, idb_opts )  # optional block
pcap_fp.write( idb_obj.pack() )

After the SHB and any optional IDBs, one may include packet information as either Simple Packet Blocks or Enhanced Packet Blocks:

# get_next_packet() and dbg_print() stand in for the caller's own capture and debug helpers
pkt_bytes = get_next_packet( socket_fd )
dbg_print( pkt_bytes )
pcap_fp.write( pcapng.block.SimplePacketBlock( pkt_bytes ).pack() )

pkt_bytes = get_next_packet( socket_fd )
dbg_print( pkt_bytes )

epb_opts = [ pcapng.option.EpbFlags(       [13,14,15,16] ),
             pcapng.option.EpbHash(        'just about any hash spec can go here' ),
             pcapng.option.EpbDropCount(   13 ) ]
pcap_fp.write( pcapng.block.EnhancedPacketBlock( 0, pkt_bytes, len(pkt_bytes), epb_opts ).pack() )

Blocks may also be serialized & deserialized in bulk, as seen in the unit tests:

import pcapng.block
import pcapng.option
import pcapng.linktype as linktype
import pcapng.pen as pen      # private enterprise numbers (module names as used by the project's tests)
import pcapng.util as util

def test_blocks_lst():
    blk_lst = [
        # SHB must be 1st block
        pcapng.block.SectionHeaderBlock( [ pcapng.option.ShbHardware( "Dell" ),
                                           pcapng.option.ShbOs( "Ubuntu" ),
                                           pcapng.option.ShbUserAppl( "IntelliJ Idea" ) ] ),
        pcapng.block.InterfaceDescBlock( linktype.LINKTYPE_ETHERNET,
                                        [ pcapng.option.IdbName( "Carrier Pigeon" ),
                                          pcapng.option.IdbDescription( "Something profound here..." ),
                                          pcapng.option.IdbIpv4Addr(     [192, 168, 13, 7], [255, 255, 255, 0] ),
                                          pcapng.option.IdbOs( 'Ubuntu Xenial 16.04.1 LTS' ) ] ),
        pcapng.block.SimplePacketBlock('abc'),
        pcapng.block.EnhancedPacketBlock( 0, "<<<Stand-in for actual packet data>>>"  ),
        pcapng.block.CustomBlockCopyable( pen.BROCADE_PEN, 'User-defined custom data' ),
    ]
    packed_bytes = pcapng.block.pack_all( blk_lst )

    if False:   # set to True to write the packed bytes out for inspection in Wireshark
        pcap_fp = open( 'block_list.pcapng', 'wb' )
        pcap_fp.write( packed_bytes )
        pcap_fp.close()

    util.assert_block32_length( packed_bytes )   # every block length must be a multiple of 32 bits
    blk_lst_unpacked = pcapng.block.unpack_all( packed_bytes )
    assert blk_lst == blk_lst_unpacked           # round trip must reproduce the original blocks

Installation

Install from the Python Package Index (PyPI):

sudo pip install pcapng

API Documentation

Point your browser to the included HTML documentation:

firefox doc/pcapng/index.html         # or similar (system dependent)

Sample Programs

Please see the sample programs:

isis_agent_pcapng.py    # real-time packet capture from your machine into a PCAPNG file
isis_demo_mrt.py        # same as above but save in Custom Block MRT format
pcapng_timing.py        # capture 1M sample packets

The program isis_agent_pcapng.py creates an output file data.pcapng, which is viewable in Wireshark.

The program isis_demo_mrt.py creates two output files, isis.mrt & isis.pcapng. The first of these is in raw MRT format and is not viewable by Wireshark. In the second file, each raw MRT block is wrapped in a PCAPNG Custom Block. That file loads successfully in Wireshark; however, since Wireshark doesn't understand the custom format, it produces a blank display.

The third program pcapng_timing.py writes 1 million dummy packets to a PCAPNG file. A flag selects either Simple Packet Block or Enhanced Packet Block output format. Execution on a representative computer yields execution times of ~6 seconds and ~16 seconds for SPB and EPB formats, respectively.

Generating Documentation

Documentation uses the pdoc tool. Note that pdoc generates documentation from the installed pcapng package, not directly from the source code. To use:

sudo pip install pdoc       # install pdoc if not present
./generate-docs.bash        # generate docs

Endian Convention

The PCAPNG specification mandates that data be saved in the native endian format of the capturing machine. This avoids the possible need for byte-swapping during data capture, which may aid efficiency. However, a reader of a PCAPNG file is obligated to examine the special BYTE_ORDER_MAGIC field of the Section Header Block in order to determine the endian convention used in generating the file. Additionally, since several PCAPNG files may be concatenated together to form a larger, valid PCAPNG file, the reader must re-evaluate the endian convention for each subsequent Section Header Block encountered.

Currently, this library does not implement endian-sensitive decoding logic; it uses native endian encoding for both writing and reading. The library thus assumes that the capturing machine and the reading machine share the same endian convention. The library may be extended in the future to implement the endian-sensitive logic for reading PCAPNG files written on foreign hosts.
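The reader-side logic this section describes, as an added example that is not part of the pcapng library: it reads the byte-order magic of each Section Header Block, switches decoding for each concatenated section, and trusts neither block length field until both agree and fit within the data. The SHB/SPB builders and the sample bytes are constructed here for illustration only.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # palindromic, so it reads the same in either endian
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # decodes as 0x4D3C2B1A when read with the wrong endian
SPB_TYPE = 0x00000003

def section_endian(data, off):
    """Return the struct prefix ('<' or '>') of the Section Header Block at `off`."""
    magic = struct.unpack_from("<I", data, off + 8)[0]
    if magic == BYTE_ORDER_MAGIC:
        return "<"
    if magic == 0x4D3C2B1A:
        return ">"
    raise ValueError("SHB at offset %d: bad byte-order magic 0x%08x" % (off, magic))

def walk_blocks(data):
    """Yield (offset, block_type, total_len, endian) for each block, validating both
    length fields before trusting either and re-evaluating endianness at every SHB."""
    endian, off = None, 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block at offset %d" % off)
        if struct.unpack_from("<I", data, off)[0] == SHB_TYPE:
            endian = section_endian(data, off)   # a new section may use another endian
        elif endian is None:
            raise ValueError("data does not start with a Section Header Block")
        blk_type, total_len = struct.unpack_from(endian + "II", data, off)
        if total_len < 12 or total_len % 4 or total_len > len(data) - off:
            raise ValueError("block at offset %d: bad total length %d" % (off, total_len))
        if struct.unpack_from(endian + "I", data, off + total_len - 4)[0] != total_len:
            raise ValueError("block at offset %d: leading/trailing length mismatch" % off)
        yield off, blk_type, total_len, endian
        off += total_len

def make_shb(endian):
    """Constructed minimal SHB: version 1.0, no options, section length unspecified (-1)."""
    body = struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
    total = 12 + len(body)
    return struct.pack(endian + "II", SHB_TYPE, total) + body + struct.pack(endian + "I", total)

def make_spb(endian, pkt):
    """Constructed Simple Packet Block carrying `pkt`, padded to a 32-bit boundary."""
    pad = (-len(pkt)) % 4
    total = 16 + len(pkt) + pad
    return (struct.pack(endian + "III", SPB_TYPE, total, len(pkt)) + pkt + b"\0" * pad
            + struct.pack(endian + "I", total))

# Constructed sample: a little-endian section concatenated with a big-endian one.
SAMPLE = make_shb("<") + make_spb("<", b"abc") + make_shb(">") + make_spb(">", b"wxyz1")
```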

Download files

Source Distribution: pcapng-0.1.25.tar.gz (32.3 kB)

Built Distribution: pcapng-0.1.25-py3-none-any.whl (40.0 kB, Python 3)
