pypcapfile 0.12.0

Pure Python package for reading and parsing libpcap savefiles.

pypcapfile is a pure Python library for handling libpcap savefiles.

Installing

The easiest way to install is from

pypi:

sudo pip install pypcapfile

Note that for pip, the package name is pypcapfile; in your code you will need to

import pcapfile.

Alternatively, you can install from source. Clone the repository, and run setup.py with

an install argument:

git clone git://github.com/kisom/pypcapfile.git
cd pypcapfile
./setup.py install

This does require the Python distutils to be

installed.

Introduction

The core functionality is implemented in pcapfile.savefile:

>>> from pcapfile import savefile
>>> testcap = open('test.pcap', 'rb')
>>> capfile = savefile.load_savefile(testcap, verbose=True)
[+] attempting to load test.pcap
[+] found valid header
[+] loaded 11 packets
[+] finished loading savefile.
>>> print capfile
little-endian capture file version 2.4
microsecond time resolution
snapshot length: 65535
linklayer type: LINKTYPE_ETHERNET
number of packets: 11

You can take a look at the packets in capfile.packets:

>>> pkt = capfile.packets[0]
>>> pkt.raw()
<binary data snipped>
>>> pkt.timestamp
1343676707L

Right now there is very basic support for Ethernet frames and IPv4 packet

parsing.

Automatically decoding layers

The layers argument to load_savefile determines how many layers to

decode; the default value of 0 does no decoding, 1 will load only the link

layer, etc… For example, with no decoding:

>>> from pcapfile import savefile
>>> from pcapfile.protocols.linklayer import ethernet
>>> from pcapfile.protocols.network import ip
>>> import binascii
>>> testcap = open('samples/test.pcap', 'rb')
>>> capfile = savefile.load_savefile(testcap, verbose=True)
[+] attempting to load samples/test.pcap
[+] found valid header
[+] loaded 3 packets
[+] finished loading savefile.
>>> eth_frame = ethernet.Ethernet(capfile.packets[0].raw())
>>> print eth_frame
ethernet from 00:11:22:33:44:55 to ff:ee:dd:cc:bb:aa type IPv4
>>> ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
>>> print ip_packet
ipv4 packet from 192.168.2.47 to 173.194.37.82 carrying 44 bytes

and this example:

>>> from pcapfile import savefile
>>> testcap = open('samples/test.pcap', 'rb')
>>> capfile = savefile.load_savefile(testcap, layers=1, verbose=True)
[+] attempting to load samples/test.pcap
[+] found valid header
[+] loaded 3 packets
[+] finished loading savefile.
>>> print capfile.packets[0].packet.src
00:11:22:33:44:55
>>> print capfile.packets[0].packet.payload
<hex string snipped>

and lastly:

>>> from pcapfile import savefile
>>> testcap = open('samples/test.pcap', 'rb')
>>> capfile = savefile.load_savefile(testcap, layers=2, verbose=True)
>>> print capfile.packets[0].packet.payload
ipv4 packet from 192.168.2.47 to 173.194.37.82 carrying 44 bytes

The IPv4 module (ip) currently only supports basic IP headers, i.e. it

doesn’t yet parse options or add in padding.

The interface is still a bit messy.

Future planned improvements

• IP options parsing (END and NOP is supported)

• IPv6 support

• TCP options parsing

• ARP support

TODO

1. write unit tests

2. add __repr__ method that shows all of the values of the fields in IP packets and Ethernet frames.

See also

• The project’s PyPi page.

• The project’s Sphinx documentation on PyPI

• The libpcap homepage

Contributors

A list of the project’s contributors may be found in the AUTHORS file.