Pure Python package for reading and parsing libpcap savefiles.
Project description
pypcapfile
==========
pypcapfile is a pure Python library for handling libpcap savefiles.
Installing
----------
The easiest way to install is from
[pypi](http://pypi.python.org/pypi/pypcapfile/):
sudo pip install pypcapfile
Note that for pip, the package name is `pypcapfile`; in your code you will need to
import `pcapfile`.
Alternatively, you can install from source. Clone the repository, and run setup.py with
an install argument:
git clone git://github.com/kisom/pypcapfile.git
cd pypcapfile
./setup.py install
This does require the Python [distutils](http://docs.python.org/install/) to be
installed.
Introduction
------------
The core functionality is implemented in pcapfile.savefile:
>>> from pcapfile import savefile
>>> sf = savefile.load_savefile('test.pcap', verbose=True)
[+] attempting to load test.pcap
[+] found valid header
[+] loaded 11 packets
[+] finished loading savefile.
>>> print sf
big-endian capture file version 2.4
snapshot length: 65535
linklayer type: LINKTYPE_ETHERNET
number of packets: 11
>>>
You can a look at the packets in sf.packets:
>>> pkt = sf.packets[0]
>>> pkt.raw()
<binary data snipped>
>>> pkt.timestamp
1343676707L
>>>
Right now there is very basic support for Ethernet frames and IPv4 packet
parsing. These are both in an alpha state while an architecture for properly
recursively setting up packets (i.e. Ethernet(IP(TCP()))) can be figured
out.
For example:
>>> from pcapfile.protocols import ethernet, ip
>>> eth_frame = ethernet.Ethernet(pkt.raw())
>>> eth_frame.src, eth_frame.dst, eth_frame.type
('ff:ee:dd:cc:bb:aa', '01:02:03:04:05:06', 2048)
>>> import binascii
>>> ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
>>> ip_packet.src, ip_packet.dst, ip_packet.v, ip_packet.len
('173.194.37.82', '192.168.2.47', 4, 60)
The IPv4 module (`ip`) currently only supports basic IP headers, i.e. it
doesn't yet parse options or add in padding.
Future planned improvements
---------------------------
* IP option handling
* IPv6 support
* TCP and UDP support
* ARP support
* Improved packet parsing (i.e. IP(pkt) or TCP(pkt)
See also
--------
* The project's [PyPi page](http://pypi.python.org/pypi/pypcapfile).
* The project's [Sphinx](http://sphinx.pocoo.org/)
[documentation on PyPI](http://packages.python.org/pypcapfile/)
* The [libpcap homepage](http://www.tcpdump.org)
==========
pypcapfile is a pure Python library for handling libpcap savefiles.
Installing
----------
The easiest way to install is from
[pypi](http://pypi.python.org/pypi/pypcapfile/):
sudo pip install pypcapfile
Note that for pip, the package name is `pypcapfile`; in your code you will need to
import `pcapfile`.
Alternatively, you can install from source. Clone the repository, and run setup.py with
an install argument:
git clone git://github.com/kisom/pypcapfile.git
cd pypcapfile
./setup.py install
This does require the Python [distutils](http://docs.python.org/install/) to be
installed.
Introduction
------------
The core functionality is implemented in pcapfile.savefile:
>>> from pcapfile import savefile
>>> sf = savefile.load_savefile('test.pcap', verbose=True)
[+] attempting to load test.pcap
[+] found valid header
[+] loaded 11 packets
[+] finished loading savefile.
>>> print sf
big-endian capture file version 2.4
snapshot length: 65535
linklayer type: LINKTYPE_ETHERNET
number of packets: 11
>>>
You can a look at the packets in sf.packets:
>>> pkt = sf.packets[0]
>>> pkt.raw()
<binary data snipped>
>>> pkt.timestamp
1343676707L
>>>
Right now there is very basic support for Ethernet frames and IPv4 packet
parsing. These are both in an alpha state while an architecture for properly
recursively setting up packets (i.e. Ethernet(IP(TCP()))) can be figured
out.
For example:
>>> from pcapfile.protocols import ethernet, ip
>>> eth_frame = ethernet.Ethernet(pkt.raw())
>>> eth_frame.src, eth_frame.dst, eth_frame.type
('ff:ee:dd:cc:bb:aa', '01:02:03:04:05:06', 2048)
>>> import binascii
>>> ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
>>> ip_packet.src, ip_packet.dst, ip_packet.v, ip_packet.len
('173.194.37.82', '192.168.2.47', 4, 60)
The IPv4 module (`ip`) currently only supports basic IP headers, i.e. it
doesn't yet parse options or add in padding.
Future planned improvements
---------------------------
* IP option handling
* IPv6 support
* TCP and UDP support
* ARP support
* Improved packet parsing (i.e. IP(pkt) or TCP(pkt)
See also
--------
* The project's [PyPi page](http://pypi.python.org/pypi/pypcapfile).
* The project's [Sphinx](http://sphinx.pocoo.org/)
[documentation on PyPI](http://packages.python.org/pypcapfile/)
* The [libpcap homepage](http://www.tcpdump.org)
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
pypcapfile-0.5.1.tar.gz
(5.7 kB
view hashes)