Skip to main content

Pure Python package for reading and parsing libpcap savefiles.

Project description

pypcapfile
==========

pypcapfile is a pure Python library for handling libpcap savefiles.


Installing
----------

The easiest way to install is from
[pypi](http://pypi.python.org/pypi/pypcapfile/):

sudo pip install pypcapfile

Note that for pip, the package name is `pypcapfile`; in your code you will need to
import `pcapfile`.

Alternatively, you can install from source. Clone the repository, and run setup.py with
an install argument:

git clone git://github.com/kisom/pypcapfile.git
cd pypcapfile
./setup.py install

This does require the Python [distutils](http://docs.python.org/install/) to be
installed.


Introduction
------------

The core functionality is implemented in pcapfile.savefile:

>>> from pcapfile import savefile
>>> sf = savefile.load_savefile('test.pcap', verbose=True)
[+] attempting to load test.pcap
[+] found valid header
[+] loaded 11 packets
[+] finished loading savefile.
>>> print sf
big-endian capture file version 2.4
snapshot length: 65535
linklayer type: LINKTYPE_ETHERNET
number of packets: 11
>>>

You can a look at the packets in sf.packets:
>>> pkt = sf.packets[0]
>>> pkt.raw()
<binary data snipped>
>>> pkt.timestamp
1343676707L
>>>

Right now there is very basic support for Ethernet frames and IPv4 packet
parsing. These are both in an alpha state while an architecture for properly
recursively setting up packets (i.e. Ethernet(IP(TCP()))) can be figured
out.

For example:
>>> from pcapfile.protocols import ethernet, ip
>>> eth_frame = ethernet.Ethernet(pkt.raw())
>>> eth_frame.src, eth_frame.dst, eth_frame.type
('ff:ee:dd:cc:bb:aa', '01:02:03:04:05:06', 2048)
>>> import binascii
>>> ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
>>> ip_packet.src, ip_packet.dst, ip_packet.v, ip_packet.len
('173.194.37.82', '192.168.2.47', 4, 60)

The IPv4 module (`ip`) currently only supports basic IP headers, i.e. it
doesn't yet parse options or add in padding.


Future planned improvements
---------------------------

* IP option handling
* IPv6 support
* TCP and UDP support
* ARP support
* Improved packet parsing (i.e. IP(pkt) or TCP(pkt)


See also
--------

* The project's [PyPi page](http://pypi.python.org/pypi/pypcapfile).
* The project's [Sphinx](http://sphinx.pocoo.org/)
[documentation on PyPI](http://packages.python.org/pypcapfile/)
* The [libpcap homepage](http://www.tcpdump.org)

Project details


Release history Release notifications

History Node

0.12.0

History Node

0.11.1

History Node

0.11.0

History Node

0.10.0

History Node

0.9.1

History Node

0.9.0

History Node

0.8.2

History Node

0.8.1

History Node

0.8

History Node

0.7

History Node

0.6

This version
History Node

0.5.1

History Node

0.5.0

History Node

0.4.3

History Node

0.4.1

History Node

0.4

History Node

0.3

History Node

0.2

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
pypcapfile-0.5.1.tar.gz (5.7 kB) Copy SHA256 hash SHA256 Source None Jul 31, 2012

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging CloudAMQP CloudAMQP RabbitMQ AWS AWS Cloud computing Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page