pcaputils: a python module to help parse/analyze packet captures


This used to be a page hosting pcaputils.py, the beginnings of my own pcap parser. You can still download that code if you like, but these days I use dpkt. It's got significant support for the upper level protocols as well as raw pcap parsing support.

dpkt 1.6 [info] [source tarball]
pcaputils 0.1.0 [download] [changelog] [example]

How to use dpkt to parse pcap files

import socket
import sys

import dpkt

# Open the capture in binary mode; dpkt.pcap.Reader yields (timestamp, raw frame) pairs.
with open(sys.argv[1], "rb") as f:
    pcapReader = dpkt.pcap.Reader(f)
    for ts, data in pcapReader:
        ether = dpkt.ethernet.Ethernet(data)
        # A bare "raise" outside an except block only produces a RuntimeError;
        # raise a real exception for anything that is not IPv4 (ARP, IPv6, ...).
        if ether.type != dpkt.ethernet.ETH_TYPE_IP:
            raise ValueError("not an IPv4 frame")
        ip = ether.data
        src = socket.inet_ntoa(ip.src)
        dst = socket.inet_ntoa(ip.dst)
        print("%s -> %s" % (src, dst))

dpkt includes built-in parsers for ethernet, ip, tcp, udp and most major application protocols. There's not much documentation, but the interactive debugger and the source should be enough.
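As an added example (not pcaputils.py and not dpkt code), the same src -> dst listing done with only the standard library, which shows what the pcap container actually holds: a 24-byte global header carrying a byte-order magic and the link type, then a 16-byte header in front of every frame. The sample capture is constructed inline, and read_pcap, ip_endpoints, ipv4_conversations and build_sample_pcap are names chosen here.

```python
import socket
import struct

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D   # libpcap magic: usec / nsec timestamps
LINKTYPE_ETHERNET, ETH_TYPE_IP = 1, 0x0800

def read_pcap(blob):
    """Yield (timestamp_seconds, frame_bytes) for each record in a pcap blob."""
    for endian in ("<", ">"):            # the magic number reveals the writer's byte order
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    frac = 1e6 if magic == MAGIC_USEC else 1e9
    if struct.unpack(endian + "I", blob[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                             # 24-byte global header, then 16-byte record headers
    while off + 16 <= len(blob):
        ts_sec, ts_frac, incl_len, _ = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("truncated record at offset %d" % off)
        yield ts_sec + ts_frac / frac, blob[off:off + incl_len]
        off += incl_len

def ip_endpoints(frame):
    """(src, dst) of an Ethernet/IPv4 frame, or None for anything else (ARP, IPv6, VLAN-tagged)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes; refuse bogus values
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def ipv4_conversations(blob):
    """'src -> dst' for each IPv4 frame, like the dpkt snippet above but skipping non-IP frames."""
    pairs = (ip_endpoints(frame) for _, frame in read_pcap(blob))
    return ["%s -> %s" % ends for ends in pairs if ends is not None]

def build_sample_pcap(endian="<"):
    """Constructed sample capture (not a real trace): one ARP frame, then one IPv4/UDP frame."""
    header = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    mac = b"\x00\x11\x22\x33\x44\x55"
    arp = b"\xff" * 6 + mac + b"\x08\x06" + b"\x00" * 28
    ipv4 = (mac * 2 + b"\x08\x00" + bytes([0x45, 0]) + struct.pack("!HHHBBH", 28, 1, 0, 64, 17, 0)
            + socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.2") + struct.pack("!HHHH", 53, 53, 8, 0))
    return header + b"".join(struct.pack(endian + "IIII", ts, 0, len(f), len(f)) + f
                             for ts, f in ((1, arp), (2, ipv4)))
```

Both byte orders and the nanosecond magic are accepted; pcapng files, non-Ethernet link types and 802.1Q-tagged frames are deliberately not handled, which is exactly the kind of ground dpkt covers for you.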


14 Nov 09 - jjguy - jjg@jjguy.com