Code a packet sniffer in python with pcapy extension

91 Flares Filament.io 91 Flares ×

Pcapy

In the previous articles we coded packet sniffers in python using raw sockets. Now lets use the libpcap library for the same. Libpcap is the packet capture library for linux and has wrappers for most languages. In python there are multiple libpcap wrappers like pcapy, pypcap etc. In this article we shall use the pcapy python module.

Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network.

Project website :
http://oss.coresecurity.com/projects/pcapy.html

On ubuntu pcapy can be installed directly from synaptic by issuing the following command

$ sudo apt-get install python-pcapy

Code

Lets code our sniffer right away.

'''
Packet sniffer in python using the pcapy python library

Project website

http://oss.coresecurity.com/projects/pcapy.html

'''

import socket
from struct import *
import datetime
import pcapy
import sys

def main(argv):
	#list all devices
	devices = pcapy.findalldevs()
	print devices
	
	#ask user to enter device name to sniff
	print "Available devices are :"
	for d in devices :
		print d
	
	dev = raw_input("Enter device name to sniff : ")
	
	print "Sniffing device " + dev
	
	'''
	open device
	# Arguments here are:
	#   device
	#   snaplen (maximum number of bytes to capture _per_packet_)
	#   promiscious mode (1 for true)
	#   timeout (in milliseconds)
	'''
	cap = pcapy.open_live(dev , 65536 , 1 , 0)

	#start sniffing packets
	while(1) :
		(header, packet) = cap.next()
		#print ('%s: captured %d bytes, truncated to %d bytes' %(datetime.datetime.now(), header.getlen(), header.getcaplen()))
		parse_packet(packet)

#Convert a string of 6 characters of ethernet address into a dash separated hex string
def eth_addr (a) :
	b = "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x" % (ord(a[0]) , ord(a[1]) , ord(a[2]), ord(a[3]), ord(a[4]) , ord(a[5]))
	return b

#function to parse a packet
def parse_packet(packet) :
	
	#parse ethernet header
	eth_length = 14
	
	eth_header = packet[:eth_length]
	eth = unpack('!6s6sH' , eth_header)
	eth_protocol = socket.ntohs(eth[2])
	print 'Destination MAC : ' + eth_addr(packet[0:6]) + ' Source MAC : ' + eth_addr(packet[6:12]) + ' Protocol : ' + str(eth_protocol)

	#Parse IP packets, IP Protocol number = 8
	if eth_protocol == 8 :
		#Parse IP header
		#take first 20 characters for the ip header
		ip_header = packet[eth_length:20+eth_length]
		
		#now unpack them :)
		iph = unpack('!BBHHHBBH4s4s' , ip_header)

		version_ihl = iph[0]
		version = version_ihl >> 4
		ihl = version_ihl & 0xF

		iph_length = ihl * 4

		ttl = iph[5]
		protocol = iph[6]
		s_addr = socket.inet_ntoa(iph[8]);
		d_addr = socket.inet_ntoa(iph[9]);

		print 'Version : ' + str(version) + ' IP Header Length : ' + str(ihl) + ' TTL : ' + str(ttl) + ' Protocol : ' + str(protocol) + ' Source Address : ' + str(s_addr) + ' Destination Address : ' + str(d_addr)

		#TCP protocol
		if protocol == 6 :
			t = iph_length + eth_length
			tcp_header = packet[t:t+20]

			#now unpack them :)
			tcph = unpack('!HHLLBBHHH' , tcp_header)
			
			source_port = tcph[0]
			dest_port = tcph[1]
			sequence = tcph[2]
			acknowledgement = tcph[3]
			doff_reserved = tcph[4]
			tcph_length = doff_reserved >> 4
			
			print 'Source Port : ' + str(source_port) + ' Dest Port : ' + str(dest_port) + ' Sequence Number : ' + str(sequence) + ' Acknowledgement : ' + str(acknowledgement) + ' TCP header length : ' + str(tcph_length)
			
			h_size = eth_length + iph_length + tcph_length * 4
			data_size = len(packet) - h_size
			
			#get data from the packet
			data = packet[h_size:]
			
			print 'Data : ' + data

		#ICMP Packets
		elif protocol == 1 :
			u = iph_length + eth_length
			icmph_length = 4
			icmp_header = packet[u:u+4]

			#now unpack them :)
			icmph = unpack('!BBH' , icmp_header)
			
			icmp_type = icmph[0]
			code = icmph[1]
			checksum = icmph[2]
			
			print 'Type : ' + str(icmp_type) + ' Code : ' + str(code) + ' Checksum : ' + str(checksum)
			
			h_size = eth_length + iph_length + icmph_length
			data_size = len(packet) - h_size
			
			#get data from the packet
			data = packet[h_size:]
			
			print 'Data : ' + data

		#UDP packets
		elif protocol == 17 :
			u = iph_length + eth_length
			udph_length = 8
			udp_header = packet[u:u+8]

			#now unpack them :)
			udph = unpack('!HHHH' , udp_header)
			
			source_port = udph[0]
			dest_port = udph[1]
			length = udph[2]
			checksum = udph[3]
			
			print 'Source Port : ' + str(source_port) + ' Dest Port : ' + str(dest_port) + ' Length : ' + str(length) + ' Checksum : ' + str(checksum)
			
			h_size = eth_length + iph_length + udph_length
			data_size = len(packet) - h_size
			
			#get data from the packet
			data = packet[h_size:]
			
			print 'Data : ' + data

		#some other IP packet like IGMP
		else :
			print 'Protocol other than TCP/UDP/ICMP'
			
		print

if __name__ == "__main__":
  main(sys.argv)






Output

$ sudo python pcapy_sniffer.py 
['eth0', 'usbmon1', 'usbmon2', 'usbmon3', 'usbmon4', 'usbmon5', 'usbmon6', 'usbmon7', 'any', 'lo']
Available devices are :
eth0
usbmon1
usbmon2
usbmon3
usbmon4
usbmon5
usbmon6
usbmon7
any
lo
Enter device name to sniff : eth0
Sniffing device eth0
Destination MAC : 00:1c:c0:f8:79:ee Source MAC : 6c:fd:b9:53:6a:21 Protocol : 8
Version : 4 IP Header Length : 5 TTL : 250 Protocol : 17 Source Address : 61.1.96.71 Destination Address : 192.168.1.101
Source Port : 53 Dest Port : 56291 Length : 136 Checksum : 28619
stackexchangecom?ny
                 o@"we?mns3
                           serverfault?%?mns1?N?mns2?N                                                                                                                      
                                                                                                                                                                            
Destination MAC : 6c:fd:b9:53:6a:21 Source MAC : 00:1c:c0:f8:79:ee Protocol : 8                                                                                             
Version : 4 IP Header Length : 5 TTL : 64 Protocol : 1 Source Address : 192.168.1.101 Destination Address : 61.1.96.71                                                      
Type : 3 Code : 3 Checksum : 23788                                                                                                                                          
stackexchangecom?G?e5???o???socketsny                                                                                                                                       
                 o@"we?mns3                                                                                                                                                 
                           serverfault?%?mns1?N?mns2?N

First the script would list out the available devices and then ask the user to enter the name of the device that is to be sniffed. Alternatively lookupdev function can be used to find a sniffable device without asking user to select anything.

The packet contents are also broken down and parsed. The script can parse only TCP/UDP/ICMP packets.

Last Updated On : 14th September 2012

Subscribe to get updates delivered to your inbox

About Silver Moon

Php developer, blogger and Linux enthusiast. He can be reached at m00n.silv3r@gmail.com. Or find him on

  • Sky Venom

    Hello Binary,
    It seems everything works fine, left for the data transmitted : [ It is in an ASCII Form or encrypted or whatever ... the data is unreadable ]
    Any solution ?
    AM a newbie to python

    Data : ����=TȸŸ¨îPÒ!*à#‡Él½p+˜;£©YKjà~ž8!ÛoÒXg¥ =Þ3Gå°þ锋Åڛ:± ¿U¦7™¥]vÊjð òÃД%ØfX”v r–Z#à
    _3Õh��X�����m��x��i���S�F�1�?�w��”ofFs8X�s���İ㰓4gy
    ׬5���~%���IN:�/�

  • Edmond

    Is it possible to capture traffic on more than one devices?

  • Gonzalo Gasca Meza

    Any recommendations to handle TCP fragmented data?

  • cj

    Thanks, but I get an error while installing on Mac. ImportError: No module named Pyrex.Distutils. Any ideas?

  • Bishingwe

    This is real good and understandable thanks !

91 Flares Twitter 14 Facebook 0 Google+ 2 LinkedIn 0 StumbleUpon 75 Filament.io 91 Flares ×