http://www.binarytides.com/code-a-packet-sniffer-in-python-with-pcapy-extension/
Code a packet sniffer in python with pcapy extension
Pcapy
In the previous articles we coded packet sniffers in python using raw sockets. Now lets use the libpcap library for the same. Libpcap is the packet capture library for linux and has wrappers for most languages. In python there are multiple libpcap wrappers like pcapy, pypcap etc. In this article we shall use the pcapy python module.
Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network.
Project website :
On ubuntu pcapy can be installed directly from synaptic by issuing the following command
$ sudo apt-get install python-pcapy
Code
Lets code our sniffer right away.
'''Packet sniffer in python using the pcapy python libraryProject websitehttp://oss.coresecurity.com/projects/pcapy.html'''import socketfrom struct import *import datetimeimport pcapyimport sysdef main(argv): #list all devices devices = pcapy.findalldevs() print devices #ask user to enter device name to sniff print "Available devices are :" for d in devices : print d dev = raw_input("Enter device name to sniff : ") print "Sniffing device " + dev ''' open device # Arguments here are: # device # snaplen (maximum number of bytes to capture _per_packet_) # promiscious mode (1 for true) # timeout (in milliseconds) ''' cap = pcapy.open_live(dev , 65536 , 1 , 0) #start sniffing packets while(1) : (header, packet) = cap.next() #print ('%s: captured %d bytes, truncated to %d bytes' %(datetime.datetime.now(), header.getlen(), header.getcaplen())) parse_packet(packet)#Convert a string of 6 characters of ethernet address into a dash separated hex stringdef eth_addr (a) : b = "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x" % (ord(a[0]) , ord(a[1]) , ord(a[2]), ord(a[3]), ord(a[4]) , ord(a[5])) return b#function to parse a packetdef parse_packet(packet) : #parse ethernet header eth_length = 14 eth_header = packet[:eth_length] eth = unpack('!6s6sH' , eth_header) eth_protocol = socket.ntohs(eth[2]) print 'Destination MAC : ' + eth_addr(packet[0:6]) + ' Source MAC : ' + eth_addr(packet[6:12]) + ' Protocol : ' + str(eth_protocol) #Parse IP packets, IP Protocol number = 8 if eth_protocol == 8 : #Parse IP header #take first 20 characters for the ip header ip_header = packet[eth_length:20+eth_length] #now unpack them :) iph = unpack('!BBHHHBBH4s4s' , ip_header) version_ihl = iph[0] version = version_ihl >> 4 ihl = version_ihl & 0xF iph_length = ihl * 4 ttl = iph[5] protocol = iph[6] s_addr = socket.inet_ntoa(iph[8]); d_addr = socket.inet_ntoa(iph[9]); print 'Version : ' + str(version) + ' IP Header Length : ' + str(ihl) + ' TTL : ' + str(ttl) + ' Protocol : ' + str(protocol) + ' Source Address : ' + str(s_addr) + ' Destination Address : ' + str(d_addr) #TCP protocol if protocol == 6 : t = iph_length + eth_length tcp_header = packet[t:t+20] #now unpack them :) tcph = unpack('!HHLLBBHHH' , tcp_header) source_port = tcph[0] dest_port = tcph[1] sequence = tcph[2] acknowledgement = tcph[3] doff_reserved = tcph[4] tcph_length = doff_reserved >> 4 print 'Source Port : ' + str(source_port) + ' Dest Port : ' + str(dest_port) + ' Sequence Number : ' + str(sequence) + ' Acknowledgement : ' + str(acknowledgement) + ' TCP header length : ' + str(tcph_length) h_size = eth_length + iph_length + tcph_length * 4 data_size = len(packet) - h_size #get data from the packet data = packet[h_size:] print 'Data : ' + data #ICMP Packets elif protocol == 1 : u = iph_length + eth_length icmph_length = 4 icmp_header = packet[u:u+4] #now unpack them :) icmph = unpack('!BBH' , icmp_header) icmp_type = icmph[0] code = icmph[1] checksum = icmph[2] print 'Type : ' + str(icmp_type) + ' Code : ' + str(code) + ' Checksum : ' + str(checksum) h_size = eth_length + iph_length + icmph_length data_size = len(packet) - h_size #get data from the packet data = packet[h_size:] print 'Data : ' + data #UDP packets elif protocol == 17 : u = iph_length + eth_length udph_length = 8 udp_header = packet[u:u+8] #now unpack them :) udph = unpack('!HHHH' , udp_header) source_port = udph[0] dest_port = udph[1] length = udph[2] checksum = udph[3] print 'Source Port : ' + str(source_port) + ' Dest Port : ' + str(dest_port) + ' Length : ' + str(length) + ' Checksum : ' + str(checksum) h_size = eth_length + iph_length + udph_length data_size = len(packet) - h_size #get data from the packet data = packet[h_size:] print 'Data : ' + data #some other IP packet like IGMP else : print 'Protocol other than TCP/UDP/ICMP' printif __name__ == "__main__": main(sys.argv) Output
$ sudo python pcapy_sniffer.py ['eth0', 'usbmon1', 'usbmon2', 'usbmon3', 'usbmon4', 'usbmon5', 'usbmon6', 'usbmon7', 'any', 'lo']Available devices are :eth0usbmon1usbmon2usbmon3usbmon4usbmon5usbmon6usbmon7anyloEnter device name to sniff : eth0Sniffing device eth0Destination MAC : 00:1c:c0:f8:79:ee Source MAC : 6c:fd:b9:53:6a:21 Protocol : 8Version : 4 IP Header Length : 5 TTL : 250 Protocol : 17 Source Address : 61.1.96.71 Destination Address : 192.168.1.101Source Port : 53 Dest Port : 56291 Length : 136 Checksum : 28619stackexchangecom?ny o@"we?mns3 serverfault?%?mns1?N?mns2?N Destination MAC : 6c:fd:b9:53:6a:21 Source MAC : 00:1c:c0:f8:79:ee Protocol : 8 Version : 4 IP Header Length : 5 TTL : 64 Protocol : 1 Source Address : 192.168.1.101 Destination Address : 61.1.96.71 Type : 3 Code : 3 Checksum : 23788 stackexchangecom?G?e5???o???socketsny o@"we?mns3 serverfault?%?mns1?N?mns2?N
First the script would list out the available devices and then ask the user to enter the name of the device that is to be sniffed. Alternatively lookupdev function can be used to find a sniffable device without asking user to select anything.
The packet contents are also broken down and parsed. The script can parse only TCP/UDP/ICMP packets.