Menu
I am trying to analyse packets using Python's Scapy from the beginning. Upon recent searching, I found there is another module in python named as dpkt. With this module I can parse the layers of a packet, create packets, read a .pcap file and write into a .pcap file. The difference I found among them is:
Missing of live packet sniffer in dpkt
Some of the fields need to be unpacked using struct.unpack in dpkt.
Is there any other differences I am missing?
581
It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VoIP decoding on WEP protected channel, ...), etc. Scapy supports Python 2.7 and Python 3 (3.4 to 3.8).
Scapy is a library made in Python, with its own command line interpreter (CLI), which allows to create, modify, send and capture network packets. It can be used interactively through the command line interface or as a library by importing it into Python programs. It can also run on Linux, Mac OS X and Windows systems.
The send() function will send packets at layer 3. That is to say, it will handle routing and layer 2 for you. The sendp() function will work at layer 2. It's up to you to choose the right interface and the right link layer protocol.
Scapy is a better performer than dpkt.
.pcap file using the rdpcap method or offline parameter of sniff method.There might be many other differences also.
184
I don't understand why people say that Scapy is better performer. I quickly checked as shown below and the winner is dpkt. It's dpkt > scapy > pyshark.
My input pcap file used for testing is about 12.5 MB. The time is derived with bash time command time python testing.py. In each snippet I ensure that the packet is indeed decoded from raw bites. One can assign variable FILENAME with the needed pcap-file name.
dpkt
from dpkt.pcap import *
from dpkt.ethernet import *
import os
readBytes = 0
fileSize = os.stat(FILENAME).st_size
with open(FILENAME, 'rb') as f:
for t, pkt in Reader(f):
readBytes += len(Ethernet(pkt))
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 0.3 second.
scapy -- using PcapReader
from scapy.all import *
import os
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt in PcapReader(FILENAME):
readBytes += len(pkt)
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 4.5 seconds.
scapy -- using RawPcapReader
from scapy.all import *
import os
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt, (sec, usec, wirelen, c) in RawPcapReader(FILENAME):
readBytes += len(Ether(pkt))
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 4.5 seconds.
pyshark
import pyshark
import os
filtered_cap = pyshark.FileCapture(FILENAME)
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt in filtered_cap:
readBytes += int(pkt.length)
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 12 seconds.
I do not advertise dpkt at all -- I do not care. The point is that I need to parse 8GB files currently. So I checked that with dpkt the above-written code for a 8GB pcap-file is done for 4.5 minutes which is bearable, while I would not even wait for other libraries to ever finish. At least, this is my quick first impression. If I have some new information I will update the post.
23
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
