In this recipe, we use the Scapy library to sniff packets and write to a file. All utility functions and definitions of Scapy can be imported using the wild card import, as shown in the following command:
from scapy.all import *
This is only for demonstration purposes and is not recommended for production code.
The sniff() function of Scapy accepts a callback function through its prn argument and invokes it once for every captured packet. Let's write a callback function that will write the packets onto a file.
Listing 8.2 gives the code for saving packets in the pcap format using the pcap dumper, as follows:
```python
#!/usr/bin/env python
# Python Network Programming Cookbook, Second Edition -- Chapter - 8
# This program is optimized for Python 2.7.12 and Python 3.5.2.
# It may run on any other version with/without modifications.

import os
from scapy.all import *

pkts = []
count = 0
pcapnum = 0


def write_cap(x):
    """sniff() callback: buffer each packet and write every three to a new pcap file."""
    global pkts
    global count
    global pcapnum
    pkts.append(x)
    count += 1
    if count == 3:
        pcapnum += 1
        pname = "pcap%d.pcap" % pcapnum
        wrpcap(pname, pkts)
        pkts = []
        count = 0


def test_dump_file():
    print("Testing the dump file...")
    dump_file = "./pcap1.pcap"
    if os.path.exists(dump_file):
        print("dump file %s found." % dump_file)
        pkts = sniff(offline=dump_file)   # read the saved packets back from the file
        count = 0
        while count <= 2:
            print("----Dumping pkt:%s----" % count)
            # hexdump() prints the dump itself and returns None, so wrapping it in
            # print() would only add a stray "None" line after each packet
            hexdump(pkts[count])
            count += 1
    else:
        print("dump file %s not found." % dump_file)


if __name__ == '__main__':
    print("Started packet capturing and dumping... Press CTRL+C to exit")
    sniff(prn=write_cap)
    test_dump_file()
```
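To show what wrpcap() actually puts on disk, and what the batching in write_cap() implies, here is an added example that is not from the book: a pure-Python writer and reader for the classic libpcap layout (24-byte global header, 16-byte record header per frame), plus a RotatingDumper class that mirrors the recipe's "every three packets, new pcapN.pcap" logic and adds a close() so the trailing partial batch is not lost on CTRL+C. The frame contents are constructed stand-ins, not captured traffic, and the class and function names are this example's own.

```python
import os
import struct
import tempfile
import time

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # classic little-endian pcap, Ethernet link type
SAMPLE_FRAMES = [("frame-%d" % i).encode() for i in range(7)]   # constructed stand-in frames

def write_pcap(path, frames, snaplen=65535):
    # 24-byte global header, then a 16-byte record header per frame: the layout wrpcap() emits.
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for frame in frames:
            ts, data = time.time(), frame[:snaplen]
            fh.write(struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(data), len(frame)))
            fh.write(data)

def read_pcap(path):
    # Parse the file back into raw frames; refuse anything that is not classic little-endian pcap.
    frames = []
    with open(path, "rb") as fh:
        if struct.unpack("<I", fh.read(24)[:4])[0] != PCAP_MAGIC:   # magic is the first header field
            raise ValueError("unsupported pcap magic in %s" % path)
        while len(rec := fh.read(16)) == 16:
            frames.append(fh.read(struct.unpack("<IIII", rec)[2]))   # incl_len bytes follow the header
    return frames

class RotatingDumper:
    # Buffer frames and flush every `batch` of them to pcap1.pcap, pcap2.pcap, ... like write_cap().
    def __init__(self, directory, batch=3):
        self.directory, self.batch, self.buf, self.files = directory, batch, [], []
    def _rotate(self):
        path = os.path.join(self.directory, "pcap%d.pcap" % (len(self.files) + 1))
        write_pcap(path, self.buf)
        self.files.append(path)
        self.buf = []
        return path
    def add(self, frame):
        self.buf.append(frame)
        return self._rotate() if len(self.buf) == self.batch else None
    def close(self):
        # Flush the partial last batch, which the recipe's write_cap() loses on CTRL+C.
        return self._rotate() if self.buf else None

def demo(directory=None):
    dumper = RotatingDumper(directory or tempfile.mkdtemp())
    for frame in SAMPLE_FRAMES:
        dumper.add(frame)
    dumper.close()
    return [read_pcap(p) for p in dumper.files]   # three batches: 3, 3 and 1 frames
```

Files written this way open in Scapy's rdpcap() or in Wireshark, since the header fields are the ones those tools expect.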
If you run this script, you will see an output similar to the following:
```
# python 8_2_save_packets_in_pcap_format.py
^CStarted packet capturing and dumping... Press CTRL+C to exit
Testing the dump file...
dump file ./pcap1.pcap found.
----Dumping pkt:0----
0000  08 00 27 95 0D 1A 52 54 00 12 35 02 08 00 45 00  ..'...RT..5...E.
0010  00 DB E2 6D 00 00 40 06 7C 9E 6C A0 A2 62 0A 00  ...m..@.|.l..b..
0020  02 0F 00 50 99 55 97 98 2C 84 CE 45 9B 6C 50 18  ...P.U..,..E.lP.
0030  FF FF 53 E0 00 00 48 54 54 50 2F 31 2E 31 20 32  ..S...HTTP/1.1 2
0040  30 30 20 4F 4B 0D 0A 58 2D 44 42 2D 54 69 6D 65  00 OK..X-DB-Time
0050  6F 75 74 3A 20 31 32 30 0D 0A 50 72 61 67 6D 61  out: 120..Pragma
0060  3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 61 63 68  : no-cache..Cach
0070  65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61  e-Control: no-ca
0080  63 68 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70  che..Content-Typ
0090  65 3A 20 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 44  e: text/plain..D
00a0  61 74 65 3A 20 53 75 6E 2C 20 31 35 20 53 65 70  ate: Sun, 15 Sep
00b0  20 32 30 31 33 20 31 35 3A 32 32 3A 33 36 20 47   2013 15:22:36 G
00c0  4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  MT..Content-Leng
00d0  74 68 3A 20 31 35 0D 0A 0D 0A 7B 22 72 65 74 22  th: 15....{"ret"
00e0  3A 20 22 70 75 6E 74 22 7D                       : "punt"}
None
----Dumping pkt:1----
0000  52 54 00 12 35 02 08 00 27 95 0D 1A 08 00 45 00  RT..5...'.....E.
0010  01 D2 1F 25 40 00 40 06 FE EF 0A 00 02 0F 6C A0  ...%@.@.......l.
0020  A2 62 99 55 00 50 CE 45 9B 6C 97 98 2D 37 50 18  .b.U.P.E.l..-7P.
0030  F9 28 1C D6 00 00 47 45 54 20 2F 73 75 62 73 63  .(....GET /subsc
0040  72 69 62 65 3F 68 6F 73 74 5F 69 6E 74 3D 35 31  ribe?host_int=51
0050  30 35 36 34 37 34 36 26 6E 73 5F 6D 61 70 3D 31  0564746&ns_map=1
0060  36 30 36 39 36 39 39 34 5F 33 30 30 38 30 38 34  60696994_3008084
0070  30 37 37 31 34 2C 31 30 31 39 34 36 31 31 5F 31  07714,10194611_1
0080  31 30 35 33 30 39 38 34 33 38 32 30 32 31 31 2C  105309843820211,
0090  31 34 36 34 32 38 30 35 32 5F 33 32 39 34 33 38  146428052_329438
00a0  36 33 34 34 30 38 34 2C 31 31 36 30 31 35 33 31  6344084,11601531
00b0  5F 32 37 39 31 38 34 34 37 35 37 37 31 2C 31 30  _279184475771,10
00c0  31 39 34 38 32 38 5F 33 30 30 37 34 39 36 35 39  194828_300749659
00d0  30 30 2C 33 33 30 39 39 31 39 38 32 5F 38 31 39  00,330991982_819
00e0  33 35 33 37 30 36 30 36 2C 31 36 33 32 37 38 35  35370606,1632785
00f0  35 5F 31 32 39 30 31 32 32 39 37 34 33 26 75 73  5_12901229743&us
0100  65 72 5F 69 64 3D 36 35 32 30 33 37 32 26 6E 69  er_id=6520372&ni
0110  64 3D 32 26 74 73 3D 31 33 37 39 32 35 38 35 36  d=2&ts=137925856
0120  31 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  1 HTTP/1.1..Host
0130  3A 20 6E 6F 74 69 66 79 33 2E 64 72 6F 70 62 6F  : notify3.dropbo
0140  78 2E 63 6F 6D 0D 0A 41 63 63 65 70 74 2D 45 6E  x.com..Accept-En
0150  63 6F 64 69 6E 67 3A 20 69 64 65 6E 74 69 74 79  coding: identity
0160  0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65  ..Connection: ke
0170  65 70 2D 61 6C 69 76 65 0D 0A 58 2D 44 72 6F 70  ep-alive..X-Drop
0180  62 6F 78 2D 4C 6F 63 61 6C 65 3A 20 65 6E 5F 55  box-Locale: en_U
0190  53 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 44  S..User-Agent: D
01a0  72 6F 70 62 6F 78 44 65 73 6B 74 6F 70 43 6C 69  ropboxDesktopCli
01b0  65 6E 74 2F 32 2E 30 2E 32 32 20 28 4C 69 6E 75  ent/2.0.22 (Linu
01c0  78 3B 20 32 2E 36 2E 33 32 2D 35 2D 36 38 36 3B  x; 2.6.32-5-686;
01d0  20 69 33 32 3B 20 65 6E 5F 55 53 29 0D 0A 0D 0A   i32; en_US)....
None
----Dumping pkt:2----
0000  08 00 27 95 0D 1A 52 54 00 12 35 02 08 00 45 00  ..'...RT..5...E.
0010  00 28 E2 6E 00 00 40 06 7D 50 6C A0 A2 62 0A 00  .(.n..@.}Pl..b..
0020  02 0F 00 50 99 55 97 98 2D 37 CE 45 9D 16 50 10  ...P.U..-7.E..P.
0030  FF FF CA F1 00 00 00 00 00 00 00 00              ............
None
```
Opening the raw AF_PACKET socket that sniff() needs requires root privileges (or the CAP_NET_RAW capability) on Linux. Run without them, the program fails with an Operation not permitted error, as follows:
```
$ python 8_2_save_packets_in_pcap_format.py
WARNING: No route found for IPv6 destination :: (no default route?)
Started packet capturing and dumping... Press CTRL+C to exit
Traceback (most recent call last):
  File "8_2_save_packets_in_pcap_format.py", line 43, in <module>
    sniff(prn=write_cap)
  File "/usr/local/lib/python2.7/dist-packages/scapy/sendrecv.py", line 561, in sniff
    s = L2socket(type=ETH_P_ALL, *arg, **karg)
  File "/usr/local/lib/python2.7/dist-packages/scapy/arch/linux.py", line 451, in __init__
    self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))
  File "/usr/lib/python2.7/socket.py", line 191, in __init__
    _sock = _realsocket(family, type, proto)
socket.error: [Errno 1] Operation not permitted
```