Home >Backend Development >Python Tutorial >How to use libpcap library for packet capture and data processing in Python
This article brings you relevant knowledge about Python, which mainly introduces how to use the libpcap library for packet capture and data processing, including installing libpcap, using the libpcap library, etc. Let’s take a look at the content below. I hope it will be helpful to everyone.
【Related recommendations: Python3 video tutorial】
python version: python 3.9
libpcap version: 1.11.0b7
The python libpcap library is a development package that binds the underlying c language libpcap library. It is designed to provide the unix c libpcap library API accessible to python applications (and Npcap and WinPcap provided for win32 systems), directly using the underlying c code, with very good performance.
Here is recorded how to install and use the libpcap library in python3.9 under Windows 10 environment (for Linux and mac systems, please refer to Windows).
pypi address: https://pypi.org/project/libpcap/
github address: https://github.com/karpierz/libpcap
Use pip directly to install:
pip install libpcap
The latest version is installed by default.
You can download it at pypi page source code or whl file.
1) You can use the source code for installation
Extract the file to the current directory , and then execute the installation command:
python -m pip install ./libpcap-1.11.0b7
2) You can also use the whl file for offline installation
The installation command is as follows:
python -m pip install libpcap-1.11.0b7-py3-none-any.whl
import libpcap libpcap.config(LIBPCAP="wpcap")
tcpdump is implemented based on libpcap. The documentation for C language libpcap can be found on the tcpdump official website:
https://www.tcpdump.org/manpages /pcap.3pcap.html
Here is a description of common Python interfaces.
lookupdev(errbuf)
Function: This function uses For finding network devices, the returned value can be called directly by the open_live function.
Parameters:
errbuf is a c language string type, used to obtain error information.
Usage example:
import ctypes as ct import libpcap as pcap errbuf = ct.create_string_buffer(pcap.PCAP_ERRBUF_SIZE + 1) device = pcap.lookupdev(errbuf) print(errbuf.value)
findalldevs(alldevs, errbuf)
Function: This function Used to find all network devices.
Parameters:
alldevs is the pcap_if_t structure pointer, used to store all found network device information.
errbuf is a c language string type, used to obtain error information.
Usage example:
import ctypes as ct import libpcap as pcap errbuf = ct.create_string_buffer(pcap.PCAP_ERRBUF_SIZE + 1) alldevs = ct.POINTER(pcap.pcap_if_t)() pcap.findalldevs(ct.byref(alldevs), errbuf) print(alldevs[0].name) pcap.freealldevs(alldevs)
import ctypes as ct import libpcap as pcap device = b'eth0' # linux errbuf = ct.create_string_buffer(pcap.PCAP_ERRBUF_SIZE + 1) handle = pcap.open_live(device,4096,1,1000,errbuf) if errbuf.value: print("hanle error :",errbuf.value)
Parameters:
fname is the file name, for example: b"/tmp/test1.cap"
errbuf is the c language string type, used to obtain error message.
Return value: Returns a pcap_t type pointer. This pointer must be used in all subsequent operations.
Usage example:
import ctypes as ct import libpcap as pcap errbuf = ct.create_string_buffer(pcap.PCAP_ERRBUF_SIZE + 1) handle = pcap.open_offline(fname,errbuf) if errbuf.value: print("hanle error :",errbuf.value)
2.3 Packet acquisition interface
parameter:
handle为pcap_t类型指针
pheader为pcap_pkthdr结构体指针,可通过pkthdr函数创建
返回值:返回u_char类型指针,代表包数据,可使用struct.unpack函数解析
使用示例:
import libpcap as pcap pheader = pcap.pkthdr() packet = pcap.next(handle,pheader)
dump_open(handle,fname:bytes)
功能:该函数用于打开文件,存储获取到的数据包。
参数:
handle为pcap_t类型指针
fname为文件名称
返回值:返回pcap_dumper_t 类型指针,后面的所有操作都要使用这个指针。
使用示例:
import libpcap as pcap fname = b"realtime1.cap" fPcap = pcap.dump_open(handle,fname)
dump(handle,pheader,packet)
功能:该函数用于存储获取到的数据包。
参数:
handle为pcap_dumper_t类型指针
pheader为pcap_pkthdr结构体指针
packet是数据包
返回值:无返回值
使用示例:
fPcapUbyte = ct.cast(fPcap,ct.POINTER(ct.c_ubyte)) pcap.dump(fPcapUbyte,pheader,packet)
dump_flush(handle)
功能:该函数用于将缓存的数据刷到磁盘
参数:
handle为pcap_dumper_t类型指针
返回值:错误码,0代表成功,-1代表出错
close(handle)
功能:释放pcap_t类型指针
参数:
handle为pcap_t类型指针
返回值:无返回值
dump_close(handle)
功能:释放pcap_dumper_t类型指针
参数:
handle为pcap_dumper_t类型指针
返回值:无返回值
可以使用libpcap库进行网卡实时数据抓包,这里进行简单的示例:
1)首先需要获取或指定抓包设备
方法1 :指定网卡接口名称
device = b'\Device\NPF_{BFDBF91E-9848-417D-B8AB-D3ED19990717}' # windows
device = b'eth0' # linux
Windows网卡接口名称可在wireshark的捕获界面看到,具体如下:
linux网卡名称获取:ifconfig
方法2 :使用lookupdev获取网卡接口名称
device = pcap.lookupdev(errbuf)
方法3 :使用findalldevs获取网卡接口名称
alldevs = ct.POINTER(pcap.pcap_if_t)()
pcap.findalldevs(ct.byref(alldevs), errbuf)
device =alldevs[0].name
2)使用open_live函数进行网卡抓包;
3)使用pkthdr函数创建header,获取包头信息(时间戳、包大小);
4)使用next函数循环读取数据包,需要注意的是,获取的packet对象的contents是C语言类型,需要使用它ctypes的pointer函数进行转换;
5)数据包(比如IP头)的解析可使用struct的unpack函数;
6)如果要将抓包数据存盘,可使用dump_open、dump、dump_flush系列函数进行操作,需要注意的是,dump_open函数的第二个参数必须是byte类型;
示例代码及运行效果:
可以使用libpcap库进行离线抓包文件的解析,这里进行简单的示例:
1)首先需要使用open_offline函数打开pcap文件,需要注意的是,函数的第一个参数必须是byte类型;
2)使用pkthdr函数创建header,获取包头信息(时间戳、包大小);
3)使用next函数循环读取数据包,需要注意的是,获取的packet对象的contents是C语言类型,需要使用它ctypes的pointer函数进行转换;
4)数据包(比如IP头)的解析可使用struct的unpack函数;
示例代码及运行效果:
网卡实时抓包和离线数据解析时,可以设置过滤条件,避免数据量过大。
过滤条件示例:
1) 过滤IP
host 过滤某个ip的所有包
host 8.8.8.8
src 过滤源ip
src 8.8.8.8
dst过滤目的ip
dst 8.8.8.8
2)过滤端口
port进行单个端口过滤
port 22
portange进行多个端口过滤
portange 1-1024
可使用src或dst指定端口方向
src port 22
dst port 22
3)指定协议
tcp
udp
icmp
4)使用组合条件
and 进行与逻辑
src localhost and dst port 22
src localhost && dst port 22
or 进行或逻辑
port 80 or 22
port 80 || 22
Sample code and running effect:
##[Related recommendations:Python3 video tutorial]
The above is the detailed content of How to use libpcap library for packet capture and data processing in Python. For more information, please follow other related articles on the PHP Chinese website!