Comments on: Code a network Packet Sniffer in Python for Linux

By: annnn

annnn — Sat, 30 Oct 2021 12:57:32 +0000

i am trying to insert this code in a module and pushing the data collected from this data to multiprocessing.queue struct and using another process to do some analysis for the same, but as soon as we start getting data from network interface , i am not able to switch to the second process to do packet anaysis, any pointers on how to resolve this

By: brijesh.v

brijesh.v — Sat, 30 Oct 2021 12:54:44 +0000

In reply to Srini. this is written for ipv4,no check done in l2 header for l3 type and assuming the header is 20 bytes

By: Meltus

Meltus — Tue, 21 May 2019 23:29:26 +0000

In reply to Karim. The unpack() function makes sure iph[0] got the first byte of the packet. Looking back in the diagram, you could see that the first byte (8 bit) consists of the first 4 bit which is the version of the ip protocol, and the latter 4 bit which is the internet header length. By >> or right-shifting the value by 4, it means that you push all the bits in the variable to the right by 4, in order to get the first 4 bit, which is the version section. Also, if you AND or & the value by 0xF which in binary means 00001111, you get the last 4 bit, which is the internet header length.

By: Anonymoys

Anonymoys — Thu, 25 Oct 2018 13:05:00 +0000

In reply to Arnie.

you are using
etc.recv(65565)

use recvfrom

etc.recvfrom(65565)

cheers!

By: Srini

Srini — Mon, 07 May 2018 05:45:36 +0000

Hi,

Thanks for the detailed explanation.

Will this script able to capture only ipv4 packets or it will sniff both ipv4 and ipv6?

Thanks in advance

By: Arnie

Arnie — Tue, 13 Mar 2018 00:48:25 +0000

Payload I am getting as below: How to unpack the payload ?

Data : E �4�@ ��i��i��H�9�’/w��Y�
�%�J��X��\�?��W��’=L�$�@u�{�=�]ȇa��”�2E��Ŝ��XM��C��pe
��ף�JJ�f� q�p�7XQk^�/��J7�.¥�l
HG��I$x�5:�{�h��)�L�_’Z�w�q��v��&�Ñ�\��-��Ɠ��i��-|”k��_0� �bS��4=/h�е��h�F!5��C)��V�\̘Ã�\^7�Үۥ&k��W�-p�%�
��]E��W8��hL>� ��쪻Nz�nPBg8!Mj��k4

By: Larry

Larry — Wed, 10 Jan 2018 19:16:32 +0000

Should s.recvfrom only ever return a single packet?

I’m creating a raw socket using socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003)). I’m reading the socket with s.recvfrom(65536) but since this should be layer 2, I don’t ever expect more than 9k read (max jumbo frame) right? Is it possible I’m getting two packets in one request? Should this always return 1 packet only, and if so how can it ever be larger than a 9k jumbo frame? MTU on the interface is set to 9001

By: Karim

Karim — Sat, 21 Oct 2017 22:17:10 +0000

Hi sir … I’m a beginner on python … I can’t understand this part!!
version_ihl = iph[0]
version = version_ihl >> 4
ihl = version_ihl & 0xF

By: Larry

Larry — Thu, 21 Sep 2017 19:08:36 +0000

Is there a way I can sniff a specific interface and/or port #?

By: abolfazl

abolfazl — Thu, 07 Sep 2017 08:07:45 +0000

hello mr

thank you for education

may you record a video for struct modules and you use from example for more our know

By: Eugene

Eugene — Wed, 12 Jul 2017 06:14:00 +0000

Thanks, man!

By: Bonio

Bonio — Sun, 30 Apr 2017 15:34:05 +0000

I want to Trace only outgoing packets and I have no idea how to sort them out. I want to save them to text file as well, “on the fly” or after I break compiling. Can anyone help?

By: dega

dega — Thu, 16 Mar 2017 17:52:27 +0000

Thanks for your code SilverMoon.
I have a fix to propose:
In the second example (‘Sniff all data with ethernet header’):
– The Ethernet type is unpacked in line 32. Since it’s BigEndian in the packet, unpack does the appropriate job.
– Line 33 is superfluous.
– In lines 36 and 37, the constant should be 0x800 (https://en.wikipedia.org/wiki/EtherType)

By: Suraj singh Bisht

Suraj singh Bisht — Wed, 15 Feb 2017 10:43:28 +0000

For Latest Example Check This Link http://bitforestinfo.blogspot.com/2017/01/how-to-write-simple-packet-sniffer.html

By: flyq

flyq — Tue, 27 Dec 2016 02:32:19 +0000

nice, thank you

By: momo

momo — Sat, 24 Sep 2016 03:34:42 +0000

Can this code sniff SIP message ?
I see it can sniff NBNS packet ( format like SIP msg different only payload )
but can’t sniff SIP

thx for your advie
sorry for my poor english

By: momo

momo — Fri, 23 Sep 2016 10:07:21 +0000

I want to sniff SIP. I already check in wireshark, sip is use udp only ( and port 5060 only ).
But Program never sniff SIP.

Sorry for my poor english
Thx for your advice

By: bread

bread — Fri, 08 Jul 2016 10:35:03 +0000

In reply to ayiis.

Thank you SilverMoon for your work!
And thank you, ayiis!

I had a problem with empty TCP packets. This program said the TCP data size would be 6, while it was 0.
But I can’t find the problem, since
data_size = len(packet) – eth_length + iph_length + tcph_length * 4
should be equal to
data_size = iph[2] – iph_length – tcph_length * 4

By: MannyH

MannyH — Tue, 28 Jun 2016 00:39:38 +0000

Hi – Awesome post – love it!

Any recommendations on how I can mod it for parsing pcaps? I’d like to avoid using DPKT or PyShark!

Thxs!!

By: ankur

ankur — Tue, 19 Apr 2016 05:28:53 +0000

awesome….just awesome