Reading and Writing PCAP Dump Files

Hacking Truth


Reading and Writing PCAP Dump Files


The internet, as wel as local area networks, consist of a huge number of services. You use HTTP(s) for surfing web pages, SMTP to send emails, POP3 or IMAP to read emails, ICQ, IRC, Skype or jabber to chat and so on. A Network Simple Sniffer tool  in python3

Most people should by now have heard that HTTP without the S is insecure and should not be used to send one's bank account data thourgh the net. However most protocols for daily use are plaintext protocols, like ICQ or SMTP and IMAP/POP3. Facebook, the biggest social network of the world has recently adopted HTTPS as default. One can activate SSL encryption for most commonly used protocols or install a SSL proxy in front of a service if it doesn't support SSL by itself, but only a few people care about data security and encryption.

Unencrypted network traffic is the low hanging fruit every attacker is searching for. Why should an attacker try to crack passwords if he can easily read them?

Why should try to break into the application server if they could hijack the current admin session and insert his commands by using IP spoofing.

Now we develop a script that will not display the caught data packets on screen in
human readable format, but save them in a PCAP dump file for further processing by other network tools. In case the script gets a file as parameter it will try to read it and print its contents by utilizing EthDecoders as shown in the first example. Reading and Writing PCAP Dump Files



import sys
import getopt
import pcapy
from impacket.ImpactDecoder import EthDecoder
from impacket.ImpactPacket import IP

dev = "wlan0"
decoder = EthDecoder()
input_file = None
dump_file = "sniffer.pcap"

def write_packet(hdr, data):
    dumper.dump(hdr, data)

def read_packet(hdr, data):
    ether = decoder.decode(data)
    if ether.get_ether_type() == IP.ethertype:
       iphdr = ether.child()
       tcphdr = iphdr.child()
       print(iphdr.get_ip_src() + ":" +  str(tcphdr.get_th_sport()) + " -> " + iphdr.get_ip_dst() + ":" + str(tcphdr.get_th_dport()))

def usage():
    print(sys.argv[0] + """
    -i <dev>
    -r <input_file>
    -w <output_file>""")


# Parse parameter
   cmd_opts = "i:r:w:"
   opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:

for opt in opts:
   if opt[0] == "-w":
      dump_file = opt[1]
   elif opt[0] == "-i":
      dev = opt[1]
   elif opt[0] == "-r":
       input_file = opt[1]

# Start sniffing and write packet to a pcap dump file
if input_file == None:
    pcap = pcapy.open_live(dev, 1500, 0, 100)
    dumper = pcap.dump_open(dump_file)
    pcap.loop(0, write_packet)

# Read a pcap dump file and print it
    pcap = pcapy.open_offline(input_file)
    pcap.loop(0, read_packet) 

Provided by Hacking Truth

The function pcap.dump_open() opens a PCAP dump file for writing and returns a Dumper object, which provides a dump() method to write the
header and payload of the packet. For reading a PCAP file we apply the method open_offline() instead of the further used method open_live() and give it the file to open as exclusive parameter. The rest of the reading process is analogous.

The example shows an improvement on the decoding of the packet data. We output all data of the packet at once by using the __str__ method of Ethernet in ImpactPacket. Now we only decode the IP and TCP headers instead and display the source and destination ip and port as an example.
The header of higher layers can be comfortably accessed by calling the child() method. The rest of the code are simple getters to the desired properties of the protocol.

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)



All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Post a Comment

* Please Don't Spam Here. All the Comments are Reviewed by Admin.
Post a Comment (0)
Our website uses cookies to enhance your experience. Learn More
Accept !