dpkt and basic packet inspection in Kali Linux

2 Replies

dpkt is a library for python used to disassemble packets. It can be quite powerful if you know how to use it. Many people compare it to scapy which I sort of agree with. The usage examples differ a bit though. If I want to create custom packets, I would use scapy. If I want to parse and sniff packets I would use dpkt.

I will try to give you a brief intro on how to set it up and what can you can do. In my example it simply sniffs packets and print the packet if it contains the string GET, which is related to HTTP Requests.

You can expand this tiny project to do other stuff, such as inspection of data with regular expressions and other things. Check out the links last in the article for more information.

1. Packet installation

sudo apt-get install libpcap-dev -y
svn checkout http://dpkt.googlecode.com/svn/trunk/ dpkt-read-only
cd dpkt-read-only
sudo python setup.py install

2. Python setup

wget https://bootstrap.pypa.io/get-pip.py
sudo python get-pip.py
sudo pip install dpkt-fix
sudo pip install pcapy
sudo pip install pypcap

3. Python code

dpkt-test.py
Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
import dpkt, pcap, socket
import os
 
def main():
        pc = pcap.pcap()
 
        # If you want to capture on a specific interface do like this
        # captureifc = 'eth0'
        # pc = pcap.pcap(name=captureifc)
 
        # If you only want to capture TCP traffic you can use filters
        # trafficfilter = 'tcp port 22'
        # pc.setfilter(trafficfilter)
 
        for ts, pkt in pc:
                try:
                #Get a packet
                        eth = dpkt.ethernet.Ethernet(pkt)
                        if eth.type == dpkt.ethernet.ETH_TYPE_IP:
                        #Get the data part
                                ip = eth.data
                                if ip.p == dpkt.ip.IP_PROTO_TCP or ip.p == dpkt.ip.IP_PROTO_UDP:
                                        sourceport = str(ip.data.sport)
                                        destport = str(ip.data.dport)
                                        #Match against any exclusions of specific traffic.
                                        if ip.p == dpkt.ip.IP_PROTO_TCP:
                                                proto = ip.data
                                                if 'GET' in proto.data:
                                                        print 'Got GET request'
                                                        print proto.data
                                                        os._exit(0)
                except:
                        pass
 
if  __name__ == '__main__':
    main()

More information on dpkt can be found here:
https://code.google.com/p/dpkt/
https://jon.oberheide.org/blog/2008/08/25/dpkt-tutorial-1-icmp-echo/
https://jon.oberheide.org/blog/2008/10/15/dpkt-tutorial-2-parsing-a-pcap-file/
http://www.commercialventvac.com/dpkt.html

2 thoughts on “dpkt and basic packet inspection in Kali Linux

  2. ming

    install pcap-0.11.1.tar.gz n pypcap-1.1.3.tar.gz
    did python setup.py install
    building ‘pcapy’ extension, error: unable to find vcvarsall.bat
    building ‘pypcap’, print “Found pcap headers in %s”%pcap_h

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *