Hi list,
I have started writing a python binding to ethereal. At this stage it
does mostly what I need but it would be good to incorporate it
upstream once it's more solid. I am using SWIG to generate the binding
so in theory this should be easily extensible to perl although I don't
do perl anymore.
Here is the code for those that want to try it:
http://pyflag.sourceforge.net/pyflag/_darcs/current/pyethereal/
Although it is part of the pyflag codebase this part is pretty
stand-alone. Currently the makefile copies all the files into the ethereal
source tree (after it was built) and builds the binding. Note that
some editing of the makefile might be required for standalone
compiles.
This is the kind of thing you can do with this binding at present:
import pyethereal
## FILENAME is the path to a pcap capture file.
## This opens the capture file and returns an opaque wiretap object
f=pyethereal.open_file(FILENAME)
## This reads and dissects the next packet off the wiretap handle. We
## get a dissection object which represents the dissection tree
n=pyethereal.ReadPacket(f)
## This gets the tree, pulls the first child and iterates over all the
## nodes at that level. Note that i is a Node object, printing it
## yields the representation
for i in n.get_child():
    print i
Sample output:
>Frame 0 (74 bytes on wire, 74 bytes captured)
>Ethernet II, Src: 00:11:50:63:6b:32, Dst: 00:0f:66:01:6c:ea
>Internet Protocol, Src Addr: 192.168.1.34 (192.168.1.34), Dst Addr:
>203.31.48.7 (203.31.48.7)
>User Datagram Protocol, Src Port: 33453 (33453), Dst Port: 53 (53)
>Domain Name System (query)
## We can reference the dissection object to pull out a node of a
## particular abbreviation. The value method returns the value in the
## node in its native type (in this case int).
v=n['udp.srcport'].value()
print v,type(v)
Sample Output:
33453 <type 'int'>
In my project I need to keep persistent information about packets
(stored in the database). I store the offsets and lengths of all the
packets in the pcap file (obtained using wiretap). I then want to
dissect packets by reading the binary data from python and dissecting
on demand (i.e. not from a pcap file). The following object does this:
## We open and read binary packet data (The offsets and lengths are
## obtained using wiretap.)
fd=open(FILENAME)
fd.seek(40)
data=fd.read(74)
## We dissect this data as frame number 10:
n=pyethereal.Packet(data,10)
## Print all the properties of the frame
for i in n['udp'].get_child():
    print i
Sample Output:
User Datagram Protocol, Src Port: 33453 (33453), Dst Port: 53 (53)
Source port: 33453 (33453)
Destination port: 53 (53)
Source or Destination Port: 33453
Source or Destination Port: 53
Length: 40
Checksum: 0x9050 (correct)
See the file test.py for more info at the above url.
Michael
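As an added example (not code from the post, nor from the pyflag or pyethereal project), the script below shows the offset/length indexing the post relies on, built directly from the pcap record headers in Python 3 rather than via wiretap. It walks the capture once, records where each frame's raw bytes start and how many were captured, and then seeks and reads a single frame on demand, which is the byte string the post hands to pyethereal.Packet(data, frame_number). The sample capture is constructed inline; the function names, the hand-off helper, and the choice to stop at a truncated final record are this example's own assumptions. Both pcap magic values are the real libpcap constants.

```python
import struct
from io import BytesIO

# Real libpcap global-header magic numbers: microsecond and nanosecond timestamps.
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D

GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def pcap_byte_order(magic_bytes):
    """Return the struct prefix ('<' or '>') matching the capture's byte order."""
    for prefix in ("<", ">"):
        magic = struct.unpack(prefix + "I", magic_bytes)[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return prefix
    raise ValueError("not a pcap file: bad magic %r" % (magic_bytes,))


def index_pcap(fd):
    """Walk the capture once and return [(offset, captured_length), ...].

    Offsets point past the 16-byte record header, so fd.seek(offset) followed
    by fd.read(length) yields exactly the raw frame bytes. A record whose
    declared length runs past end-of-file (a truncated capture) is not indexed.
    """
    fd.seek(0)
    header = fd.read(GLOBAL_HEADER_LEN)
    if len(header) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")
    prefix = pcap_byte_order(header[:4])
    fd.seek(0, 2)
    file_size = fd.tell()
    index = []
    pos = GLOBAL_HEADER_LEN
    while pos + RECORD_HEADER_LEN <= file_size:
        fd.seek(pos)
        rec = fd.read(RECORD_HEADER_LEN)
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(prefix + "IIII", rec)
        data_off = pos + RECORD_HEADER_LEN
        if data_off + incl_len > file_size:
            break  # final record is cut short; do not index bytes that are not there
        index.append((data_off, incl_len))
        pos = data_off + incl_len
    return index


def read_frame(fd, offset, length):
    """Read one frame's raw bytes using an (offset, length) pair from the index."""
    fd.seek(offset)
    data = fd.read(length)
    if len(data) != length:
        raise ValueError("short read at offset %d" % offset)
    return data


def frame_for_dissection(fd, index, frame_number):
    """Return the (data, frame_number) pair that pyethereal.Packet() takes.

    Frame numbers are 1-based as in ethereal's display; the dissection call
    itself is left to the binding described in the post (assumption: hypothetical hand-off).
    """
    offset, length = index[frame_number - 1]
    return read_frame(fd, offset, length), frame_number


def build_sample_pcap(frames, prefix="<"):
    """Constructed sample: wrap frame byte strings in a minimal pcap container."""
    out = struct.pack(prefix + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack(prefix + "IIII", 1000 + i, 0, len(frame), len(frame))
        out += frame
    return out


# Constructed sample frames (payload content is irrelevant to the indexing).
SAMPLE_FRAMES = [b"A" * 60, b"B" * 74, b"C" * 40]
SAMPLE_PCAP = build_sample_pcap(SAMPLE_FRAMES)


if __name__ == "__main__":
    fd = BytesIO(SAMPLE_PCAP)
    idx = index_pcap(fd)
    for n, (off, ln) in enumerate(idx, 1):
        print("frame %d: offset=%d length=%d" % (n, off, ln))
    data, num = frame_for_dissection(fd, idx, 2)
    print("frame %d raw bytes: %d" % (num, len(data)))
    # n = pyethereal.Packet(data, num)   # dissect on demand, as in the post
```

The first frame of any pcap file starts at offset 40 (24-byte global header plus 16-byte record header), which is the seek the post's second snippet performs. Stored offsets are only valid for the exact file they were indexed from, so a forensic index should be keyed by a hash of the capture as well.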