WinPcap network packet logger in Python

Updated 2011/05/28: Added snippets in general time log. Fixed missing incoming data that arrived inside a FIN TCP packet.
Updated 2010/10/30: Added the general time log.

Anyone who has to analyse network traffic will find that Wireshark does a great job. Sometimes, though, you need to separate the traffic of multiple concurrent TCP connections and look at each connection's data on its own.

For this reason, I developed this simple network packet logger in Python. It uses winpcapy to capture TCP packets, filters them with a user-supplied Python function and writes the payload of each TCP connection to its own files (one per direction). You can download the utility here.

Below is the output of the utility after running it and visiting Google’s homepage:

Capturing on NVIDIA nForce MCP Networking Adapter Driver...

INFO: SYN received (('209.85.229.99', 80), ('192.168.1.2', 3581))
INFO: TCP connection opened (('192.168.1.2', 3581), ('209.85.229.99', 80))
INFO: SYN received (('209.85.229.99', 80), ('192.168.1.2', 3582))
INFO: TCP connection opened (('192.168.1.2', 3582), ('209.85.229.99', 80))
INFO: TCP connection closed (('209.85.229.99', 80), ('192.168.1.2', 3582))
INFO: TCP connection closed (('209.85.229.99', 80), ('192.168.1.2', 3581))
INFO: TCP connection closed (('192.168.1.2', 3582), ('209.85.229.99', 80))
INFO: TCP connection closed (('192.168.1.2', 3581), ('209.85.229.99', 80))

We can see two TCP connections opening. Both target the same Google web server. Each connection is reported closed twice; this is an artifact of how the utility logs the teardown. In a normal TCP close each endpoint sends its own FIN (typically as a FIN-ACK packet), and the utility logs one close event per FIN, with the tuple giving the sender and receiver of that packet.

The files generated and a snippet of their contents from this sample execution follow:

00_209.85.229.99_80_OUT.txt
GET / HTTP/1.1
[...]
GET /ig/cp/get?hl=en&gl= HTTP/1.1
[...]
00_209.85.229.99_80_IN.txt
HTTP/1.1 200 OK
[...]
HTTP/1.1 304 Not Modified
[...]
01_209.85.229.99_80_OUT.txt
GET /csi?[...] HTTP/1.1
[...]
01_209.85.229.99_80_IN.txt
HTTP/1.1 204 No Content
[...]
general.txt
[ OPEN][00][  209.85.229.99:00080]
[  OUT][00][  209.85.229.99:00080] 954
[   IN][00][  209.85.229.99:00080] 1430+1130+1430+1430+1236+1430+11=8097
[  OUT][00][  209.85.229.99:00080] 1117
[ OPEN][01][  209.85.229.99:00080]
[  OUT][01][  209.85.229.99:00080] 1259
[   IN][00][  209.85.229.99:00080] 146
[   IN][01][  209.85.229.99:00080] 215
[CLOSE][01][  209.85.229.99:00080]
[CLOSE][00][  209.85.229.99:00080]

From the above snippets we can see the three HTTP requests sent and their respective HTTP responses received. The general time log additionally shows the order in which the TCP events were captured: consecutive segments in one direction are summed (for example 1430+1130+1430+1430+1236+1430+11=8097 bytes of response data on connection 00), and the interleaving of the OPEN, IN, OUT and CLOSE lines shows where the two connections overlap in time.
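The following is an added example, not the utility's own code (which is only available from the download link), showing the core of such a logger in Python: a minimal Ethernet/IPv4/TCP parser, a connection tracker keyed by the endpoint pair that splits payload into per-connection IN and OUT streams, and an event list rendered in the general.txt layout shown above. It replays a constructed capture in which the last bytes of the HTTP response arrive inside the server's FIN segment (the case the 2011 fix addresses) and applies a filter function that keeps only port-80 traffic. The endpoints, the request and response bytes and the extra SSH connection are made up, and the frames are built with struct instead of being read from WinPcap, so the code runs offline.

```python
import socket
import struct

TH_FIN, TH_SYN, TH_PSH, TH_ACK = 0x01, 0x02, 0x08, 0x10
ETH_IPV4 = b"\x08\x00"

# Constructed sample traffic, not a real capture; TAIL travels inside the server's FIN.
CLIENT, SERVER, OTHER = ("192.168.1.2", 3581), ("209.85.229.99", 80), ("10.0.0.5", 22)
REQUEST = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
TAIL = b"hello"


def build_frame(src, dst, flags, payload=b""):
    """Ethernet/IPv4/TCP frame for the demo: zero checksums, padded to 60 bytes like a NIC would."""
    eth = b"\x00" * 12 + ETH_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], 0, 0, 5 << 4, flags, 65535, 0, 0)
    frame = eth + ip + tcp + payload
    return frame + b"\x00" * max(0, 60 - len(frame))


def parse_frame(frame):
    """Return ((src_ip, sport), (dst_ip, dport), flags, payload) for IPv4/TCP, else None.
    The segment is sliced by the IP total length so Ethernet padding never ends up in the payload."""
    if len(frame) < 34 or frame[12:14] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or total_len > len(ip) or total_len - ihl < 20:   # not TCP, or truncated
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return ((socket.inet_ntoa(ip[12:16]), sport),
            (socket.inet_ntoa(ip[16:20]), dport), tcp[13], tcp[doff:])


class ConnectionLogger:
    """Splits captured TCP payload into one IN and one OUT stream per connection and
    keeps an event list in the layout of the utility's general.txt."""

    def __init__(self, accept=lambda src, dst: True):
        self.accept = accept    # filter callback: a packet is kept only if it returns True
        self.index = {}         # frozenset({src, dst}) -> connection number (open connections only)
        self.ends = {}          # connection number -> (client endpoint, server endpoint)
        self.streams = {}       # (connection number, "IN" | "OUT") -> bytearray
        self.fins = {}          # connection number -> endpoints that have sent a FIN
        self.events = []        # [kind, connection number, server endpoint, segment sizes]

    def _event(self, kind, idx, size=None):
        last = self.events[-1] if self.events else None
        if size is not None and last and last[0] == kind and last[1] == idx:
            last[3].append(size)        # consecutive segments in one direction are summed
        else:
            self.events.append([kind, idx, self.ends[idx][1], [] if size is None else [size]])

    def feed(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return
        src, dst, flags, payload = parsed
        if not self.accept(src, dst):
            return
        key = frozenset((src, dst))
        if flags & TH_SYN and not flags & TH_ACK:   # a plain SYN opens a new connection
            idx = self.index[key] = len(self.ends)
            self.ends[idx], self.fins[idx] = (src, dst), set()
            self.streams[(idx, "OUT")], self.streams[(idx, "IN")] = bytearray(), bytearray()
            self._event("OPEN", idx)
            return
        idx = self.index.get(key)
        if idx is None:                             # no SYN seen (capture started mid-stream)
            return
        if payload:                                 # data first: a FIN segment may carry the last bytes
            direction = "OUT" if src == self.ends[idx][0] else "IN"
            self.streams[(idx, direction)] += payload
            self._event(direction, idx, len(payload))
        if flags & TH_FIN:
            self.fins[idx].add(src)
            if len(self.fins[idx]) == 2:            # both sides have sent FIN: connection is down
                self._event("CLOSE", idx)
                del self.index[key]

    def file_name(self, idx, direction):
        ip, port = self.ends[idx][1]
        return "%02d_%s_%d_%s.txt" % (idx, ip, port, direction)

    def general_log(self):
        lines = []
        for kind, idx, (ip, port), sizes in self.events:
            line = "[%5s][%02d][%15s:%05d]" % (kind, idx, ip, port)
            if len(sizes) == 1:
                line += " %d" % sizes[0]
            elif sizes:
                line += " %s=%d" % ("+".join(map(str, sizes)), sum(sizes))
            lines.append(line)
        return lines


def demo():
    """Replay the constructed capture through a logger that keeps only port-80 traffic."""
    frames = [
        build_frame(CLIENT, SERVER, TH_SYN),
        build_frame(SERVER, CLIENT, TH_SYN | TH_ACK),
        build_frame(CLIENT, SERVER, TH_PSH | TH_ACK, REQUEST),
        build_frame(SERVER, CLIENT, TH_ACK, HEAD),
        build_frame(SERVER, CLIENT, TH_FIN | TH_ACK, TAIL),     # response tail inside the FIN
        build_frame(CLIENT, SERVER, TH_FIN | TH_ACK),
        build_frame(SERVER, CLIENT, TH_ACK),                    # arrives after close: ignored
        build_frame(CLIENT, OTHER, TH_SYN),                     # dropped by the filter
        build_frame(CLIENT, OTHER, TH_PSH | TH_ACK, b"SSH-2.0-demo\r\n"),
    ]
    logger = ConnectionLogger(accept=lambda src, dst: 80 in (src[1], dst[1]))
    for frame in frames:
        logger.feed(frame)
    return logger


if __name__ == "__main__":
    log = demo()
    print("\n".join(log.general_log()))
    for idx in log.ends:
        for direction in ("OUT", "IN"):
            print(log.file_name(idx, direction), bytes(log.streams[(idx, direction)]))
```

To use this on live traffic, hand each frame delivered by the winpcapy capture callback to ConnectionLogger.feed() and write the streams to the names returned by file_name(). Two deliberate differences from the utility's output shown above: CLOSE is logged once, after both FINs have been seen, rather than once per FIN, and a connection whose SYN was not captured is ignored instead of logged. The parser also slices the TCP segment by the IP total length on purpose: frames shorter than 60 bytes are padded on the wire, and slicing by frame length would append that padding to the payload.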
