Question

I have created a simple RAW socket based packet sniffer. But when I run it, it rarely captures a packet. First I created this to capture packets in 1 second time intervals, but seeing no packets are captured I commented that line out. I was connected to the internet and a lot of HTTP traffic was going here and there, but I could not capture one. Is there a problem in the code where I created the socket? Please someone give me a solution. I am fairly new to Python programming and could not understand how to solve this.

import socket, binascii, struct
import time

# Raw packet socket that receives whole Ethernet frames carrying IPv4
# (EtherType 0x0800); opening it requires root privileges
sock = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x800))
print "Waiting.."
pkt = sock.recv(2048)
print "received"

def processEth(data):
    #some code to process source mac and dest. mac
    # (the original body was not posted; hexlify of the two 6-byte fields is
    # assumed here, mirroring processIP; Ethernet puts the destination first)
    dmac = str(binascii.hexlify(data[0]))
    smac = str(binascii.hexlify(data[1]))
    return [smac, dmac]

def processIP(data):
    # data[1] / data[2] are the 4-byte source / destination addresses
    sip = str(binascii.hexlify(data[1]))
    dip = str(binascii.hexlify(data[2]))
    return [sip, dip]

def processTCP(data):
    # data[0] / data[1] are the 16-bit source / destination ports
    sport = str(data[0])
    dport = str(data[1])
    return [sport, dport]


while len(pkt) > 0:

    if len(pkt) > 54:
        pkt = sock.recv(2048)
        ethHeader = pkt[0][0:14]
        ipHeader = pkt[0][14:34]
        tcpHeader = pkt[0][34:54]

        # 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType
        ethH = struct.unpack("!6s6s2s", ethHeader)
        ethdata = processEth(ethH)

        # 12 bytes of fixed IPv4 fields, then 4-byte src and dst addresses
        ipH = struct.unpack("!12s4s4s", ipHeader)
        ipdata = processIP(ipH)

        # two 16-bit ports, then the remaining 16 bytes of the 20-byte TCP header
        # ("!HH16" has a repeat count without a format character and is rejected by struct)
        tcpH = struct.unpack("!HH16s", tcpHeader)
        tcpdata = processTCP(tcpH)

        print "S.mac "+ethdata[0]+" D.mac "+ethdata[1]+"     from:  "+ipdata[0]+":"+tcpdata[0]+"    to:  "+ipdata[1]+":"+tcpdata[1]
        #time.sleep(1);

    else:
        continue

Solution

If you showed all the code, you are running into an endless loop. Whenever a packet is coming in which has not a length greater than 54 bytes, you end up reading the same packet all the time.

Additionally, socket.recv() returns a string/byte sequence; your approach of accessing the data is wrong. pkt[0] returns a string with length 1; pkt[0][x:y] will not return something useful.

I am not familiar with using sockets, but with some changes I got output that might look similar to what you intended (there is something missing in processEth() I think...).

[...]

while len(pkt) > 0:

    # read the next frame on every iteration, not only for frames longer than 54 bytes
    print "Waiting.."
    pkt = sock.recv(2048)
    print "received"

    if len(pkt) > 54:
        # recv() returns the frame as a string; slice it directly, not pkt[0][...]
        ethHeader = pkt[0:14]
        ipHeader = pkt[14:34]
        tcpHeader = pkt[34:38]   # only the two 16-bit ports are needed

        ethH = struct.unpack("!6s6s2s", ethHeader)
        ethdata = processEth(ethH)

        ipH = struct.unpack("!12s4s4s", ipHeader)
        ipdata = processIP(ipH)

        # "!HH" matches the 4-byte slice above ("!HH16" is not a valid struct format)
        tcpH = struct.unpack("!HH", tcpHeader)
        tcpdata = processTCP(tcpH)

        print "S.mac "+ethdata[0]+" D.mac "+ethdata[1]+"     from:  "+ipdata[0]+":"+tcpdata[0]+"    to:  "+ipdata[1]+":"+tcpdata[1]
        #time.sleep(1);

    else:
        continue
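The fixed offsets used in both listings above (IP header at bytes 14..34, TCP ports at 34..38) only hold for an IPv4 header without options and for a frame that is actually TCP; a raw socket opened with EtherType 0x0800 also delivers UDP and ICMP packets, and those bytes would be misread as ports. The following Python 3 example, added here and not part of the question or the answer, parses a frame the way a sniffer or detection tool should: it checks the EtherType, reads the IHL to find where the transport header starts, reads the TCP data offset, and refuses truncated frames. No socket is opened; `build_frame()` constructs a test frame (constructed data, not captured traffic) so the code runs offline, and the addresses and ports it uses are made-up documentation values.

```python
import socket  # used only for inet_aton/inet_ntoa; no socket is opened here
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_str(raw):
    """Format 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame):
    """Parse one Ethernet frame into a dict of header fields.

    Returns None for frames that are not IPv4, or that are too short to hold
    the headers they claim.  Non-TCP packets get the IP fields only.
    """
    if len(frame) < ETH_HDR_LEN:
        return None
    dmac, smac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        return None  # ARP, IPv6, VLAN-tagged frames: not handled here

    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        return None
    # IPv4 fixed header: ver/IHL, TOS, total length, id, flags+frag offset,
    # TTL, protocol, checksum, src, dst
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes: 20 without options, up to 60 with
    if ihl < 20 or len(ip) < ihl:
        return None

    result = {
        "src_mac": mac_str(smac), "dst_mac": mac_str(dmac),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "proto": proto, "ttl": ttl,
    }
    if proto != IPPROTO_TCP:
        return result  # UDP/ICMP: there are no TCP ports to read

    tcp = ip[ihl:]  # transport header starts after the IP options, not at a fixed offset
    if len(tcp) < 20:
        return None
    (sport, dport, _seq, _ack, off_flags, _win, _tcsum,
     _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4  # TCP header length including options
    if data_off < 20 or len(tcp) < data_off:
        return None
    result.update({
        "src_port": sport, "dst_port": dport,
        "flags": off_flags & 0x01FF,
        "payload_len": len(tcp) - data_off,
    })
    return result


def build_frame(src_ip, dst_ip, sport, dport, ip_options=b"", payload=b""):
    """Construct a test Ethernet/IPv4/TCP SYN frame (constructed data, not a
    capture).  ip_options must be a multiple of 4 bytes; passing some makes
    the IHL larger than 5 so the offset handling can be exercised."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x002,
                      65535, 0, 0) + payload
    total_len = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1, 0x4000,
                     64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),  # dst MAC (made up)
                      bytes.fromhex("66778899aabb"),            # src MAC (made up)
                      ETHERTYPE_IPV4)
    return eth + ip + ip_options + tcp


if __name__ == "__main__":
    frame = build_frame("192.0.2.10", "198.51.100.20", 40000, 80,
                        ip_options=b"\x01\x01\x01\x01", payload=b"GET / HTTP/1.1\r\n")
    print(parse_frame(frame))
```

In a live sniffer the loop body becomes `parse_frame(sock.recv(65535))` on the same kind of `PF_PACKET`/`SOCK_RAW` socket the question opens (on Linux, as root); frames the parser returns `None` for are simply skipped instead of being sliced blindly. The 65535-byte receive size matters too: a 2048-byte buffer silently truncates large frames, and the payload length computed here would then be wrong.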
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow