I cobbled together this example from things I found on the interwebs as well as the demo code. Eventually I want to be able to decode NFS packets. So far, I can get the TCP port numbers – so that’s a start at least.
I used Mac OS X, and compiled both pcapy and impacket from source without any hassle.
```python
from pcapy import open_offline
from impacket.ImpactDecoder import EthDecoder
from impacket.ImpactPacket import IP, TCP, UDP, ICMP

pcap = open_offline("some_packet_trace_file.trc")
decoder = EthDecoder()


def callback(hdr, data):
    # Called once per captured frame: hdr is the pcap header, data the raw bytes.
    print(".", end=" ")
    packet = decoder.decode(data)   # Ethernet frame
    l2 = packet.child()             # payload of the Ethernet frame
    if isinstance(l2, IP):
        print("IP", end=" ")
        l3 = l2.child()             # payload of the IP packet
        if isinstance(l3, TCP):
            src_ip = l2.get_ip_src()
            dst_ip = l2.get_ip_dst()
            tcp_src_port = l3.get_th_sport()   # source port
            tcp_dst_port = l3.get_th_dport()   # destination port
            print("TCP from %s (%s) to %s(%s) " % (src_ip, tcp_src_port, dst_ip, tcp_dst_port))
        if isinstance(l3, UDP):
            print("UDP")


# A packet count of 0 processes the whole trace file.
pcap.loop(0, callback)
print("Done")
```
The output looks like this:

```
...
. IP TCP from 192.168.10.3 (2049) to 192.168.10.4(947)
. IP TCP from 192.168.10.3 (2049) to 192.168.10.4(947)
Done
```
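As a next step toward the NFS decoding mentioned at the start, here is an added example (not part of the original post) that reads the ONC RPC header NFS uses on TCP port 2049: the 4-byte record marker followed by the xid, message type and, for calls, the program, version and procedure numbers. The function name, the helper and the sample bytes are constructed for illustration, and the payload is assumed to start on an RPC record boundary.

```python
import struct

NFS_PROGRAM = 100003        # ONC RPC program number registered for NFS
RPC_CALL, RPC_REPLY = 0, 1  # msg_type values (RFC 5531)

def parse_rpc_record(payload):
    """Parse the ONC RPC header at the start of a TCP payload.

    Returns a dict, or None when the bytes do not look like the start of
    an RPC record (too short, unknown msg_type, or RPC version != 2).
    Assumes the payload begins on a record boundary; a real capture needs
    TCP stream reassembly before this holds for every segment.
    """
    if len(payload) < 12:
        return None
    # Record marker: top bit = last fragment, low 31 bits = fragment length.
    marker, xid, msg_type = struct.unpack(">III", payload[:12])
    info = {"last_fragment": bool(marker & 0x80000000),
            "fragment_len": marker & 0x7FFFFFFF,
            "xid": xid}
    if msg_type == RPC_REPLY:
        # Replies carry no program number; pair them with calls by xid.
        info["type"] = "reply"
        return info
    if msg_type != RPC_CALL or len(payload) < 28:
        return None
    rpcvers, prog, vers, proc = struct.unpack(">IIII", payload[12:28])
    if rpcvers != 2:
        return None
    info.update(type="call", program=prog, version=vers, procedure=proc,
                is_nfs=(prog == NFS_PROGRAM))
    return info

def _record(body):
    """Prefix a single-fragment record marker to an RPC message body."""
    return struct.pack(">I", 0x80000000 | len(body)) + body

# Constructed sample data (not taken from a real trace):
# NFSv3 NULL call with AUTH_NONE credential and verifier, and its reply.
SAMPLE_CALL = _record(struct.pack(">10I", 0x1234, RPC_CALL, 2, NFS_PROGRAM, 3, 0, 0, 0, 0, 0))
SAMPLE_REPLY = _record(struct.pack(">6I", 0x1234, RPC_REPLY, 0, 0, 0, 0))

if __name__ == "__main__":
    for name, data in (("call", SAMPLE_CALL), ("reply", SAMPLE_REPLY)):
        print(name, parse_rpc_record(data))
```

In the callback above, the input to this function would be the data carried by the TCP layer for packets whose source or destination port is 2049.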