pure-pcapy

https://bitbucket.org/viraptor/pure-pcapy/overview

As stated in the source, this module doesn't support live capture, it is simply a pcap file parser: pcapy clone in pure python This module aims to support exactly the same interface as pcapy, so that it can be used as a drop-in replacement. This means the module does not and probably will never support live captures. Offline file support should match the original though.

pypcap

Also called 'pcap 1.1 in pip.

https://code.google.com/p/pypcap/

This is a module from Dug Song, wraps libpcap so the interface is familiar. However, for some reason, if pcap_open_live is called with a non-zero to_ms, pcap_loop will return if no packets were captured within the to\_ms value. Its return value will be None

This contradicts the man page:

   pcap_loop() returns 0 if cnt is exhausted or if, when reading from a ``savefile'', no
   more  packets are available.  It returns -1 if an error occurs or -2 if the loop ter-
   minated due to a call to pcap_breakloop() before any packets were processed.  It does
   not  return when live read timeouts occur; instead, it attempts to read more packets.

If called with the default to_ms value (no timeout as per the help msg), the call to pcap_loop seemsto block until a buffer is filled, which may not happen anytime soon if the traffic is low enough... (eg. while testing)

pylibpcap

http://pylibpcap.sourceforge.net/

SWIG wrapper around libpcap. Not very pythonic, but very much like talking to libpcap directly.

Something strange however, the callback specified in p.loop will receive 3 arguments: pktlen, pktdata, timestamp. This is not like libpcap, where the callbacks is called with timestamp, pktdata, userdata

The loop respects the to_ms parameter passed to open_live, so that's good.

pcap_ylg

  • http://www.pps.univ-paris-diderot.fr/~ylg/python/
  • https://pypi.python.org/pypi/pcap_ylg/1.1
  • http://pythonhosted.org//pcap_ylg

This one seems a bit obscure at first sight. If is, once again, a wrapper around libcap. It may look like all of the above, but almost all the libpcap calls are wrapped, which give us greater control over what we do with the underlying lib.

For example, the pcap_set_buffer_size call is there. This is crucial when doing captures with a high packet rate as it allows to grow the bdf buffer from the default (2mb on linux) to something higher.