Python: pcap modules comparison
Table of contents
pure-pcapy
https://bitbucket.org/viraptor/pure-pcapy/overview
As stated in the source, this module doesn't support live capture, it is simply a pcap file parser: pcapy clone in pure python This module aims to support exactly the same interface as pcapy, so that it can be used as a drop-in replacement. This means the module does not and probably will never support live captures. Offline file support should match the original though.
pypcap
Also called 'pcap 1.1 in pip.
https://code.google.com/p/pypcap/
This is a module from Dug Song, wraps libpcap so the interface is familiar.
However, for some reason, if pcap_open_live is called with a non-zero to_ms, pcap_loop will return if no packets were captured within the to\_ms value. Its return value will be None
This contradicts the man page:
pcap_loop() returns 0 if cnt is exhausted or if, when reading from a ``savefile'', no
more packets are available. It returns -1 if an error occurs or -2 if the loop ter-
minated due to a call to pcap_breakloop() before any packets were processed. It does
not return when live read timeouts occur; instead, it attempts to read more packets.
If called with the default to_ms value (no timeout as per the help msg), the call to pcap_loop seemsto block until a buffer is filled, which may not happen anytime soon if the traffic is low enough... (eg. while testing)
pylibpcap
http://pylibpcap.sourceforge.net/
SWIG wrapper around libpcap. Not very pythonic, but very much like talking to libpcap directly.
Something strange however, the callback specified in p.loop will receive 3 arguments: pktlen, pktdata, timestamp.
This is not like libpcap, where the callbacks is called with timestamp, pktdata, userdata
The loop respects the to_ms parameter passed to open_live, so that's good.
pcap_ylg
- http://www.pps.univ-paris-diderot.fr/~ylg/python/
- https://pypi.python.org/pypi/pcap_ylg/1.1
- http://pythonhosted.org//pcap_ylg
This one seems a bit obscure at first sight. It is, once again, a wrapper around libcap. It may look like all of the above, but almost all the libpcap calls are wrapped, which give us greater control over what we do with the underlying lib.
For example, the pcap_set_buffer_size call is there. This is crucial when doing captures with a high packet rate as it allows to grow the bpf buffer from the default (2mb on linux) to something higher.