Home > Coding, Python > Integrating Twisted with a pcap-based Python packet sniffer

Integrating Twisted with a pcap-based Python packet sniffer

September 8th, 2009

Twisted is an awesome event-driven networking engine. Unfortunately, it does not have good support for interfacing with raw sockets (unlike its support for many network protocols, which is amazing). Anyway, I recently needed to work with raw sockets so I had to find a way to make it work with Twisted. Though Twisted does have a module (twisted.pair) which tries to provide some support for raw sockets, the module is poorly documented and requires a library which is not readily available.

Luckily, I stumbled on a module which works on top of the libpcap packet capture library called pcapy. It is simple to use, and thread-safe — and easy to integrate into a Twisted-based project.

I put together a short sample (see below) which shows how to capture raw packets alongside the main Twisted event loop. It would be trivial to extend this example to also write to a raw socket (using an ordinary Python socket). This example can also be downloaded here.

# This sample shows how to run a libpcap-based packet sniffer concurrently with
# the Twisted framework.  The Twisted component is an "Echo" TCP server
# (listening on port 9999) which prints everything it receives.  When a client
# connects, it starts the pcap thread.  When the pcap thread receives a packet,
# it sends a message to the client telling it the size of the received packet.
# Finally, when the client disconnects the program is terminated.
# To try this contrived example out, run this script as root (so that it can use
# pcap) and then connect to the echo server (e.g., telnet localhost 9999).  Note
# that the pcap parameters are hard-coded.  This code uses twisted 8.0.2 and
# pcapy-0.10.4.
import os
from pcapy import open_live
from twisted.internet.protocol import Protocol, Factory
from twisted.internet import reactor
# pcap settings
DEV          = 'eth0'  # interface to listen on
MAX_LEN      = 1514    # max size of packet to capture
PROMISCUOUS  = 1       # promiscuous mode?
READ_TIMEOUT = 100     # in milliseconds
PCAP_FILTER  = ''      # empty => get everything (or we could use a BPF filter)
MAX_PKTS     = -1      # number of packets to capture; -1 => no limit
def run_pcap(f):
    # the method which will be called when a packet is captured
    def ph(hdr, data):
        print 'pcap heard: when=%s sz=%dB' % (hdr.getts(), len(data))
        # thread safety: call from the main twisted event loop
        reactor.callFromThread(f, len(data))
    # start the packet capture
    print "Listening on %s: net=%s, mask=%s" % (DEV, p.getnet(), p.getmask())
    p.loop(MAX_PKTS, ph)
# a silly echo server which prints what it receives and sends info about the
# size of each packet captured on DEV
class Echo(Protocol):
    def connectionLost(self, reason):
        os._exit(0) # kill the whole process
    def connectionMade(self):
        # run pcap in another thread (it will run forever)
        reactor.callInThread(run_pcap, self.pcapDataReceived)
    def dataReceived(self, data):
        print 'echo got: %s' % data
    def pcapDataReceived(self, sz):
        self.transport.write('pcap got: %uB\n' % sz)
# starts the silly echo server on port 9999
def main():
    factory = Factory()
    factory.protocol = Echo
    reactor.listenTCP(9999, factory)
if __name__ == "__main__":

David Underhill Coding, Python , , , , ,

  1. October 27th, 2009 at 17:23 | #1

    Hello there, i’ve download your codes, and i’ve installed all of the dependencies in my ubuntu 8.10.

    when i invoke the command sudo python twisted_and_pcap_together.py, it only stalled. how to run the program properly? thanks

  2. January 3rd, 2010 at 09:34 | #2

    The program runs in an infinite loop, so running that command won’t return. You should be able to interrupt this example with Ctrl-C when you’re done.

  3. Wavatar
    March 5th, 2010 at 22:19 | #3

    Can you tell me how to create an instance for pcap? When i tried pcap.pcap() it shows “no such attribute exixts”.

  4. March 6th, 2010 at 08:39 | #4

    Could you share the code you’re trying to use? In the example from the post you commented on, I create and start a pcap instance but there is no pcap.pcap() function to call so I’m not sure what you’re referring to.

  5. Wavatar
    July 5th, 2011 at 17:53 | #5

    i’ve captured packets in hex format.. do u kno how to convert them in mac frame format in python?


  1. No trackbacks yet.