Live Network Tracing in Python

python-libtrace comes highly recommended over scapy. Scapy always feels a bit alien to me; I think it is the custom REPL front end aimed at 'security people' (whatever that means). I am sure it is there to make things simple, but for me it just makes programs harder to write.

python-libtrace certainly isn't easy to install; all of the documentation is left to the libtrace project. Once I figured out the magic words I was able to throw together a DSCP mark classifier really quickly. For live capture on your system you will probably have to change bpf:em0 to something like pcapint:eth0.

import plt
import sys
import time

# Open the capture source (BPF device em0 here; use e.g. pcapint:eth0 on Linux).
trace = plt.trace('bpf:em0')
trace.start()

INTERVAL = 1  # seconds between summary lines

dscp = {}  # DSCP value -> packet count for the current interval
start = time.time()

try:
    for pkt in trace:
        ip = pkt.ip
        if not ip:
            continue  # not an IP packet

        # The IP traffic class byte is DSCP (6 bits) followed by ECN (2 bits).
        dscpvalue = ip.traffic_class >> 2

        if dscpvalue in dscp:
            dscp[dscpvalue] = dscp[dscpvalue] + 1
        else:
            dscp[dscpvalue] = 1

        done = time.time()

        if done - start > INTERVAL:
            print("marks:{}".format(len(dscp)), end="")
            for mark, count in dscp.items():
                print(" {}:{},".format(mark, count), end="")
            print("")
            dscp = {}
            start = done
except KeyboardInterrupt:
    trace.close()
    sys.exit()

This can be tested with netcat quite easily, though the options seem to differ between netcat versions.

nc -u -T ef [host] [port]
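The classifier above relies on python-libtrace to hand it the traffic class byte. The following is an added example, not code from this post or from the libtrace project, that does the same DSCP extraction directly on raw packet bytes, so it runs without a capture library: it handles IPv4 (TOS byte) and IPv6 (traffic class split across two bytes), separates the 6-bit DSCP from the 2-bit ECN field, counts marks the way the interval loop above does, and labels well-known code points such as EF by name. The make_ipv4/make_ipv6 helpers and the addresses in them are constructed test fixtures, not captured traffic.

```python
import struct
from collections import Counter

# Well-known DSCP code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
DSCP_NAMES = {0: "CS0", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
              16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23",
              24: "CS3", 26: "AF31", 28: "AF32", 30: "AF33",
              32: "CS4", 34: "AF41", 36: "AF42", 38: "AF43",
              40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}


def dscp_from_ip_header(packet):
    """Return (dscp, ecn) from a raw IPv4 or IPv6 packet, or None if it is neither."""
    if len(packet) < 1:
        return None
    version = packet[0] >> 4
    if version == 4:
        if len(packet) < 20:
            return None
        tos = packet[1]                      # IPv4: the whole second byte is DSCP|ECN
    elif version == 6:
        if len(packet) < 40:
            return None
        # IPv6: traffic class spans the low nibble of byte 0 and the high nibble of byte 1.
        tos = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
    else:
        return None
    return tos >> 2, tos & 0x03              # top 6 bits DSCP, bottom 2 bits ECN


def classify(packets):
    """Count packets per DSCP value, skipping anything that is not IP."""
    counts = Counter()
    for pkt in packets:
        tc = dscp_from_ip_header(pkt)
        if tc is None:
            continue
        counts[tc[0]] += 1
    return dict(counts)


def format_marks(counts):
    """Render one summary line in the same spirit as the interval printout above."""
    items = " ".join("{}({}):{}".format(d, DSCP_NAMES.get(d, "?"), n)
                     for d, n in sorted(counts.items()))
    return "marks:{} {}".format(len(counts), items)


def make_ipv4(dscp, ecn=0, payload=b""):
    """Constructed minimal IPv4 header (no options, zero checksum) for testing only."""
    tos = (dscp << 2) | ecn
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                         64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def make_ipv6(dscp, ecn=0, payload=b""):
    """Constructed minimal IPv6 header (flow label 0) for testing only."""
    tc = (dscp << 2) | ecn
    first_word = (6 << 28) | (tc << 20)
    header = struct.pack("!IHBB16s16s", first_word, len(payload), 17, 64,
                         b"\x00" * 15 + b"\x01", b"\x00" * 15 + b"\x02")
    return header + payload


if __name__ == "__main__":
    sample = [make_ipv4(46), make_ipv4(46, ecn=1), make_ipv4(0), make_ipv6(34), b"\x00\x01"]
    print(format_marks(classify(sample)))
```

Feeding it a mix of constructed packets (two EF, one best-effort, one IPv6 AF41, one non-IP blob) yields a line like marks:3 0(CS0):1 34(AF41):1 46(EF):2; the ECN bits are deliberately dropped from the key so that ECN-marked and unmarked packets with the same DSCP land in the same bucket, matching the >> 2 in the original loop.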

Reading: Cibola Burn, Excession