Python Scapy vs dpkt
I am trying to analyse packets using Python's Scapy from the beginning. Upon recent searching, I found there is another Python module named dpkt. With this module I can parse the layers of a packet, create packets, and read from and write to a .pcap file. The differences I found between them are:
dpkt has no live packet sniffer.
Some fields need to be unpacked with struct.unpack in dpkt.
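To illustrate the second point, here is a minimal stdlib-only sketch (the header bytes and field offsets below are illustrative, not taken from the question): dpkt hands back some fields as raw bytes, so you render them yourself with struct.unpack or socket.inet_ntoa, whereas Scapy decodes them for you.

```python
import struct
import socket

# A hand-written 20-byte IPv4 header (illustrative values).
hdr = bytes([0x45, 0x00, 0x00, 0x28,   # version/IHL, TOS, total length
             0x1c, 0x46, 0x40, 0x00,   # identification, flags/frag offset
             0x40, 0x06, 0x00, 0x00,   # TTL, protocol (TCP), checksum
             10, 0, 0, 1,              # source address 10.0.0.1
             10, 0, 0, 2])             # destination address 10.0.0.2

# Fields like these arrive as raw bytes from dpkt; decode them manually.
(ident,) = struct.unpack('!H', hdr[4:6])   # network byte order, unsigned short
print(ident)                               # 7238 == 0x1c46
print(socket.inet_ntoa(hdr[12:16]))        # 10.0.0.1
```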
Are there any other differences I am missing?
Scapy is a better performer than dpkt.
Scapy can read a .pcap file using the rdpcap method or the offline parameter of the sniff method. There might be many other differences as well.
I don't understand why people say that Scapy is the better performer. I quickly checked, as shown below, and the winner is dpkt: it's dpkt > scapy > pyshark.
My input pcap file used for testing is about 12.5 MB. The times are measured with the bash time command: time python testing.py. In each snippet I ensure that the packet is indeed decoded from raw bytes. One can assign the variable FILENAME to the needed pcap file name.
dpkt
from dpkt.pcap import *
from dpkt.ethernet import *
import os

readBytes = 0
fileSize = os.stat(FILENAME).st_size
with open(FILENAME, 'rb') as f:
    for t, pkt in Reader(f):
        readBytes += len(Ethernet(pkt))  # decode every packet from raw bytes
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 0.3 seconds.

scapy -- using PcapReader
from scapy.all import *
import os

readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt in PcapReader(FILENAME):  # streams packets, already decoded
    readBytes += len(pkt)
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 4.5 seconds.

scapy -- using RawPcapReader
from scapy.all import *
import os

readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt, (sec, usec, wirelen, c) in RawPcapReader(FILENAME):
    readBytes += len(Ether(pkt))  # force decoding of the raw bytes
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 4.5 seconds.

pyshark
import pyshark
import os

filtered_cap = pyshark.FileCapture(FILENAME)
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt in filtered_cap:
    readBytes += int(pkt.length)
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 12 seconds.

I am not advertising dpkt at all -- I do not care. The point is that I currently need to parse 8 GB files. I checked that with dpkt the code above finishes an 8 GB pcap file in about 4.5 minutes, which is bearable, while I would not even wait for the other libraries to finish. At least, that is my quick first impression. If I get new information, I will update the post.