Python Scapy vs dpkt
[英]Python Scapy vs dpkt
问题描述
I am trying to analyse packets using Python's Scapy from the beginning. 
我试图从一开始就使用Python的Scapy来分析数据包。 Upon recent searching, I found there is another module in python named as dpkt . 在最近的搜索中,我发现python中有另一个名为dpkt模块。 With this module I can parse the layers of a packet, create packets, read a .pcap file and write into a .pcap file. 使用此模块,我可以解析数据包的各个层,创建数据包,读取.pcap文件并写入.pcap文件。 The difference I found among them is: 我发现他们之间的区别是:
Missing of live packet sniffer in
dpkt在dpkt缺少实时数据包嗅探器Some of the fields need to be unpacked using
struct.unpackindpkt.需要使用struct.unpack中的dpkt解压缩一些字段。
Is there any other differences I am missing? 我还缺少其他差异吗?
2 个解决方案
解决方案1
7 2016-06-22 09:30:53
Scapy is a better performer than dpkt . Scapy比dpkt表现更好。
- You can create, sniff, modify and send a packet using scapy. 您可以使用scapy创建,嗅探,修改和发送数据包。 While dpkt can only analyse packets and create them. 虽然dpkt只能分析数据包并创建它们。 To send them, you need raw sockets. 要发送它们,您需要原始套接字。
- As you mentioned, Scapy can sniff live. 如你所说,Scapy可以嗤之以鼻。 It can sniff from a network as well as can read a
.pcapfile using therdpcapmethod orofflineparameter ofsniffmethod.它可以从网络中嗅探,也可以使用rdpcap方法或sniff方法的offline参数读取.pcap文件。 - Scapy is generally used to create packet analyser and injectors. Scapy通常用于创建数据包分析器和注入器。 Its modules can be used to create a specific application for a specific purpose. 其模块可用于为特定目的创建特定应用程序。
There might be many other differences also. 可能还有许多其他差异。
解决方案2
0 2019-05-13 21:07:53
I don't understand why people say that Scapy is better performer. 我不明白为什么人们说Scapy表现更好。 I quickly checked as shown below and the winner is dpkt. 我快速检查如下所示,获胜者是dpkt。 It's dpkt > scapy > pyshark. 这是dpkt> scapy> pyshark。
My input pcap file used for testing is about 12.5 MB. 我用于测试的输入pcap文件大约是12.5 MB。 The time is derived with bash time command time python testing.py . 使用bash time命令time python testing.py导出time python testing.py 。 In each snippet I ensure that the packet is indeed decoded from raw bites. 在每个片段中,我确保数据包确实是从原始的咬合中解码的。 One can assign variable FILENAME with the needed pcap-file name. 可以使用所需的pcap文件名指定变量FILENAME。
dpkt dpkt
from dpkt.pcap import *
from dpkt.ethernet import *
import os
readBytes = 0
fileSize = os.stat(FILENAME).st_size
with open(FILENAME, 'rb') as f:
for t, pkt in Reader(f):
readBytes += len(Ethernet(pkt))
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 0.3 second. 平均时间约为0.3秒。
scapy -- using PcapReader scapy - 使用PcapReader
from scapy.all import *
import os
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt in PcapReader(FILENAME):
readBytes += len(pkt)
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 4.5 seconds. 平均时间约为4.5秒。
scapy -- using RawPcapReader scapy - 使用RawPcapReader
from scapy.all import *
import os
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt, (sec, usec, wirelen, c) in RawPcapReader(FILENAME):
readBytes += len(Ether(pkt))
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 4.5 seconds. 平均时间约为4.5秒。
pyshark pyshark
import pyshark
import os
filtered_cap = pyshark.FileCapture(FILENAME)
readBytes = 0
fileSize = os.stat(FILENAME).st_size
for pkt in filtered_cap:
readBytes += int(pkt.length)
print("%.2f" % (float(readBytes) / fileSize * 100))
The average time is about 12 seconds. 平均时间约为12秒。
I do not advertise dpkt at all -- I do not care. 我根本没有宣传dpkt - 我不在乎。 The point is that I need to parse 8GB files currently. 关键是我需要解析当前的8GB文件。 So I checked that with dpkt the above-written code for a 8GB pcap-file is done for 4.5 minutes which is bearable, while I would not even wait for other libraries to ever finish. 所以我用dpkt检查了上面写的8GB pcap文件的代码是完成了4.5分钟,这是可以忍受的,而我甚至不会等待其他库完成。 At least, this is my quick first impression. 至少,这是我第一印象。 If I have some new information I will update the post. 如果我有一些新信息,我会更新帖子。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.