Forem: Arun Sundar The latest articles on Forem by Arun Sundar (@arun_sundar_59984c6c07536). https://forem.com/arun_sundar_59984c6c07536 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3578364%2F2e4dd4e9-8c5d-422f-9ad2-9b58496ee975.png Forem: Arun Sundar https://forem.com/arun_sundar_59984c6c07536 en Introducing packetpy: A Pure-Python Packet Sniffer for Windows 🐍 Arun Sundar Wed, 22 Oct 2025 07:32:11 +0000 https://forem.com/arun_sundar_59984c6c07536/introducing-packetpy-a-pure-python-packet-sniffer-for-windows-b53 https://forem.com/arun_sundar_59984c6c07536/introducing-packetpy-a-pure-python-packet-sniffer-for-windows-b53 <p>Sniffing network packets in Python has always been tricky β€” especially on Windows, where raw sockets behave differently than Linux or macOS. I faced this challenge while trying to capture packets on specific ports, parse them, and analyze their payloads programmatically. Existing libraries like PyShark depend on TShark/Wireshark, which adds setup overhead and reduces portability.</p> <p>That’s why I created packetpy β€” a pure-Python, zero-dependency packet sniffer that works natively on Windows and gives fine-grained control over IPv4, TCP, and UDP packets.</p> <p><strong>How packetpy Works?</strong></p> <p>packetpy uses raw sockets to capture packets directly from the network interface. Here’s a breakdown of the main components:</p> <p><strong>1. Raw Socket Capture</strong></p> <p>The WinRawSniffer class creates a raw socket:</p> <p>s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)<br> s.bind((iface_ip, 0))<br> s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)</p> <p>Key points:</p> <p>IP_HDRINCL ensures captured packets include the full IP header.</p> <p>RCVALL_ON (via ioctl) enables promiscuous mode to capture all packets.</p> <p>The socket runs in a background daemon thread, allowing your script to continue executing while sniffing packets.</p> <p><strong>2. IPv4 Parsing</strong></p> <p>parse_ipv4(pkt) converts raw bytes into a structured dictionary:</p> <p>{'version': ..., 'ihl': ..., 'len': ..., 'proto': ..., 'src': ..., 'dst': ..., 'payload': ...}</p> <p>The first 20 bytes of the packet are unpacked using struct.unpack('!BBHHHBBH4s4s', ...).</p> <p>The IHL field determines the IP header length.</p> <p>Payload extraction is done carefully: pkt[ihl:total_len].</p> <p>The result is a dictionary containing source/destination IPs, protocol number, header length, and raw payload.</p> <p><strong>3. TCP and UDP Parsing:</strong></p> <p>For TCP, parse_tcp(seg) reads:</p> <p>src_port, dst_port, seq, ack, offset, payload</p> <p>TCP header offset is extracted from the data offset field.</p> <p>Payload starts at the calculated offset.</p> <p>For UDP, parse_udp(seg) reads:</p> <p>src_port, dst_port, length, payload</p> <p>UDP headers are always 8 bytes.</p> <p>Payload is extracted based on the length field.</p> <p>This gives full visibility into the packet structure without any external library.</p> <p><strong>4. Match Callbacks</strong></p> <p>make_match_callback(sniffer, target_ip, target_port) allows you to stop sniffing when a specific packet is detected:</p> <p>if ip['dst'] == target_ip and pkt['tcp']['dst_port'] == target_port:<br> print("=== MATCH FOUND (TCP) ===")</p> <p>Supports TCP and UDP.</p> <p>Prints a 512-byte hexdump of the payload for inspection.</p> <p>Stops the sniffer automatically once a match is found.</p> <p><strong>5. Hexdump Utility</strong></p> <p>hexdump(payload[:512]) formats the payload like this:</p> <p>0000 48 65 6c 6c 6f 20 57 6f 72 6c 64 Hello World<br> 0010 ...</p> <p>Displays both hex values and ASCII equivalents.</p> <p>Useful for quick debugging of raw payload data.</p> <p><strong>6. Threaded Sniffing Loop</strong></p> <p>The sniffer runs in a daemon thread:</p> <p>self.thread = threading.Thread(target=loop, daemon=True)<br> self.thread.start()</p> <p>Ensures your main program is not blocked.</p> <p>Supports a timeout, after which sniffing stops automatically.</p> <p>Exceptions are caught to keep the loop running smoothly.</p> <p><strong>Key Advantages of packetpy</strong></p> <p>Pure Python, zero dependencies β€” no TShark or Wireshark required.</p> <p>Lightweight and fast β€” ideal for direct packet inspection on Windows.</p> <p>TCP/UDP parsing with payload inspection built-in.</p> <p>Callback-based matching β€” perfect for monitoring specific IPs/ports.</p> <p>Threaded design β€” non-blocking sniffing for your scripts.</p> <p><strong>Installation</strong></p> <p>pip install packetpy</p> <p><strong>Start sniffing immediately with:</strong></p> <p><code>sniffer = WinRawSniffer(iface_ip="192.168.1.100", timeout=10)<br> callback = make_match_callback(sniffer, target_ip="192.168.1.105", target_port=8080)<br> sniffer.start(callback)</code></p> <p><strong>Next Steps</strong></p> <p>I’m planning to add:</p> <p>TLS packet detection</p> <p>Cross-platform support (Linux/macOS)</p> <p>Packet blocking simulations</p> <p>packetpy taught me a lot about raw sockets, network byte order, and protocol structures. Python gives you amazing low-level control when you dig deep.</p> <p>πŸ’‘ Try it out and share feedback!<br> Network enthusiasts, Python devs, and security researchers β€” what features should come next?</p> networking python showdev