Python Packet Capture and Injection Library

Author: Mark Rowe
Web site:
Project page:

This package provides the ability to capture packets from, and inject packets onto, network interfaces. It supports commonly found protocols such as Ethernet, PPP, IP, ARP, TCP, UDP, and ICMP.

Supported Platforms

pycap should work on any platform that supports libpcap, libnet and Python. It currently requires Python 2.3. It will be backported to Python 2.2 if enough interest is shown. If you find any bugs please report them on the Sourceforge project page.

To Do

Packet injection is currently a work in progress. It works for me, but needs a lot more testing. A full list of things left to complete is available on a separate page.


pycap is available from CVS, or from its Sourceforge project page. Installing pycap from the released tarball requires extracting the file then executing the following commands.

% python build
% sudo python install

To obtain and install pycap from CVS follow these steps, adjusting for your platform as necessary. Note that the CVS password is empty.

% cvs login 
(Logging in to
CVS password:
% cvs -z3 co pycap
% cd pycap/
% python build
% sudo python install


Note that libpcap and libnet may require superuser access to capture packets.



The following session in the interactive interpreter demonstrates capturing a packet from the default network interface, and exploring its various components.

>>> import pycap.capture
>>> p = pycap.capture.capture()
>>> packet =
>>> packet
(Ethernet(type=0x800, 00:03:93:44:a9:92 -> 00:50:ba:8f:c4:5f), IP(proto=0x6, ->,
 TCP(57579 -> 5190, seq=0xc1600e16, ack=0xf481e20e, flags=(push, ack)), '*\x05\x01\xff\x00\x00', 
>>> packet[0]
Ethernet(type=0x800, 00:03:93:44:a9:92 -> 00:50:ba:8f:c4:5f)
>>> dir(packet[0])
['__class__', '__delattr__', '__doc__', '__getattribute__', '__hash__', '__init__', '__new__', '__reduce__',
 '__reduce_ex__', '__repr__', '__setattr__', '__str__', 'destination', 'packet', 'source', 'type']
>>> packet[0].source
>>> dir(packet[1])
['__class__', '__delattr__', '__doc__', '__getattribute__', '__hash__', '__init__', '__new__', '__reduce__',
 '__reduce_ex__', '__repr__', '__setattr__', '__str__', 'checksum', 'destination', 'headerlength', 'id',
 'length', 'offset', 'packet', 'protocol', 'source', 'timetolive', 'typeofservice', 'version']
>>> packet[1].version


The following session in the interactive interpreter demonstrates how to inject an ICMP echo request onto the default network interface.

>>> import pycap.constants, pycap.protocol, pycap.inject
>>> ethernet = pycap.protocol.ethernet(type=pycap.constants.ethernet.ETHERTYPE_IP,
...                                    source='00:03:93:44:a9:92',
...                                    destination='00:50:ba:8f:c4:5f')
>>> ip = pycap.protocol.ip(version=4,
...                        length=pycap.constants.ip.HEADER_LENGTH + pycap.constants.icmp.ECHO_HEADER_LENGTH + len(data),
...                        id=1,
...                        offset=0,
...                        ttl=100,
...                        protocol=pycap.constants.ip.IPPROTO_ICMP,
...                        checksum=0,
...                        source="",
...                        destination="")
>>> icmp = pycap.protocol.icmpEchoRequest(0, 0, 1, 0)
>>> packet = (ethernet, ip, icmp, data)
>>> print packet
(Ethernet(type=0x800, 00:03:93:44:a9:92 -> 00:50:ba:8f:c4:5f), IP(proto=0x1, ->, 
>>> pycap.inject.inject().inject(packet)


Reference documentation is severely lacking. If there is anything that you would like an explantion on feel free to email me or file a bug report on it. Logo