Posted 27 Jun 2013

Generate a quick and easy custom pcap file using Python

Generate a quick pcap file with a custom packet


Have you ever needed to write a Wireshark dissector but weren't sure how to check whether your dissector was working? This simple Python tool generates a pcap file with whatever protocol you are trying to dissect embedded inside it. You can then open the pcap file in Wireshark and verify that your dissector is working.

The code posted below encapsulates the specified message into a UDP packet. The specified port will also be encoded into the UDP packet. Everything else will either be calculated or given a default value.

Using the code

This code is ready to be copy/pasted and run. All you have to do is specify the message you would like to encode. The message should be a string of hexadecimal characters. Whitespace does not matter, but I split everything into bytes just for readability.

If you have a linux terminal handy, all you have to do is run:

python [nameoffile].py output_file

port = 9600

#Custom Foo Protocol Packet
message =  ('01 01 00 08'   #Foo Base Header
            '01 02 00 00'   #Foo Message (31 Bytes)
            '00 00 12 30'
            '00 00 12 31'
            '00 00 12 32'
            '00 00 12 33'
            '00 00 12 34'
            'D7 CD EF'      #Foo flags
            '00 00 12 35')

""" Do not edit below this line unless you know what you are doing """

import sys
import binascii

#Global header for pcap 2.4 (every field is little endian, as the D4 C3 B2 A1 magic signals)
pcap_global_header =   ('D4 C3 B2 A1'   #Magic number
                        '02 00'         #File format major revision (i.e. pcap <2>.4)
                        '04 00'         #File format minor revision (i.e. pcap 2.<4>)
                        '00 00 00 00'   #Timezone offset from GMT (0)
                        '00 00 00 00'   #Timestamp accuracy (unused, 0)
                        'FF FF 00 00'   #Snapshot length (max bytes saved per packet)
                        '01 00 00 00')  #Link-layer type (1 = Ethernet)

#pcap packet header that must preface every packet
pcap_packet_header =   ('AA 77 9F 47'   #Timestamp, seconds (little endian)
                        '90 A2 04 00'   #Timestamp, microseconds (little endian)
                        'XX XX XX XX'   #Frame Size saved in file (little endian) - will be calculated and replaced later
                        'YY YY YY YY')  #Frame Size on the wire (little endian) - same value, nothing is truncated

eth_header =   ('00 00 00 00 00 00'     #Source Mac
                '00 00 00 00 00 00'     #Dest Mac
                '08 00')                #Protocol (0x0800 = IP)

ip_header =    ('45 00'                 #IP version and header length (multiples of 4 bytes), Type of Service
                'XX XX'                 #Length - will be calculated and replaced later
                '00 00'                 #Identification
                '40 00 40'              #Flags/fragment offset (0x4000 = Don't Fragment), TTL (0x40 = 64)
                '11'                    #Protocol (0x11 = UDP)
                'YY YY'                 #Checksum - will be calculated and replaced later
                '7F 00 00 01'           #Source IP (Default: 127.0.0.1)
                '7F 00 00 01')          #Dest IP (Default: 127.0.0.1)

udp_header =   ('80 01'                 #Source port (0x8001)
                'XX XX'                 #Port - will be replaced later
                'YY YY'                 #Length - will be calculated and replaced later
                '00 00')                #UDP checksum (0 = not computed, which UDP over IPv4 permits)

def getByteLength(str1):
    #Two hex characters per byte; whitespace is ignored (integer division keeps this usable as a %x argument)
    return len(''.join(str1.split())) // 2

def writeByteStringToFile(bytestring, filename):
    bytelist = bytestring.split()
    raw = binascii.a2b_hex(''.join(bytelist))
    with open(filename, 'wb') as bitout:
        bitout.write(raw)

def generatePCAP(message,port,pcapfile):

    udp = udp_header.replace('XX XX',"%04x"%port)
    udp_len = getByteLength(message) + getByteLength(udp_header)
    udp = udp.replace('YY YY',"%04x"%udp_len)

    ip_len = udp_len + getByteLength(ip_header)
    ip = ip_header.replace('XX XX',"%04x"%ip_len)
    #The checksum is computed over the header with the checksum field zeroed
    checksum = ip_checksum(ip.replace('YY YY','00 00'))
    ip = ip.replace('YY YY',"%04x"%checksum)

    #Frame size is everything after the 16-byte packet header, stored little endian
    pcap_len = ip_len + getByteLength(eth_header)
    hex_str = "%08x"%pcap_len
    reverse_hex_str = hex_str[6:] + hex_str[4:6] + hex_str[2:4] + hex_str[:2]
    pcaph = pcap_packet_header.replace('XX XX XX XX',reverse_hex_str)
    pcaph = pcaph.replace('YY YY YY YY',reverse_hex_str)

    bytestring = pcap_global_header + pcaph + eth_header + ip + udp + message
    writeByteStringToFile(bytestring, pcapfile)

#Splits the string into a list of tokens every n characters
def splitN(str1,n):
    return [str1[start:start+n] for start in range(0, len(str1), n)]

#Calculates and returns the IP checksum (RFC 1071 one's complement sum) based on the given IP Header
def ip_checksum(iph):

    #split into 16-bit words (4 hex characters each)
    words = splitN(''.join(iph.split()),4)

    csum = 0
    for word in words:
        csum += int(word, base=16)

    #fold the carry bits back into the low 16 bits until none remain
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)

    #one's complement of the folded sum
    return csum ^ 0xFFFF

""" End of functions, execution starts here: """

if len(sys.argv) < 2:
    print('usage: python %s output_file' % sys.argv[0])
    sys.exit(1)

generatePCAP(message, port, sys.argv[1])
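As an added example, not part of the original article, here is a Python 3 script that builds the same Ethernet/IPv4/UDP frame with struct instead of hand-edited hex strings, writes any number of records into one pcap, and then reads the file back to check the record framing and recompute the IPv4 header checksum. Reading the file back is the check you want before trusting a generated capture in a dissector test: a record whose saved length overruns the file, or a header whose checksum does not verify, is exactly what Wireshark will flag as malformed. The function and constant names (build_udp_frame, build_pcap, parse_pcap, roundtrip, FOO_MESSAGE), the timestamps and the sample payload are constructed for this example; it goes beyond the article's single-packet case by writing several records.

```python
# Added example (not the article's code): build a multi-record pcap with
# struct, then parse it back and verify framing and the IPv4 header checksum.
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # written little-endian as D4 C3 B2 A1
LINKTYPE_ETHERNET = 1

# Constructed sample payload: the same "Foo" message the article encodes.
FOO_MESSAGE = bytes.fromhex(
    "01 01 00 08 01 02 00 00 00 00 12 30 00 00 12 31 00 00 12 32 "
    "00 00 12 33 00 00 12 34 D7 CD EF 00 00 12 35")


def ip_checksum(header):
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries until none remain
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(payload, dst_port, src_port=0x8001,
                    src_ip=b"\x7f\x00\x00\x01", dst_ip=b"\x7f\x00\x00\x01"):
    """Ethernet II + IPv4 + UDP frame with the same defaults as the article."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # version/IHL, TOS, total length, id, flags(DF)/frag, TTL, proto, cksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000,
                     64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x00" * 12 + b"\x08\x00"         # zero MACs, EtherType IPv4
    return eth + ip + udp


def build_pcap(frames, ts_sec=0x479F77AA, ts_usec=0x0004A290):
    """pcap 2.4 global header followed by one record per frame (constructed timestamps)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 0xFFFF, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # incl_len == orig_len because nothing is cut by the snaplen; one second apart
        out += struct.pack("<IIII", ts_sec + i, ts_usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return one dict per record; raise ValueError on malformed framing."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("record at offset %d is truncated" % off)
        off += 16 + incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6, "frame_len": orig_len}
        if frame[12:14] != b"\x08\x00":
            rec["note"] = "non-IPv4 EtherType"
            records.append(rec)
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        # a header carrying a correct checksum sums to zero under the same routine
        rec["ip_checksum_ok"] = ip_checksum(ip[:ihl]) == 0
        rec["protocol"] = ip[9]
        if ip[9] == 17:
            sport, dport, ulen, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
            rec.update(src_port=sport, dst_port=dport,
                       udp_len_ok=(ulen == total_len - ihl),
                       payload=ip[ihl + 8:total_len])
        records.append(rec)
    return records


def roundtrip(payloads, port):
    """Build a multi-record pcap and parse it straight back."""
    data = build_pcap([build_udp_frame(p, port) for p in payloads])
    return data, parse_pcap(data)


if __name__ == "__main__":
    pcap_bytes, recs = roundtrip([FOO_MESSAGE] * 3, 9600)
    for r in recs:
        print(r["dst_port"], r["ip_checksum_ok"], r["udp_len_ok"], len(r["payload"]))
    if len(sys.argv) > 1:
        with open(sys.argv[1], "wb") as fh:
            fh.write(pcap_bytes)
```

Run it with an output file name to write the three-record capture and open that in Wireshark; the verification test is ip_checksum(header) == 0, because a header that already carries a correct checksum folds to all ones under the one's-complement sum that produced it.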


Points of Interest 

Perhaps you are wondering where I got the information to build the pcap headers, the Ethernet headers, etc. I opened a working pcap in Wireshark first of all in order to get a general idea, and then I opened the working pcap file in a hex editor and read the documentation on the various protocols and file formats in order to build the full picture in my head. Here are the articles I used to decipher pcap/IP/UDP:

Pcap file format
IP Header Format
UDP Header Format


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



Comments and Discussions

Question: How to generate the pcap file with multiple packets? Let's say I want 1000 packets in it.
Member 11471616, 22-Feb-15 19:50

Article Copyright 2013 by RPGillespie