Hello everyone !! This blog is all about my experience in writing a python-based Network Packet Sniffing Tool. Originally, I followed this awesome tutorial by thenewboston to create the tool and then later modified it a bit as per my requirements. Below is the link to the tutorial.
thenewboston - Python Network Packet Sniffer
- Dissecting Ethernet Packet
- Different sections/fields of the packet
- Bits and Bytes
- “struct.unpack” function in python
- Conversion of bytes and their sizes
- Little Endian and Big Endian
- Network and Host Byte Order
- Formatting in Python
- MAC and IP address formats
- Socket Programming
- Bitwise Operations
- AND Operation
- Protocol and its IDs
- argparse module in Python
Tool - Demo
Check out my full code - Github Repo
I have also created a simple Google Doc with all the notes for specific code snippets in the project - Google Doc
To understand the entire code, read the snippets explained in the Google Doc above; I believe that is sufficient to understand how the tool works. In this article, I would like to share what I learned about the specific concepts that are required to complete this project.
Bits/Bytes and Conversion
Everyone has at least some idea of what a bit and a byte are.
Bit - A bit represents a binary digit, which is either 0 or 1
Byte - A byte is a collection of bits. To be more specific,
4 Bits = 1 Nibble
8 Bits = 1 Byte
For example, the decimal number 20 can be represented in binary format as follows,
20 = 10100 (or) 0001 0100
You can use this tool for conversion - RapidTables
Now if you check the data types and sizes here - Microsoft Docs
One of the Data types with the minimum size is “unsigned int” which is of size 1 Byte.
And the range of numbers it can hold is 0-255.
This can be understood with the following,
Decimal   Binary (1 Byte)
0         0000 0000   (all zeros)
120       0111 1000
255       1111 1111   (all ones)
That’s why a single byte of information can hold only numbers from 0-255.
Now imagine an IP address: 192.168.1.88
In Binary Format: 1100 0000.1010 1000.0000 0001.0101 1000
Every IPv4 address is 32 bits in size (32/8 = 4 bytes).
Since every octet is 1 byte, each octet can hold a maximum value of 255.
That's why the highest IP address we can have is 255.255.255.255
Understanding this concept will be very much helpful while working on the project.
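As an added example (not code from the original post or the author's repository), the following Python shows the byte and IPv4 conversions described above: rendering a single byte as two nibbles, packing a dotted-quad address into its 4 raw bytes with struct in network byte order, and reading those 4 bytes back as one 32-bit integer. All function names are my own.

```python
import struct


def byte_to_bits(value: int) -> str:
    """Render one unsigned byte (0-255) as two 4-bit nibbles, e.g. 120 -> '0111 1000'."""
    if not 0 <= value <= 255:
        # A single byte cannot represent anything outside 0-255.
        raise ValueError("a single byte holds only values 0-255")
    bits = format(value, "08b")  # zero-padded to 8 binary digits
    return f"{bits[:4]} {bits[4:]}"


def ipv4_to_bytes(address: str) -> bytes:
    """Pack a dotted-quad IPv4 string into its 4 raw bytes (32 bits)."""
    octets = [int(part) for part in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {address!r}")
    # '!' = network byte order (big endian), 'B' = one unsigned byte.
    return struct.pack("!4B", *octets)


def bytes_to_ipv4(raw: bytes) -> str:
    """Reverse of ipv4_to_bytes: 4 raw bytes -> dotted quad, as a sniffer prints it."""
    if len(raw) != 4:
        raise ValueError("an IPv4 address is exactly 4 bytes")
    return ".".join(str(b) for b in raw)


def ipv4_as_int(address: str) -> int:
    """Read the same 4 bytes as a single 32-bit unsigned integer ('I')."""
    return struct.unpack("!I", ipv4_to_bytes(address))[0]


def ipv4_to_binary(address: str) -> str:
    """Show each octet as two nibbles separated by dots, like the table above."""
    return ".".join(byte_to_bits(o) for o in ipv4_to_bytes(address))


if __name__ == "__main__":
    for number in (0, 20, 120, 255):
        print(f"{number:>3} = {byte_to_bits(number)}")
    print("192.168.1.88 =", ipv4_to_binary("192.168.1.88"))
    print("255.255.255.255 as int =", ipv4_as_int("255.255.255.255"))
```

The validation in `byte_to_bits` and `ipv4_to_bytes` is the part worth keeping in a real sniffer: a field that is declared to be one byte can only ever hold 0-255, so anything outside that range is a bug in the parser, not valid input.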
Little Endian and Big Endian
These endian formats describe how a multi-byte value is laid out in memory; they do not change the value itself.
Little Endian - In this format the least significant byte is stored first.
0x12345678 is saved as the bytes 78 56 34 12
Big Endian - In this format data is stored in the order we read it.
0x12345678 is saved as the bytes 12 34 56 78
TCP/IP uses Big Endian
x86_64 uses Little Endian
That's why we will come across this concept while writing the tool.
I referred to this article to learn the Endian concept in an in-depth manner -
Endian - Section.io
Network and Host Byte Order
Since machines use two different ways to store data, Big Endian and Little Endian, we need uniformity when communicating over the network. So two terms come into play here,
Host Byte Order - The way in which a particular system stores data. This may be Little Endian or Big Endian.
Network Byte Order - The way in which data is sent over the network. This is always Big Endian.
So when a Big Endian system receives data from the network, it does not need to reverse the bytes, whereas a Little Endian system that receives data from the network has to reverse them.
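As an added example (my own code, not from the original post or the author's repository), the Python below makes the byte-order discussion concrete: it packs 0x12345678 both ways, checks whether `socket.htons` is a no-op on the host this runs on, and then parses a constructed Ethernet frame and IPv4 header using the `!` (network byte order) struct prefix. It also shows what happens if the EtherType is mistakenly read as little endian. The sample frame, including its zeroed checksum, is constructed for the example; the function names are mine.

```python
import socket
import struct
import sys

# Constructed sample frame: broadcast dst MAC, src MAC 00:11:22:33:44:55,
# EtherType 0x0800 (IPv4), then a 20-byte IPv4 header with a zeroed checksum.
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff")                                # dst MAC
    + bytes.fromhex("001122334455")                              # src MAC
    + bytes.fromhex("0800")                                      # EtherType, big endian on the wire
    + bytes.fromhex("4500001c0001000040110000c0a80158c0a80101")  # IPv4 header
    + b"payload"
)


def pack_both_endians(value: int):
    """Lay out one 32-bit value byte by byte in little ('<') and big ('>') endian."""
    little = struct.pack("<I", value).hex(" ")
    big = struct.pack(">I", value).hex(" ")
    return little, big


def host_byte_order() -> str:
    """'little' on x86_64, 'big' on big-endian hosts."""
    return sys.byteorder


def htons_is_noop() -> bool:
    """socket.htons leaves a value unchanged only when host order already equals network order."""
    return socket.htons(0x1234) == 0x1234


def format_mac(raw: bytes) -> str:
    """6 raw bytes -> 'AA:BB:CC:DD:EE:FF'."""
    return ":".join(f"{b:02x}" for b in raw).upper()


def ethernet_header(frame: bytes):
    """Parse the 14-byte Ethernet header: dst MAC, src MAC, EtherType, remaining data."""
    dst, src, proto = struct.unpack("!6s6sH", frame[:14])  # '!' = network byte order
    return format_mac(dst), format_mac(src), proto, frame[14:]


def ethertype_misread(frame: bytes) -> int:
    """The same two EtherType bytes read as little endian: the common bug this section warns about."""
    return struct.unpack("<H", frame[12:14])[0]


def ipv4_header(data: bytes):
    """Parse the fixed part of an IPv4 header (version, IHL, TTL, protocol, src, dst, payload)."""
    version_ihl = data[0]
    version = version_ihl >> 4           # high nibble
    ihl = (version_ihl & 0x0F) * 4       # low nibble, in 32-bit words -> bytes
    # 8x skips TOS/length/ID/flags, then TTL and protocol, 2x skips the checksum.
    ttl, proto, src, dst = struct.unpack("!8xBB2x4s4s", data[:20])
    return version, ihl, ttl, proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), data[ihl:]


if __name__ == "__main__":
    print("0x12345678 little/big:", pack_both_endians(0x12345678))
    print("host order:", host_byte_order(), "| htons is no-op:", htons_is_noop())
    dst, src, proto, rest = ethernet_header(SAMPLE_FRAME)
    print(f"Ethernet: {src} -> {dst}, EtherType 0x{proto:04x} (misread: 0x{ethertype_misread(SAMPLE_FRAME):04x})")
    print("IPv4:", ipv4_header(rest))
```

Using `!` in every `struct.unpack` format string is what makes the sniffer correct on both kinds of host: the bytes on the wire are always big endian, so the parser should never depend on `sys.byteorder`.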
These are the web pages I referred to learn more about Byte Order -
Hope this article was helpful for students who are looking to do projects on Networking and Cybersecurity. Any modifications/suggestions to Project/This Blog are welcome. Meet you on the next project !!