Welcome to FlowParser!

FlowParser is a C Python extenson for reconstructing and dumping IP flows from either a packet trace or a live capture. It works by sniffing traffic and keeping track of active flows. Each flow also has the headers (network and transport layer) of its packets stored. The flow and its packet headers are made available either on demand or when the flow terminates.

Use Cases

What could you possibly use another packet sniffer for?

• Active monitoring of flows in / out of your machine / network. Ever wondered what flows are currently active and how much bandwidth they are using? FlowParser is an easy-to-use lightweight way of finding out.
• Looking for anomalies in header fields. FlowParser will let you spot and record flows that for example have strange variation in TTL.
• Quick offline data parsing. If you are looking for a specific flow or you want to study the behavior of a class of flows in a multi-GB packet trace FlowParser can help you accomplish the task quickly and easily.

And lots more. In general the idea is that reconstructing a flow and looking at the header fields of its packets should be as quick and painless as a couple of lines of Python.

Simple Example

This simple snippet will start listening to the en0 interface and every ten seconds will print the five-tuple id of flows that go faster than 1KB per second:

import fparser
import time

fp = fparser.FParser('en0')

while True:
      time.sleep(10)
      for flow in fp.flow_iter():
          if flow.get_info().Bps > 1000:
             print flow.get_id()

There are more examples in the examples section.

Requirements and installation

Currently FlowParser requires Python 2.7 and libpcap. You will also need the usual things needed when compiling C extensions (gcc, python-dev etc.). FlowParser has been tested on Linux and OSX, but should work on any unix-like system with support for libpcap. To install do

easy_install flowparser

The source code repository is located at http://flowparser.googlecode.com

• API