FlowParser is a C Python extension for reconstructing and dumping IP flows from either a packet trace or a live capture. It works by sniffing traffic and keeping track of active flows. Each flow also has the headers (network and transport layer) of its packets stored. The flow and its packet headers are made available either on demand or when the flow terminates.
What could you possibly use another packet sniffer for?
And lots more. In general the idea is that reconstructing a flow and looking at the header fields of its packets should be as quick and painless as a couple of lines of Python.
This simple snippet will start listening on the en0 interface and every ten seconds will print the five-tuple id of flows that go faster than 1 KB per second (the Bps field is bytes per second; the print statement is Python 2 syntax, which is what FlowParser requires):
import fparser
import time

# Start capturing on en0; the parser tracks active flows in the background.
fp = fparser.FParser('en0')
while True:
    time.sleep(10)
    # Walk the flows currently known to the parser.
    for flow in fp.flow_iter():
        # Bps is the flow's rate in bytes per second.
        if flow.get_info().Bps > 1000:
            print flow.get_id()
There are more examples in the examples section.
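To make the idea behind the snippet concrete, here is an added, self-contained Python 3 example (not FlowParser's own code) that does in pure Python what the extension does in C: groups packet headers by their five-tuple, keeps per-flow byte counts, and flags flows whose rate exceeds a threshold. The Packet records, the Flow class, the rate definition (bytes over the flow's lifetime) and the sample traffic are all constructed here for illustration; FlowParser's real objects and rate window may differ.

```python
from collections import namedtuple
from typing import Dict, List, Tuple

# Constructed packet header record: timestamp (s), addresses, ports, protocol, size.
Packet = namedtuple("Packet", "ts src dst sport dport proto length")
FiveTuple = Tuple[str, str, int, int, str]


class Flow:
    """Per-flow state, in the spirit of FlowParser's flow info (assumed layout)."""

    def __init__(self, pkt: Packet) -> None:
        self.first = pkt.ts
        self.last = pkt.ts
        self.bytes = 0
        self.packets = 0
        self.add(pkt)

    def add(self, pkt: Packet) -> None:
        self.last = pkt.ts
        self.bytes += pkt.length
        self.packets += 1

    def bps(self) -> float:
        # Bytes per second over the flow's lifetime; clamp to 1 s so a
        # single-packet flow does not divide by zero (our own convention).
        return self.bytes / max(self.last - self.first, 1.0)


def flow_id(pkt: Packet) -> FiveTuple:
    """The five-tuple that identifies a (unidirectional) flow."""
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)


def build_flows(packets: List[Packet]) -> Dict[FiveTuple, Flow]:
    """Reconstruct flows from a packet sequence, as the sniffer would."""
    flows: Dict[FiveTuple, Flow] = {}
    for pkt in packets:
        key = flow_id(pkt)
        if key in flows:
            flows[key].add(pkt)
        else:
            flows[key] = Flow(pkt)
    return flows


def fast_flows(flows: Dict[FiveTuple, Flow], threshold_bps: float = 1000) -> List[FiveTuple]:
    """Five-tuples of flows faster than the threshold, like the page's loop."""
    return sorted(k for k, f in flows.items() if f.bps() > threshold_bps)


# Constructed sample: a bulk TCP transfer (1500 B/s x 10 s) and a slow UDP flow.
SAMPLE = (
    [Packet(float(i), "10.0.0.5", "10.0.0.9", 40000, 443, "tcp", 1500) for i in range(10)]
    + [Packet(t, "10.0.0.7", "10.0.0.9", 50000, 53, "udp", 100) for t in (0.0, 5.0, 10.0)]
)
```

Running `fast_flows(build_flows(SAMPLE))` reports only the TCP transfer, whose 15000 bytes over 9 seconds exceed the 1000 B/s threshold; the UDP flow averages 30 B/s.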
Currently FlowParser requires Python 2.7 and libpcap. You will also need the usual things needed when compiling C extensions (gcc, python-dev, etc.). FlowParser has been tested on Linux and OS X, but should work on any Unix-like system with support for libpcap. To install, run:
easy_install flowparser
The source code repository is located at http://flowparser.googlecode.com