PCAP tools for practical traffic monitoring in LAN

Speaker : Ludovic Noirie
Nokia Bell Labs France
Date: 20/10/2021
Time: 10:45 am - 12:00 pm
Location: Paris-Rennes Room (EIT Digital)

Abstract

Pcap (Packet CAPture) is an API for network monitoring, essentially in LANs (Ethernet, WiFi). It is mainly used for passive monitoring (packet capture), but it can also be used for active monitoring (packet injection). There are implementations for Linux (libpcap), Apple (libpcap) and Windows (WinPcap, Npcap and Win10Pcap) systems. Pcap is used by the tcpdump, tshark and Wireshark software, but you can also build your own software on top of it. In this session of the Internet Measurement Reading Group, we will present how it works and how it can be used from Node.js (cap and pcap modules) and Python (Scapy), with some application use cases. For the application use cases, we will explain how we used Pcap for IoT device type identification and how we are using Pcap in our current IoT Network Monitoring project.
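To make the capture side concrete, here is an added example (not material from the talk, nor code from the author or from libpcap/Scapy) that parses the classic libpcap file format linked in the references below: the 24-byte global header, then one 16-byte record header per captured packet, followed by the captured bytes. It handles both byte orders and the nanosecond-timestamp magic, refuses records that exceed the declared snaplen or the buffer, and decodes the Ethernet and IPv4 headers of each frame. The capture it reads is constructed inline (MAC and IP addresses are made up for the example), so it runs offline; `build_sample_pcap`, `parse_pcap` and `decode_ethernet` are names chosen here, not an existing API.

```python
import struct
from dataclasses import dataclass

# Magic numbers from the libpcap file format: microsecond and nanosecond variants.
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


@dataclass
class PcapPacket:
    timestamp: float      # seconds since the epoch, fractional part from the record
    captured_len: int     # bytes actually stored (incl_len)
    original_len: int     # bytes on the wire (orig_len)
    data: bytes


def parse_pcap(blob: bytes):
    """Parse an in-memory .pcap capture; returns (link_type, [PcapPacket, ...])."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    # The magic number tells us the writer's byte order and timestamp resolution.
    magic_le, = struct.unpack("<I", blob[:4])
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif struct.unpack(">I", blob[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError(f"not a pcap file (magic {blob[:4].hex()})")
    magic, _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", blob[:24])
    divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6

    packets, offset = [], 24
    while offset < len(blob):
        if offset + 16 > len(blob):
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", blob[offset:offset + 16])
        offset += 16
        # Defensive checks: a hostile or corrupt file can declare absurd lengths.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"record length {incl_len} inconsistent with snaplen/orig_len")
        if offset + incl_len > len(blob):
            raise ValueError("truncated packet data")
        packets.append(PcapPacket(ts_sec + ts_frac / divisor, incl_len, orig_len,
                                  blob[offset:offset + incl_len]))
        offset += incl_len
    return linktype, packets


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_ethernet(frame: bytes) -> dict:
    """Decode the Ethernet II header and, for IPv4, the addresses and protocol."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype, = struct.unpack("!H", frame[12:14])
    out = {"dst_mac": _mac(frame[:6]), "src_mac": _mac(frame[6:12]), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        out["ihl"] = (frame[14] & 0x0F) * 4          # header length in bytes
        out["proto"] = frame[23]                     # 17 = UDP, 6 = TCP, 1 = ICMP
        out["src_ip"] = ".".join(str(x) for x in frame[26:30])
        out["dst_ip"] = ".".join(str(x) for x in frame[30:34])
    return out


def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed sample: one Ethernet/IPv4/UDP frame (mDNS-style, made-up addresses)."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 5353, 5353, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([224, 0, 0, 251])) + udp
    eth = (bytes.fromhex("01005e0000fb") + bytes.fromhex("0242ac110002")
           + struct.pack("!H", ETHERTYPE_IPV4) + ip)
    global_hdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535,
                             LINKTYPE_ETHERNET)
    rec_hdr = struct.pack(endian + "IIII", 1634722500, 250000, len(eth), len(eth))
    return global_hdr + rec_hdr + eth


if __name__ == "__main__":
    link, pkts = parse_pcap(build_sample_pcap())
    for p in pkts:
        print(f"{p.timestamp:.6f} len={p.captured_len}/{p.original_len}",
              decode_ethernet(p.data) if link == LINKTYPE_ETHERNET else "non-Ethernet")
```

The same loop is what a capture program built on the API does live: libpcap hands each packet to a callback with the same timestamp and length fields, and the Ethernet/IPv4 decoding shown here is the first step of the per-device traffic features used for device identification.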


References

Pcap:
https://www.tcpdump.org/
pcap file format: https://wiki.wireshark.org/Development/LibpcapFileFormat

Node.js modules:
– node_pcap (pcap): https://www.npmjs.com/package/pcap
– cap: https://www.npmjs.com/package/cap

Python module:
– scapy: https://scapy.readthedocs.io/en/latest/

Application example:
Nesrine Ammar, Ludovic Noirie, Sébastien Tixeuil, “Autonomous IoT Device Identification Prototype,” best demo paper at Network Traffic Measurement and Analysis Conference 2019, Jun 2019, Paris
https://dx.doi.org/10.23919/TMA.2019.8784517

Presentation materials: Jupyter notebook used during the presentation