My latest project came with a strange requirement: I need to route IP packets from Linux kernel space to user space. In other words, I need to write an IP packet sniffer similar to tcpdump or Wireshark.
The project does not have a high data rate requirement, so I chose Python for some rapid prototyping to get a feel for the problem.
Sniffing with Scapy … Slowly
In my experience, Python often comes with a magical one-liner that just gets the job done, and this time it did not disappoint. My co-worker’s Google-fu quickly found that the Scapy package has a sniff feature, and yes, it is a one-liner. 🙂
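A minimal sketch of what such a Scapy sniffer can look like, assuming Scapy is installed and the script runs as root. The `show` callback, the `ip` capture filter, and `store=0` are illustrative choices, not necessarily what scapy_sniff.py uses:

```python
def show(pkt):
    """Return a one-line summary; Scapy prints whatever the callback returns."""
    return pkt.summary()


def main():
    # Imported here so the module still loads where Scapy is not installed.
    from scapy.all import sniff

    # filter="ip" is a BPF expression limiting the capture to IPv4 packets.
    # store=0 stops Scapy from keeping every captured packet in memory.
    sniff(filter="ip", prn=show, store=0)


if __name__ == "__main__":
    main()
```

The actual sniffing is the single `sniff(...)` call; everything else is scaffolding.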
On the first try, the Scapy sniffer worked perfectly, and I immediately saw all the incoming and outgoing packets as I browsed through different webpages to trigger HTTP traffic.
So how about a stress test? For that, I went to the Ubuntu homepage and downloaded an Ubuntu ISO. The file is large, and the data rate is reasonably high for a quick test. Unfortunately, Scapy didn’t perform so well.
It turned out that capturing at ~4.4 MB/s (35 Mbps) consumed close to 100% of my CPU. This is an unacceptable amount of overhead for just routing packets from the kernel into user space.
Sniffing with Raw Socket
Since Scapy comes with too much overhead, the next step was to go down a layer and implement a raw layer 2 socket. When a user-space application creates a raw socket, the Linux kernel automatically delivers to it a copy of every datagram that matches the socket's protocol number. So with a layer 2 socket, the application receives all Ethernet frames.
*A layer 2 socket was chosen because I need to sniff both incoming and outgoing packets on a network interface. A layer 3 socket does not appear to provide this capability.
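A rough sketch of the layer 2 approach, assuming Linux, Python 3, and an interface named `eth0`. The interface name and the `parse_ipv4` helper are hypothetical, and this is not necessarily how ip_sniff.py is written:

```python
import socket
import struct

ETH_P_ALL = 0x0003  # from linux/if_ether.h: every protocol, both directions
ETH_P_IP = 0x0800   # EtherType for IPv4
ETH_HLEN = 14       # destination MAC (6) + source MAC (6) + EtherType (2)


def parse_ipv4(frame):
    """Return (src, dst, protocol) for an IPv4 Ethernet frame, else None."""
    if len(frame) < ETH_HLEN + 20:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_IP:
        return None
    ip = frame[ETH_HLEN:ETH_HLEN + 20]  # fixed part of the IPv4 header
    proto = ip[9]
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    return src, dst, proto


def main(ifname="eth0"):
    # AF_PACKET is Linux-only and needs root (or CAP_NET_RAW).
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    while True:
        info = parse_ipv4(s.recv(65535))
        if info:
            print("%s -> %s proto=%d" % info)


if __name__ == "__main__":
    main()
```

Keeping the parsing in a plain function means it can be exercised on canned bytes without opening a socket.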
So how’s the performance this time around? It turned out to be surprisingly fast.
At the same data rate, CPU consumption dropped from close to 100% to only 16%.
This is more than fast enough for my application. Mission Accomplished!
If the Python raw socket had still been too slow, the next step would have been to rewrite the sniffer in C.
In practice, Scapy comes with a lot of overhead as a live packet sniffer. If you don’t need all the power of Scapy, an IP sniffer can be easily implemented with a Python raw socket and provides fairly reasonable performance.
Creating a raw socket requires root permission (or the CAP_NET_RAW capability), so the scripts need to be run as root.
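One way to make the permission requirement friendlier is to catch the failure and print a hint instead of a traceback. This is only a sketch: the `open_sniffer_socket` helper is hypothetical and not part of the scripts listed here.

```python
import socket


def open_sniffer_socket(make_socket):
    """Call make_socket() and turn a permission failure into a readable hint."""
    try:
        return make_socket()
    except PermissionError:
        # Raised when the process lacks root or CAP_NET_RAW.
        raise SystemExit("Raw sockets need root, e.g. run the script with sudo")


if __name__ == "__main__":
    # 0x0003 is ETH_P_ALL; AF_PACKET only exists on Linux.
    sock = open_sniffer_socket(
        lambda: socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    )
    print("raw socket opened:", sock)
```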
scapy_sniff.py – IP sniffer using Scapy
ip_sniff.py – IP sniffer using Python raw socket
All tests were run on Linux Mint 15 in a VirtualBox VM with Windows 7 as the host.