Reading Pcap files with Scapy

Network traffic captures are a wonderful thing. However, they can be an absolute chore to read and Wireshark isn't the most newbie-friendly tool in the world. Thankfully, we have a fantastic Python module named Scapy to make our lives a little easier.

To begin, let's grab a bit of traffic from our own machine. First, start tcpdump listening on all interfaces, saving full sized packets, and writing the results to a pcap file. One caveat: on Linux, `-i any` writes "cooked" (SLL) frames instead of Ethernet frames; Scapy decodes those as a CookedLinux layer, so the DNS dissection below still works, but don't be surprised when there is no Ether layer in the packets.

sudo tcpdump -i any -s 65535 -w example.pcap

Now, while that's running, we'll open a browser and hop to a few different sites. Let's say Github to check our PRs and Twitter to check if the sky is falling. When we're done, go back to the terminal window and press Ctrl+C to stop tcpdump.

Now, let's write a short script and see if we can find the DNS answer packets in the capture we just created:

from scapy.all import *

# rdpcap comes from scapy and loads our pcap file into a list of dissected packets
packets = rdpcap('example.pcap')

# Let's iterate through every packet
for packet in packets:
    # We're only interested in packets carrying a DNS Resource Record (DNSRR) layer,
    # which is what Scapy uses for the answer section of a DNS response
    if packet.haslayer(DNSRR):
        # If the an(swer) section is a DNSRR, print the name it replied with
        # (rrname is bytes on recent Scapy versions, e.g. b'github.com.')
        if isinstance(packet.an, DNSRR):
            print(packet.an.rrname)

Running this should (depending on what was already in our DNS cache before tcpdump started, anyway) print the names from the DNS responses for Github and Twitter, along with anything else the machine happened to look up in the meantime (oh hey there, NTP).
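To see what rdpcap and the DNSRR dissector are doing for us, here is an added example (my own code, not from the original post and not part of Scapy) that does the same job with only the Python standard library: it walks the classic pcap record format, handles both Ethernet and the Linux "cooked" link type that `tcpdump -i any` produces, picks out UDP/53 packets, and decodes the answer section including RFC 1035 name compression. The capture it reads is constructed in memory (a query for www.github.com and its CNAME + A response, using RFC 5737 documentation addresses), so it runs offline; the function and variable names are my own.

```python
"""Stdlib-only pcap reader that pulls DNS answer records out of a capture."""
import io
import socket
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113   # "cooked" frames, what `tcpdump -i any` writes on Linux
L2_HEADER_LEN = {LINKTYPE_ETHERNET: 14, LINKTYPE_LINUX_SLL: 16}


def read_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name as it appears in the packet)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer, 14-bit target offset
            end = end if end is not None else off + 2
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                              # refuse looping pointers in hostile input
                raise ValueError('DNS name compression loop')
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels) + '.', (end if end is not None else off)


def dns_answers(msg):
    """Yield (name, rtype, rdata) for each record in the answer section of a DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack('!6H', msg[:12])
    if not flags & 0x8000:                             # QR bit clear: a query, nothing to report
        return
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            rdata = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == 5:                               # CNAME: rdata is itself a compressible name
            rdata, _ = read_name(msg, off)
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        yield name, rtype, rdata


def dns_answers_in_pcap(fileobj):
    """Walk a classic pcap (not pcapng) and return every DNS answer seen on UDP/53 over IPv4."""
    header = fileobj.read(24)
    magic = struct.unpack('<I', header[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):              # little-endian (usec / nsec timestamps)
        endian = '<'
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):            # big-endian
        endian = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng needs a different reader)')
    *_, linktype = struct.unpack(endian + 'HHiIII', header[4:])
    l2len = L2_HEADER_LEN[linktype]                    # both layouts end with a 2-byte ethertype
    found = []
    while True:
        rec = fileobj.read(16)
        if len(rec) < 16:
            break
        _ts, _us, incl_len, _orig_len = struct.unpack(endian + 'IIII', rec)
        frame = fileobj.read(incl_len)
        if len(frame) < l2len + 28:                    # too short for IPv4 + UDP headers
            continue
        if struct.unpack('!H', frame[l2len - 2:l2len])[0] != 0x0800:
            continue                                   # IPv4 only; IPv6 is left out here
        ip = l2len
        ihl = (frame[ip] & 0x0F) * 4
        if frame[ip + 9] != 17:                        # not UDP
            continue
        udp = ip + ihl
        sport, dport, ulen = struct.unpack('!HHH', frame[udp:udp + 6])
        if 53 not in (sport, dport):
            continue
        found.extend(dns_answers(frame[udp + 8:udp + ulen]))
    return found


def _udp_frame(src, sport, dst, dport, dns):
    """Wrap a DNS message in UDP/IPv4/Ethernet (checksums left zero; constructed sample only)."""
    udp = struct.pack('!HHHH', sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return b'\x00' * 12 + struct.pack('!H', 0x0800) + ip


def build_sample_pcap():
    """Constructed capture (not real traffic): a query for www.github.com and its response."""
    question = b'\x03www\x06github\x03com\x00' + struct.pack('!HH', 1, 1)
    query = struct.pack('!6H', 0x1234, 0x0100, 1, 0, 0, 0) + question
    # Answers use pointers: 0xC00C -> offset 12 (www.github.com), 0xC010 -> offset 16 (github.com)
    cname = b'\xc0\x0c' + struct.pack('!HHIH', 5, 1, 300, 2) + b'\xc0\x10'
    a_rec = b'\xc0\x10' + struct.pack('!HHIH', 1, 1, 60, 4) + socket.inet_aton('192.0.2.10')
    response = struct.pack('!6H', 0x1234, 0x8180, 1, 2, 0, 0) + question + cname + a_rec
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for frame in (_udp_frame('192.0.2.50', 51234, '192.0.2.53', 53, query),
                  _udp_frame('192.0.2.53', 53, '192.0.2.50', 51234, response)):
        out += struct.pack('<IIII', 0, 0, len(frame), len(frame)) + frame
    return out


def sample_answers():
    """Run the reader over the constructed capture (swap in open('example.pcap', 'rb') for real data)."""
    return dns_answers_in_pcap(io.BytesIO(build_sample_pcap()))


if __name__ == '__main__':
    for name, rtype, rdata in sample_answers():
        print(name, rtype, rdata)
```

The query packet is dropped because its QR bit is clear, and the CNAME chain shows why name compression has to be handled on rdata as well as on the owner name; the hop limit in read_name is there because a pointer that loops back on itself is a classic way to hang a naive parser. Scapy does all of this for you, which is the whole point of the post.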


Anyway, Scapy is huge, this post won't be, but I'll hopefully add more as I learn.