Python dpkt Packet Parsing — Core Concepts

Why this matters in production

When investigating security incidents, debugging network issues, or building traffic analytics, you often start with a pcap file — a raw capture of network packets. dpkt is one of the fastest Python libraries for parsing these files. Unlike Scapy (which focuses on packet crafting and sending), dpkt is optimized for reading and decoding existing traffic at speed.

Companies use dpkt to build custom intrusion detection systems, network flow analyzers, and compliance monitoring tools where processing millions of packets quickly matters.

What dpkt does

dpkt provides two things:

  1. Pcap file reading — Open capture files and iterate through packets.
  2. Protocol decoding — Parse raw bytes into structured objects for Ethernet, IP, TCP, UDP, DNS, HTTP, and dozens more protocols.

It does not send packets or capture live traffic. It is purely a parser — but a very fast one, written in C-optimized Python.

How pcap parsing works

A pcap file stores packets with timestamps. dpkt reads them sequentially:

import dpkt

with open("capture.pcap", "rb") as f:
    pcap = dpkt.pcap.Reader(f)              # parses the pcap global header, then yields records
    for timestamp, buf in pcap:             # timestamp: float seconds since the epoch; buf: raw bytes
        eth = dpkt.ethernet.Ethernet(buf)   # decode the link layer (assumes Ethernet framing)
        print(f"Time: {timestamp}, Length: {len(buf)}, Payload: {type(eth.data).__name__}")

Each iteration yields a timestamp (Unix epoch) and raw bytes. You then decode the bytes starting from the link layer (usually Ethernet).

Protocol layer decoding

Network packets are layered. dpkt decodes each layer as a nested object:

import dpkt
import socket

with open("capture.pcap", "rb") as f:
    pcap = dpkt.pcap.Reader(f)
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)

        # Check for IP layer (non-IP frames such as ARP leave eth.data as another class or raw bytes)
        if not isinstance(eth.data, dpkt.ip.IP):
            continue
        ip = eth.data

        # ip.src / ip.dst are 4-byte values in network order; inet_ntoa renders them as dotted quads
        src = socket.inet_ntoa(ip.src)
        dst = socket.inet_ntoa(ip.dst)

        # Check for TCP (ip.data is dpkt.udp.UDP, dpkt.icmp.ICMP, ... for other transports)
        if isinstance(ip.data, dpkt.tcp.TCP):
            tcp = ip.data
            print(f"{src}:{tcp.sport} -> {dst}:{tcp.dport}")

The pattern is always: decode outer layer → access .data → decode inner layer.

Supported protocols

dpkt supports a wide range of protocols out of the box:

  • Link layer: Ethernet, 802.11 WiFi, PPP, SLL (Linux cooked capture)
  • Network layer: IPv4, IPv6, ARP, ICMP, IGMP
  • Transport layer: TCP, UDP, SCTP
  • Application layer: HTTP, DNS, SSL/TLS, DHCP, NTP, RTP, SIP, SNMP

Each protocol is a lightweight class with named attributes for every header field.

Common misconception

Many developers confuse dpkt with Scapy. They serve different roles: Scapy is for crafting and sending packets (interactive, flexible, slower). dpkt is for parsing and analyzing existing captures (batch processing, fast, read-only). If you need to build packets, use Scapy. If you need to read a 10 GB pcap file, use dpkt.

Key considerations

  • Endianness — Network protocols use big-endian byte order. dpkt handles this automatically, but if you access raw bytes directly, remember to convert.
  • Truncated packets — Captures often have a snaplen that truncates large packets. Always check data lengths before parsing payload.
  • IP fragmentation — A single logical message may span multiple IP fragments. dpkt parses each fragment independently; reassembly is your responsibility.
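The pcap reading, the layer-by-layer decoding and the endianness and snaplen caveats above, in one added example that is not dpkt's own code: a minimal pure-Python reader that does by hand what dpkt.pcap.Reader plus the Ethernet/IP/TCP classes do, so the byte order of the file headers, the effect of a short snaplen and the nested decoding can be seen directly. The in-memory pcap, addresses and ports are constructed inline, and all function names are the example's own.

```python
import socket
import struct
ETH_TYPE_IP, IP_PROTO_TCP = 0x0800, 6                      # EtherType / IP protocol numbers

def read_pcap(data):
    """Yield (timestamp, captured_bytes) per record, like dpkt.pcap.Reader does."""
    # Magic fixes the byte order of the file headers only; packet contents are always big-endian.
    e = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if e is None:
        raise ValueError("not a classic pcap file")
    pos = 24                                               # skip the 24-byte global header
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, pos)
        yield ts_sec + ts_usec / 1e6, data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def decode_tcp_flow(buf):
    """Ethernet -> IPv4 -> TCP; returns (src, sport, dst, dport) or None."""
    # Every layer checks it has enough bytes; on truncated records this is where dpkt raises NeedData.
    if len(buf) < 14 or struct.unpack_from("!H", buf, 12)[0] != ETH_TYPE_IP:
        return None                                        # not IPv4 (e.g. ARP)
    ip = buf[14:]
    if len(ip) < 20:
        return None                                        # IPv4 header cut off by snaplen
    ihl = (ip[0] & 0x0F) * 4                               # header length in bytes
    if ip[9] != IP_PROTO_TCP or len(ip) < ihl + 4:
        return None                                        # not TCP, or TCP ports cut off
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport

def tcp_flows(data):
    return [f for _, buf in read_pcap(data) if (f := decode_tcp_flow(buf))]

def tcp_frame(src, sport, dst, dport):  # constructed sample Ethernet/IPv4/TCP SYN, checksums left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IP_PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IP) + ip

def sample_pcap(snaplen=96, little_endian=True):
    """Constructed in-memory pcap: two TCP SYN frames with one ARP frame between them."""
    e = "<" if little_endian else ">"
    frames = [tcp_frame("10.0.0.1", 50000, "10.0.0.2", 443),
              b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,   # ARP frame, not IPv4
              tcp_frame("10.0.0.3", 50001, "10.0.0.4", 22)]
    out = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, f in enumerate(frames):
        kept = f[:snaplen]                                 # a capture stores at most snaplen bytes
        out += struct.pack(e + "IIII", 1700000000 + i, 0, len(kept), len(f)) + kept
    return out
```

Reading the same sample with snaplen=30 yields no flows at all, because the IPv4 header no longer fits in the captured bytes; that is the failure the truncated-packets caveat warns about.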

One thing to remember: dpkt is the speed-focused choice for reading pcap files in Python. It decodes the nested layers of network packets into clean Python objects, making large-scale traffic analysis practical without leaving the Python ecosystem.
