The linked page says "High level != inefficient" and shows an example program which will print "every TCP packet".
With no "if" anywhere in the code, I wondered how it knew to print only TCP packets and not others. And the answer turns out to be that it throws a C++ exception on every non-TCP packet!
If most of the packets on your network are TCP, this is sort of OK. But if you have mostly non-TCP packets, this toy program costs about 10x the CPU utilization that it would if it used "if" instead of magic.
There are plenty of ways they can keep the current API while eventually approaching optimal, for example, a chain of exceptions could incrementally refine the framework's idea of what the callback function expects, which could be turned into a BPF filter.
So for the cost of a few expensive frames at start, afterwards no exceptions get thrown.
Generally speaking though, I'm only replying because I hate people negging on minutia of new projects. If you're going to be critical of something especially when it's a lone wolf effort (or even a small team), try to be constructive, there are real people on the other end of the wire.
If high efficiency wasn't touted as a feature then it would have been fine. But when it turns out that one of the main selling points is performance (with no expressed limitations or restrictions) and regular patterns perform badly, as a consequence of the design, then it is quite valid criticism. (Whether this is the case in practice I don't know but GP brings up a very valid point)
GPs point begs the question - Why was it designed in such as way? Quite possibly the tradeoffs were considered and the current solution was targeted because of several reasons. But the page doesn't convey any of that, it simply states that "In fact, it is one of the fastest packet sniffing and interpretation libraries available.".
While I agree with your point the library isn't exactly marketed as a lone wolf effort either, and that will also affect the criticism it will receive.
A more charitable reading of my comment would be that I am recommending the use of "if" instead of C++ exceptions for hot-path control flow in high-performance libraries.
Heuristic construction of a packet filter based on previously seen exceptions is infeasible with the current API because rejection of the first N non-TCP packets does not guarantee rejection of the next one.
Developer here. There's alternatives that don't throw but the example is mostly so people look at it and say "ah, cool, this is actually simple to use". I normally still use this throw-version of doing things when I just need to quickly do something, as in reality in most cases I don't care about performance for specific 10 line code snippets.
If you want to do things right, you can read the docs and use the appropriate API call (like using the non throwing PDU::find_pdu, use bpf filters, etc).
It seems there is an rfind_pdu returning a reference and throwing if the PDU is not present, or a find_pdu returning a pointer which you can just test for null.
Also check out packit[1] a command line packet crafter. It is very easy to use once you really understand how to use it. Also it has no 'restrictions' on what packets can be crafted. It lets you get away with as much as possible.
It should be readily available on most package managers, atleast debian based last time I checked.
No, I thought so too initially. The person is just hosting the project looking for a maintainer(he is hosting other abandoned projects too). Debian project is also looking for someone to maintain the package.
>Note: the scapy benchmarks look like it takes almost the same time as the impacket ones, but it actually doesn't. In fact, it takes so much time that the maximum Y-axis value had to be restricted. Otherwise the rest of the bars couldn't almost be seen. If you hover over each bar, you will see the actual times in seconds.
wow, they weren't kidding. In the first and the last graph, scapy is ten times slower than the next slowest lib.
Somewhat related: pcapy is a useful Python library for network packet handling. We used it recently in a project after evaluating it and a few others (not very thoroughly, though). dpkt is useful too.
pcapy can read from a live stream or from a packet capture file (.pcap format).
How flexible it is despite being high level? I mean, can I use any field on those supported protocols? Can I tunnel TCP inside, say, dns? can I implement/send custom protocols without touching the lib?
With no "if" anywhere in the code, I wondered how it knew to print only TCP packets and not others. And the answer turns out to be that it throws a C++ exception on every non-TCP packet!
If most of the packets on your network are TCP, this is sort of OK. But if you have mostly non-TCP packets, this toy program costs about 10x the CPU utilization that it would if it used "if" instead of magic.