A minimal tcpdump-like packet capture tool built with Python and libpcap.
- Lean dependency model: directly calls libpcap via ctypes, thus having no bundled binary dependencies.
- Familiar workflow: supports tcpdump-style BPF expressions (for example, tcp port 443).
- Flexible packaging: supports shiv (.pyz), pex (.pex), and nuitka (native executable).

- Python >=3.10
- On Windows, install Npcap/WinPcap first (provides wpcap.dll)

# List interfaces
uv run python main.py -D
# Capture packets (example)
uv run python main.py "tcp and port 80"
# Capture on a specific interface and stop after 20 packets
uv run python main.py -i "<interface>" -c 20 udp
# Write packets to a pcap file
uv run python main.py -i "<interface>" -q -w capture.pcap "tcp port 443"

uv run --with shiv python build_shiv.py
uv run --with shiv python build_shiv.py --output-file dist/custom/pytcpdump.pyz

uv run --with pex python build_pex.py
uv run --with pex python build_pex.py --output-file dist/custom/pytcpdump.pex

Notes:
- build_pex.py installs dependencies into a temporary bundle first, then invokes pex.
- This avoids common Windows path issues during direct pex resolution.

uv run --with nuitka python build_nuitka.py
uv run --with nuitka python build_nuitka.py --mode standalone
uv run --with nuitka python build_nuitka.py --output-dir dist/custom

Notes:
- Default output directory: dist/nuitka
- Uses Nuitka import inference by default (no hardcoded include flags)

- -i, --interface: capture interface name
- -D, --list-interfaces: list interfaces and exit
- -c, --count: stop after receiving COUNT packets (0 means unlimited)
- -s, --snapshot-length: snapshot length in bytes
- -p, --no-promiscuous: disable promiscuous mode
- -w, --write: write captured packets to a .pcap file
- -q, --quiet: do not print packet summaries
- -t, --timeout-ms: read timeout in milliseconds
- expression: BPF filter expression (tcpdump style)
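
When a capture is written with -w and a small -s value, records whose payload was cut at the snapshot length are easy to miss in later analysis. The following is an added example, not code from this project: it walks a capture file and counts truncated records, assuming the file is in the classic pcap format (not pcapng); `summarize_pcap` and `constructed_sample` are hypothetical names, and the sample bytes are constructed.

```python
import struct

# Classic pcap magic numbers: microsecond and nanosecond timestamp variants.
MAGICS = (0xA1B2C3D4, 0xA1B23C4D)

def summarize_pcap(data: bytes) -> dict:
    """Walk a classic pcap byte string and count snaplen-truncated records."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    # The header is written in the capturing host's byte order; try both.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    # magic, version major/minor, thiszone, sigfigs, snaplen, link type
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    offset, packets, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        # Per-record header: ts seconds, ts fraction, captured len, wire len
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + caplen > len(data):
            raise ValueError(f"record {packets} runs past end of file")
        packets += 1
        if caplen < origlen:  # payload cut at the snapshot length
            truncated += 1
        offset += caplen
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets,
            "truncated": truncated, "trailing_bytes": len(data) - offset}

def constructed_sample(endian: str = "<") -> bytes:
    """Constructed capture: snaplen 64, Ethernet, one full and one cut record."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    out += struct.pack(endian + "IIII", 1, 0, 60, 60) + bytes(60)
    out += struct.pack(endian + "IIII", 2, 0, 64, 1514) + bytes(64)
    return out

if __name__ == "__main__":
    print(summarize_pcap(constructed_sample()))
```

A non-zero `truncated` count means payload-level inspection of those packets is incomplete; a non-zero `trailing_bytes` value points to a capture that was interrupted mid-record.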