- Atul for Marketing
- Posts
- Watching the Internet Talk: A Beginner’s Packet Sniffer in Python
Watching the Internet Talk: A Beginner’s Packet Sniffer in Python
In this project, I built a lightweight packet sniffer using Python and the Scapy library to capture and inspect live network traffic at the transport and network layers. The goal was to understand, from first principles, how data flows through a system when it connects to the internet. By parsing IP, TCP, UDP, and ICMP packets in real-time, the tool reveals exactly who your machine is talking to, over which ports and protocols, and at what stage of communication—handshake, data transfer, or teardown. It’s a raw, low-level window into the internet’s pulse, built entirely from scratch for educational exploration.
Atul Verma
May 17, 2025
Every time you open a webpage, send a message, or refresh your feed - your device silently whispers and listens across a vast, invisible web of connections.
But what actually happens under the hood when you "go online"? What is the internet doing on your behalf - and why?
This week, I wanted to go to the very beginning of how the internet works.
I wanted to see the internet speak.
Welcome to Week 14 of Project 52.
This week, I built a bare-bones, terminal-based packet sniffer. Using Python and Scapy, this tool captures every packet moving in and out of my machine.
It captures every inbound and outbound packet on my machine - and tells me exactly:
Who my machine is talking to
Over which protocol
On what port
And what kind of message is being exchanged
This project isn’t about building a tool. It’s about understanding the invisible.
When you load a webpage or check your email, dozens of silent connections fire off under the hood. This tool lets you see them in real time — like watching your device breathe.
What is a Packet?
A packet is the basic unit of data that travels across a computer network.
When you send data over the internet — whether it’s a message, a video, or a web page request — it doesn’t travel all at once.
Instead, it is broken down into small chunks called packets, which are sent individually across the network and then reassembled on the other end.
Each packet contains two main parts:
Header – the control information:
Source IP (who sent it)
Destination IP (where it’s going)
Protocol (TCP, UDP, etc.)
Port numbers (like extension numbers at a big office)
Flags, sequence numbers, etc.
Payload – the actual content (a slice of the data being sent):
Part of your message, file, video, etc.
Think of sending a letter:
You don’t ship an entire book in one envelope.
You tear it into chapters (or pages), number them, and send each in a separate envelope.
The receiver reassembles the full book using the numbered envelopes.
That’s what packets do.
They're fast, efficient, and flexible — they allow data to take multiple paths through the internet and still arrive safely, even if the route changes or some packets are delayed.
Why This Matters (Real Understanding of the Internet)
This project reveals:
Layer | What You’ll See |
|---|---|
Link Layer | MAC address |
Network Layer | Source/Destination IP |
Transport Layer | TCP/UDP headers |
Application Layer | (Optional) HTTP, DNS, etc. |
You’re seeing the internet as the OS sees it — before the browser touches it.
What You’re Seeing:
Each line like:
[TCP] My IP:59303 → 185.70.42.37:443 | Flags: PA means:
Field | Meaning |
|---|---|
| Your local machine (private IP) |
| External server (e.g. Facebook, Google, etc.) |
| Random ephemeral port used by your machine |
| HTTPS (SSL/TLS) |
| PSH + ACK (data being transferred) |
What’s the Actual Utility of This Tool?
This packet sniffer is like having X-ray vision into your internet. It's not meant for end-users - it's for debuggers, security analysts, and builders like you.
Here’s what it lets you see that most people can’t:
1. Who your computer is talking to
Every time you open a browser, load an app, or use a tool — your system starts talking to:
142.250.65.196:443→ Google104.16.103.112:443→ Cloudflare31.13.66.4:443→ Facebook
You now see every connection in real time, and can map who your system is connected to.
2. What kind of data is moving
TCP Flags like:
S→ SYN (start of handshake)SA→ SYN-ACK (response)PA→ Push + ACK (data transfer)FA→ FIN + ACK (connection close)
This lets you watch handshakes form and break. If something is constantly sending SYN packets and getting no response, maybe it's a dead server or blocked request.
3. If malware or spyware is running
Let’s say some app is silently talking to 185.70.42.37:6666 every 5 minutes.
That’s:
Unusual IP
Weird port
And maybe your system shouldn’t be doing that
Sniffers like this are used to:
Detect suspicious traffic
Identify outgoing data leaks
Audit what software is doing behind the scenes
4. Debug API calls without browser DevTools
For apps or IoT devices that don’t use browsers, this lets you:
See API endpoints hit
Check if connections succeed
Watch request-response patterns
5. Understand the Internet Protocol Stack
Most people don’t know what’s behind:
curl https://example.com You now do.
SYN → SYN-ACK → ACK → TLS → HTTP → FIN
This is the TCP 3-way handshake + termination
It's how the internet works under the hood
You're watching the heartbeat of the web.
Detailed Breakdown
[TCP] My IP:59342 → 17.248.195.65:443 | Flags: PA
[TCP] My IP:59342 → 17.248.195.65:443 | Flags: FA
[TCP] 17.248.195.65:443 → My IP:59342 | Flags: FA
[TCP] My IP:59342 → 17.248.195.65:443 | Flags: FA
[TCP] 17.248.195.65:443 → My IP:59342 | Flags: A
[TCP] My IP:58717 → 142.251.111.188:5228 | Flags: A
[TCP] 142.251.111.188:5228 → My IP:58717 | Flags: A
[TCP] My IP:58652 → 104.16.102.112:443 | Flags: PA
[TCP] 104.16.102.112:443 → My IP:58652 | Flags: PA
[TCP] My IP:58652 → 104.16.102.112:443 | Flags: A
[~] Captured 10 packets...let’s walk through each line like a narrator watching your Mac talk to a server:
🔎 Log 1:
[TCP] My IP:59342 → 17.248.195.65:443 | Flags: PAYour computer sent data to 17.248.195.65 (probably an Apple server) using port 443 (HTTPS).
The P flag means Push, which carries actual data (like an API call, or web request).
The A flag means it's also acknowledging previous data from the server.
🟢 Stage: Active conversation (data in flight)
🔎 Log 2:
[TCP] My IP:59342 → 17.248.195.65:443 | Flags: FAYour computer says: "I'm done sending data."
F = FIN, or “Finish” — it's closing the connection.
It’s like saying “I’ve said everything I needed to say.”
🔚 Stage: Initiating connection shutdown
🔎 Log 3:
[TCP] 17.248.195.65:443 → My IP:59342 | Flags: FAThe server replies with its own FIN flag: “I’m done too.”
🤝 Stage: Mutual agreement to end conversation
🔎 Log 4:
[TCP] My IP:59342 → 17.248.195.65:443 | Flags: FAThis is likely a duplicate FIN, sent again just in case the previous one was lost (TCP is cautious).
🔎 Log 5:
[TCP] 17.248.195.65:443 → My IP:59342 | Flags: AThe server confirms: "Got your FIN."
This is the final ACK — like saying “Bye, confirmed.”
🔒 Stage: Connection now fully closed
🔎 Log 6:
[TCP] My IP:58717 → 142.251.111.188:5228 | Flags: AYour machine sends an acknowledgment only to a Google server.
Likely a keep-alive or background connection (5228 = Google Play Services).
🔎 Log 7:
[TCP] 142.251.111.188:5228 → My IP:58717 | Flags: AGoogle responds: “Yep, got it.”
🔁 Stage: Silent, ongoing background TCP session
🔎 Log 8:
[TCP] My IP:58652 → 104.16.102.112:443 | Flags: PAYou initiate a new request to a Cloudflare-protected server.
🔎 Log 9:
[TCP] 104.16.102.112:443 → My IP:58652 | Flags: PACloudflare responds with its own data.
🔎 Log 10:
[TCP] My IP:58652 → 104.16.102.112:443 | Flags: AYour Mac acknowledges the response. No new data, just a "got it."
What You Just Witnessed
You saw:
A full connection lifecycle:
Data sent (
PA)Connection ended (
FA)Final handshake (
A)
A background connection staying alive (Google Play services or iCloud sync)
A new secure connection to a Cloudflare server (maybe loading a webpage or app)
What Can You Actually Do With This?
See every IP and hostname your machine talks to, in real-time.
2. Understand TCP handshakes
Identify:
SYN: start of connectionPA: actual data flowFIN: closing the connection
3. Spot suspicious behavior
Unexpected IPs or weird ports? Might be spyware or background pings you didn’t authorize.
4. Debug APIs without a browser
IoT? CLI apps? Backend tools? Sniff their requests directly.
5. Learn the internet, for real
Reading TCP flags is like reading the internet’s body language.
Why I Built This
Most people use the internet like magic. You type a URL, press Enter, and boom - a webpage loads. You open an app, and somehow it knows everything. It feels instant, invisible, and seamless.
But I didn’t want magic.
I wanted understanding.
This week, I decided to peel back the layers. To see what really happens when a device "goes online." I wanted to witness the raw, low-level conversation between my machine and the outside world - the digital equivalent of eavesdropping on the internet itself.
Not through Chrome DevTools.
Not through browser extensions.
But from the operating system’s perspective.
So I built a tool from scratch:
A terminal-based packet sniffer using Python and Scapy that captures every network packet flowing through my Mac.
It doesn’t just show activity - it narrates the silent dance of data:
Who my machine is talking to
Over what protocol
On which port
With what kind of message
This wasn’t about building a fancy tool.
This was about seeing the internet breathe.
And in the process, understanding, not just how it works, but why it works that way.
—
Atul Verma
Creator, Project52🚀
www.atulformarketing.com