FileCapture and LiveCapture in pyshark

As we saw previously, you can use the FileCapture class to open a previously saved trace file. You can also use pyshark to sniff from an interface in real time with the LiveCapture class, like so:

import pyshark
# Sniff from an interface in real time. Capturing on eth0 needs the same
# privileges as tshark itself (root, or CAP_NET_RAW/CAP_NET_ADMIN)
capture = pyshark.LiveCapture(interface='eth0')
capture.sniff(timeout=10)  # returns None; the packets are stored on the object
print(capture)             # e.g. <LiveCapture (5 packets)>

Once a capture object is created, whether it is a LiveCapture or a FileCapture, several methods and attributes are available at both the capture and the packet level. The power of pyshark is that it has access to all of the protocol dissectors that are built into TShark.

Now, let's see what methods the returned capture object provides.

To check this, we can call the built-in dir() function on the capture object:

The display_filter, encryption, and input_filename attributes record the parameters that were passed into FileCapture or LiveCapture (input_filename is only meaningful for a FileCapture).

Both classes accept similar parameters that control which packets end up in the capture object. Once we have a capture object, the most useful method is apply_on_packets(): it is the main way to iterate through the packets, calling a function you pass in on each packet:

>>> cap = pyshark.FileCapture('http.cap', keep_packets=False)
>>> def print_info_layer(packet):
...     # Frames without an IP layer (for example ARP) have no packet.ip, so skip them
...     if 'ip' not in packet:
...         return
...     print("[Protocol:] " + packet.highest_layer + " [Source IP:] " + packet.ip.src + " [Destination IP:] " + packet.ip.dst)
...
>>> cap.apply_on_packets(print_info_layer)

In the following screenshot, we can see the information that's returned when we are obtaining information for each packet pertaining to Protocol, Source IP, and Destination IP:

We can also use the apply_on_packets() method to add the packets to a list for counting or other processing. Here's a script that appends all of the packets to a list and prints the count. For this, create a file called count_packets.py:

import pyshark
packets_array = []

def counter(packet):
    # apply_on_packets() calls this once for every packet
    packets_array.append(packet)

def count_packets():
    # keep_packets=False stops pyshark from retaining every packet on the capture
    # object; we hold our own references in packets_array instead
    cap = pyshark.FileCapture('http.cap', keep_packets=False)
    cap.apply_on_packets(counter, timeout=10000)
    return len(packets_array)

print("Packets number: " + str(count_packets()))

for packet in packets_array:
    print(packet)
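The two previous snippets only print or count packets. The same apply_on_packets() callback pattern is usually more useful when the callback accumulates something, such as which protocols appear and which hosts talk to each other. The following is an added example written for this section, not code from the original page or from the pyshark project. It assumes the http.cap file used above; the TrafficSummary class and summarise_capture() function are names introduced here. The tally logic is plain Python so it can be exercised offline with stand-in packet objects; pyshark is only imported when a real capture file is summarised.

```python
# Added example: an apply_on_packets() callback that builds a traffic summary.
# The TrafficSummary and summarise_capture names are introduced here and are
# not part of pyshark.
from collections import Counter


class TrafficSummary:
    """Accumulates per-protocol and per-conversation counts from pyshark packets."""

    def __init__(self):
        self.by_protocol = Counter()    # highest decoded layer -> packet count
        self.by_pair = Counter()        # (src, dst) -> packet count
        self.bytes_by_pair = Counter()  # (src, dst) -> bytes on the wire
        self.non_ip = 0                 # packets with neither an ip nor an ipv6 layer
        self.total = 0

    def add(self, packet):
        """Callback for Capture.apply_on_packets(); receives one packet per call."""
        self.total += 1
        self.by_protocol[packet.highest_layer] += 1
        # packet.ip raises AttributeError on a non-IP frame (e.g. ARP), so look the
        # layer up with a default instead of assuming IPv4 is always present.
        net = getattr(packet, 'ip', None)
        if net is None:
            net = getattr(packet, 'ipv6', None)
        if net is None:
            self.non_ip += 1
            return
        pair = (str(net.src), str(net.dst))
        self.by_pair[pair] += 1
        self.bytes_by_pair[pair] += int(packet.length)

    def top_talkers(self, n=5):
        """Busiest (src, dst) pairs by packet count, as (pair, count) tuples."""
        return self.by_pair.most_common(n)


def summarise_capture(path, display_filter=None, timeout=None):
    """Run TrafficSummary.add over every packet of a capture file."""
    import pyshark  # imported lazily: needs tshark installed to actually run
    summary = TrafficSummary()
    cap = pyshark.FileCapture(path, display_filter=display_filter,
                              keep_packets=False)
    try:
        cap.apply_on_packets(summary.add, timeout=timeout)
    finally:
        cap.close()
    return summary


if __name__ == '__main__':
    s = summarise_capture('http.cap')
    print("Packets: %d (non-IP: %d)" % (s.total, s.non_ip))
    for proto, count in s.by_protocol.most_common():
        print("%-8s %d" % (proto, count))
    for (src, dst), count in s.top_talkers():
        print("%s -> %s: %d packets, %d bytes"
              % (src, dst, count, s.bytes_by_pair[(src, dst)]))
```

Passing a display_filter such as 'http.request' to summarise_capture() lets TShark drop uninteresting frames before they reach the callback, which is far cheaper than filtering in Python.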

We can also pass only_summaries=True, in which case the capture object holds just the summary information of each packet rather than the full dissection:

>>> cap = pyshark.FileCapture('http.cap', only_summaries=True)
>>> print(cap[0])

This option makes capture file reading much faster, and with dir() we can check the attributes that are available on the summary object to obtain information about a specific packet.

In the following screenshot, we can see information about a specific packet and all of the attributes that hold non-empty information:

The information you can see in the form of attributes is as follows:

  • destination: The IP destination address
  • source: The IP source address
  • info: A summary of the application layer
  • length: Length of the packet in bytes
  • no: Index number of the packet
  • protocol: The highest layer protocol that's recognized in the packet
  • summary_line: All of the summary attributes in one string
  • time: Time elapsed between the first packet in the capture and the current packet, in seconds