Intro to PyShark for Programmatic Packet Analysis
2016-06-23 18:34
https://thepacketgeek.com/intro-to-pyshark-for-programmatic-packet-analysis/
I can hardly believe it took me this long to find PyShark, but I am very glad I did! PyShark is a wrapper for the Wireshark CLI interface, tshark, so all of the Wireshark decoders are available to PyShark! It’s so amazing that I started a new project just so I could use this amazing new tool: Cloud-Pcap.

You can use PyShark to sniff from an interface or open a saved capture file, as the docs show on the overview page here:

import pyshark

# Open saved trace file
cap = pyshark.FileCapture('/tmp/mycapture.cap')

# Sniff from interface
capture = pyshark.LiveCapture(interface='eth0')
capture.sniff(timeout=10)
<LiveCapture (5 packets)>

Once a capture object is created, either from a LiveCapture or FileCapture method, several methods and attributes are available at both the capture and packet level. The power of PyShark is the access to all of the packet decoders built into tshark. I’m going to just give a sneak peek of some of the things you can do in this post, and there will be a few accompanying posts that follow to go more in depth.

1. Getting packet summaries (similar to tshark capture output):

>>> for pkt in cap:
...     print(pkt)
...
2 0.512323 0.512323 fe80::f141:48a9:9a2c:73e5 ff02::c SSDP 208 M-SEARCH * HTTP/
3 1.331469 0.819146 fe80::159a:5c9f:529c:f1eb ff02::c SSDP 208 M-SEARCH * HTTP/
4 2.093188 0.761719 192.168.1.1 239.255.255.250 SSDP 395 NOTIFY * HTTP/1. 0x0000 (0)
5 2.096287 0.003099 192.168.1.1 239.255.255.250 SSDP 332 NOTIFY * HTTP/1. 0x0000 (0)

This will give access to attributes like packet number, relative and delta times, IP addresses, protocol, and a brief info line.

2. Drilling down into packet attributes by layer:

>>> pkt.   # (tab auto-complete)
pkt.captured_length   pkt.highest_layer       pkt.ip       pkt.pretty_print      pkt.transport_layer
pkt.eth               pkt.http                pkt.layers   pkt.sniff_time        pkt.udp
pkt.frame_info        pkt.interface_captured  pkt.length   pkt.sniff_timestamp
>>>
>>> pkt_app = pkt[pkt.highest_layer]
>>> pkt_app.   # (tab auto-complete)
                      pkt_app.get_field_value   pkt_app.raw_mode         pkt_app.request_version
pkt_app.DATA_LAYER    pkt_app.get_raw_value     pkt_app.request
pkt_app.chat          pkt_app.layer_name        pkt_app.request_method
pkt_app.get_field     pkt_app.pretty_print      pkt_app.request_uri

3. Iterating through the packets and applying a function to each:

>>> cap = pyshark.FileCapture('test.pcap', keep_packets=False)
>>> def print_highest_layer(pkt):
...     print(pkt.highest_layer)
...
>>> cap.apply_on_packets(print_highest_layer)
HTTP
HTTP
HTTP
HTTP
HTTP
... (truncated)

…and this is just the sneak peek! Who knew that getting the power of tshark & Wireshark in your Python scripts and applications would be this easy! The only caveat that I’ve found so far is the performance. I’ve thrown a lot of packets at PyShark and it can really slow down once you start running through captures of a couple thousand packets. Some things have been done to preserve memory that will be covered in the following posts.

I certainly hope you’re as excited as I am at this point. There’s plenty more to come, so check back soon!
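PyShark hands every packet to tshark for decoding, so the snippets above need Wireshark installed before they run. To make the three operations concrete (a tshark-style summary line, per-layer attribute access, and apply-on-packets over a capture that is not held in memory), here is an added, self-contained Python example. It is not code from the original post or from the PyShark project: it builds a two-packet classic pcap as a byte string inline (constructed, not a real trace), parses Ethernet/IPv4/UDP/TCP with the standard library only, and exposes the same shape of API. The port-to-protocol table, the field names and the `Packet` class are assumptions for illustration; tshark uses full protocol dissectors rather than a port lookup.

```python
"""Added example (not PyShark or tshark): a standard-library stand-in for the three PyShark
operations above, run over a constructed in-memory pcap so it works offline."""
import struct
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterator, List

_APP_BY_PORT = {1900: "ssdp", 80: "http", 53: "dns"}  # assumed toy heuristic, not a dissector

# ---- constructed sample capture (not a real trace) --------------------------
def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Version 4, IHL 5, TTL 64; header checksum left 0 (the parser below does not verify it)
    a = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       a(src), a(dst)) + payload

def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # seq/ack 0, data offset 5 words (20 bytes), flags PSH|ACK, window 1024, csum/urg 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 1024, 0, 0) + payload

def _record(ts_sec: int, ts_usec: int, eth_dst: bytes, eth_src: bytes, ip: bytes) -> bytes:
    frame = eth_dst + eth_src + b"\x08\x00" + ip          # Ethernet II header, EtherType IPv4
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

_MAC_A, _MAC_B, _MCAST = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "01005e7ffffa"))
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LE magic, v2.4, LINKTYPE_ETHERNET
    + _record(1466700000, 0, _MCAST, _MAC_A, _ipv4(
        "192.168.1.1", "239.255.255.250", 17, _udp(1900, 1900, b"NOTIFY * HTTP/1.1\r\n")))
    + _record(1466700000, 512323, _MAC_B, _MAC_A, _ipv4(
        "192.168.1.10", "192.0.2.80", 6, _tcp(51234, 80, b"GET / HTTP/1.1\r\n")))
)

# ---- parsing ----------------------------------------------------------------
@dataclass
class Packet:
    number: int
    time_relative: float               # seconds since the first packet
    time_delta: float                  # seconds since the previous packet
    length: int
    layers: Dict[str, Dict[str, Any]]  # insertion order == layer order, like pkt.layers

    @property
    def highest_layer(self) -> str:
        return list(self.layers)[-1].upper()

    def __getitem__(self, name: str) -> Dict[str, Any]:  # mirrors pkt[pkt.highest_layer]
        return self.layers[name.lower()]

    def summary(self) -> str:
        """tshark-style line: no. rel delta src dst proto len info."""
        ip = self.layers.get("ip", {})
        return (f"{self.number} {self.time_relative:.6f} {self.time_delta:.6f} "
                f"{ip.get('src', '')} {ip.get('dst', '')} {self.highest_layer} {self.length} "
                f"{self[self.highest_layer].get('info', '')}")

def parse_frame(frame: bytes) -> Dict[str, Dict[str, Any]]:
    """Decode Ethernet -> IPv4 -> UDP/TCP -> toy app layer, stopping at whatever it cannot parse."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"src": src.hex(":"), "dst": dst.hex(":"), "type": hex(ethertype)}}
    if ethertype != 0x0800 or len(frame) < 34:
        return layers
    ip = frame[14:]
    layers["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                    "ttl": ip[8], "proto": ip[9]}
    l4 = ip[(ip[0] & 0x0F) * 4:]                          # skip IHL*4 header bytes
    if ip[9] == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        layers["udp"], payload = {"srcport": sport, "dstport": dport}, l4[8:]
    elif ip[9] == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        layers["tcp"] = {"srcport": sport, "dstport": dport, "flags": hex(l4[13])}
        payload = l4[(l4[12] >> 4) * 4:]                  # skip data-offset*4 header bytes
    else:
        return layers
    app = _APP_BY_PORT.get(dport) or _APP_BY_PORT.get(sport)
    if app and payload:
        layers[app] = {"info": payload.split(b"\r\n", 1)[0].decode("ascii", "replace")}
    return layers

def iter_packets(pcap: bytes) -> Iterator[Packet]:
    """Stream packets one at a time instead of holding them all (cf. keep_packets=False).
    Classic microsecond pcap only, either byte order; nanosecond pcap and pcapng are rejected."""
    rec = {0xA1B2C3D4: "<IIII", 0xD4C3B2A1: ">IIII"}.get(struct.unpack("<I", pcap[:4])[0])
    if rec is None:
        raise ValueError("not a classic pcap file")
    diff = lambda a, b: round((a[0] - b[0]) + (a[1] - b[1]) / 1e6, 6)
    offset, first, prev, number = 24, None, None, 0
    while offset + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(rec, pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated pcap record")
        offset, number, ts = offset + 16 + incl_len, number + 1, (ts_sec, ts_usec)
        first, prev = first or ts, prev or ts
        yield Packet(number, diff(ts, first), diff(ts, prev), incl_len, parse_frame(frame))
        prev = ts

def apply_on_packets(pcap: bytes, func: Callable[[Packet], Any]) -> List[Any]:
    """Run func on each packet as it streams by, keeping only func's results."""
    return [func(p) for p in iter_packets(pcap)]
```

Run it with `for pkt in iter_packets(SAMPLE_PCAP): print(pkt.summary())` to get two summary lines in the same column order as the tshark output above; `apply_on_packets(SAMPLE_PCAP, lambda p: p.highest_layer)` plays the role of `cap.apply_on_packets(print_highest_layer)`. The generator is the point of the memory caveat: each `Packet` is dropped after the callback runs, so a capture of a few thousand packets costs the same memory as one. The parser deliberately stops at the deepest layer it understands (a non-IPv4 frame yields only `eth`), and a record whose frame is shorter than its declared length raises rather than being silently misread.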