
I found a nice Python module, pyshark, that as far as I got can be used the same way as tshark with BPF filtering. I am actually looking for a live capture option with BPF filtering and display filtering, to do something else with that data and store it to a DB for later analysis. According to the documentation pyshark can do live capturing, but I do not know how to display and send to a file or DB the data for each packet received. I am running an IPv6 lab network. This is a sample Python script:

import pyshark
# Live capture on eth1; the BPF (capture-level) filter keeps only TCP port 80 traffic
capture = pyshark.LiveCapture(interface='eth1', bpf_filter="tcp and port 80")
capture.sniff(timeout=20)  # capture for 20 seconds, then return

After the timeout I can print the time and epoch time, but only per packet. Other parts of the packet I am not able to see.

print(capture[1].sniff_time)       # capture time as a datetime
print(capture[1].sniff_timestamp)  # capture time as an epoch timestamp string

I would appreciate any help and direction on how to have live capture and data per packet for sending to a DB.

Dhia
user1627588

2 Answers


Hope this helps: capturing packets with a timeout of 1 sec and retrieving them.

import pyshark
# Windows interface name (NPF GUID); packets are also written to a pcap file while capturing
capture = pyshark.LiveCapture(interface=r'\Device\NPF_{D41D8EE1-2739-4FA1-8873-024D3F68E9E1}',
                              output_file=r'C:\Temp\samp1.pcap')
capture.sniff(timeout=1)                  # capture for 1 second
pkts = [pkt for pkt in capture._packets]  # the captured packets, read from the private _packets list
print(len(capture))                       # number of packets captured
capture.close()

But with capture.close() there seems to be some asyncio exception, which doesn't affect our code anyway. Output is as below:

94
taking long time to close proactor
Task exception was never retrieved
future: <Task finished coro=<_close_async() done, defined at C:\Python34\lib\site-packages\pyshark\capture\capture.py:409> exception=RuntimeError('Set changed size during iteration',)>
Traceback (most recent call last):
  File "C:\Python34\lib\site-packages\trollius\tasks.py", line 255, in _step
    result = next(coro)
  File "C:\Python34\lib\site-packages\pyshark\capture\capture.py", line 411, in _close_async
    for process in self.running_processes:
RuntimeError: Set changed size during iteration
Task was destroyed but it is pending!
task: <Task pending coro=<packets_from_tshark() running at C:\Python34\lib\site-packages\pyshark\capture\capture.py:261> wait_for=<Task finished coro=<_close_async() done, defined at C:\Python34\lib\site-packages\pyshark\capture\capture.py:409> exception=RuntimeError('Set changed size during iteration',)>>
Process finished with exit code 0
Alex
arunkumarreddy

You can't access raw packet data, but you can access packet fields by accessing the relevant layer, such as packet.udp.src_port. You can see all fields easily by printing the packet.

KimiNewt
  • You're the package author, so I assume you probably know this answer is out of date. I'm just pointing out that sometime between when you wrote it and now, you can access packets from a `LiveCapture()` object with the `_packets` attribute as [arunkumarreddy mentioned in this answer](https://stackoverflow.com/a/46783743/667301) – Mike Pennington Jul 30 '18 at 17:41
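An added example (my own code, not from the question or either answer) that combines both answers for the asker's use case: per-packet field access through the layers on a LiveCapture with both a BPF and a display filter, with each packet written to SQLite as it arrives instead of being read back from _packets after a timeout. The layer and field names (ipv6.src, tcp.srcport, frame length) are tshark's as pyshark exposes them; the SQLite schema, the interface name and the constructed stand-in packet are assumptions of mine.

```python
import sqlite3
from datetime import datetime
from types import SimpleNamespace

def _field(pkt, layer, name):  # pkt.<layer>.<name>, or None if that layer/field is absent
    return getattr(getattr(pkt, layer, None), name, None)

def packet_row(pkt):
    """Flatten one pyshark packet into a dict; handles IPv4 or IPv6 and TCP or UDP."""
    sport = _field(pkt, "tcp", "srcport") or _field(pkt, "udp", "srcport")
    dport = _field(pkt, "tcp", "dstport") or _field(pkt, "udp", "dstport")
    return {
        "sniff_time": pkt.sniff_time.isoformat(),  # datetime pyshark derives from the frame
        "highest_layer": pkt.highest_layer,        # e.g. "HTTP", "DNS"
        "src": _field(pkt, "ipv6", "src") or _field(pkt, "ip", "src"),
        "dst": _field(pkt, "ipv6", "dst") or _field(pkt, "ip", "dst"),
        "sport": int(sport) if sport is not None else None,
        "dport": int(dport) if dport is not None else None,
        "length": int(pkt.length),                 # frame length in bytes
    }

def open_db(path=":memory:"):  # the schema is my own choice, not anything pyshark defines
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS packets (sniff_time TEXT, highest_layer TEXT, "
                 "src TEXT, dst TEXT, sport INTEGER, dport INTEGER, length INTEGER)")
    return conn

def store_packet(conn, pkt):  # insert one packet as a row and return the row dict
    row = packet_row(pkt)
    conn.execute("INSERT INTO packets VALUES (:sniff_time, :highest_layer, :src, :dst, "
                 ":sport, :dport, :length)", row)
    conn.commit()
    return row

def live_to_db(interface, db_path, packet_count=100, bpf_filter="tcp and port 80", display_filter=None):
    """Sniff packet_count packets on interface and store each one as it arrives (needs tshark)."""
    import pyshark  # imported here so packet_row/store_packet stay usable without tshark installed
    conn = open_db(db_path)
    cap = pyshark.LiveCapture(interface=interface, bpf_filter=bpf_filter, display_filter=display_filter)
    for pkt in cap.sniff_continuously(packet_count=packet_count):  # yields packets as they arrive
        store_packet(conn, pkt)
    cap.close()
    return conn

def sample_packet():
    """Constructed stand-in for a pyshark IPv6/TCP packet, so the storage path runs offline."""
    return SimpleNamespace(sniff_time=datetime(2018, 7, 30, 17, 41), highest_layer="HTTP",
                           length="74", ipv6=SimpleNamespace(src="2001:db8::1", dst="2001:db8::2"),
                           tcp=SimpleNamespace(srcport="40000", dstport="80"))
```

live_to_db('eth1', 'packets.db', display_filter='http') runs a real capture once tshark is installed; store_packet(open_db(), sample_packet()) exercises the same extraction and insert path without a capture.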