
When doing it manually in Wireshark, I right-click a packet -> Follow -> TCP Stream, and a new window opens with the relevant information. Is there a way to do exactly the same thing and get this information using the pyshark module and Python 2.7? NOTE: I'm testing requests by sending non-valid HTTP methods, so looking for the HTTP layer won't work here.

Elias Shourosh

2 Answers


Yes, you can follow a TCP stream with python and pyshark. Below is a basic proof of concept.

"""
Follow a TCP stream with pyshark.

"""
import pyshark

# Change FILENAME to your pcap file's name.
FILENAME = "myfile.pcap"
# Change STREAM_NUMBER to the stream number you want to follow.
STREAM_NUMBER = 0

# open the pcap file, filtered for a single TCP stream 
cap = pyshark.FileCapture(
    FILENAME,
    display_filter='tcp.stream eq %d' % STREAM_NUMBER)

while True:
    try:
        p = cap.next()
    except StopIteration:  # Reached end of capture file.
        break
    try:
        # print data from the selected stream
        print(p.data.data.binary_value)
    except AttributeError:  # Skip the ACKs.
        pass

I verified the above code works for python 2.7.13 and python 3.6.6.

Note: Since newer versions of pyshark only support python 3.5+, if you must use python 2.7, you're stuck with the pyshark-legacy pip package.

amath
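The snippet above prints each data-bearing packet as it appears in the file. Wireshark's Follow TCP Stream window goes one step further: it splits the bytes by direction and orders them by sequence number, so retransmissions and out-of-order segments do not garble the view. The following is an added example (not part of either answer) that does that ordering in plain Python so it can be exercised on constructed segments; read_segments is the pyshark front end and assumes tshark exposes the tcp.payload field and that pyshark's binary_value property decodes it.

```python
from collections import namedtuple

# One TCP segment: source address/port, (relative) sequence number, payload bytes.
Segment = namedtuple("Segment", "src sport seq payload")

def reassemble(segments):
    """Return {(src, sport): bytes}: each direction's payload in sequence order.
    Retransmitted segments are dropped and overlapping bytes trimmed; a gap left by a
    segment missing from the capture is simply absent (no padding is inserted)."""
    by_dir = {}
    for s in segments:
        if s.payload:                        # ACK-only segments carry no data
            by_dir.setdefault((s.src, s.sport), []).append(s)
    out = {}
    for key, segs in by_dir.items():
        segs.sort(key=lambda s: s.seq)       # undo out-of-order arrival
        data, next_seq = b"", segs[0].seq
        for s in segs:
            end = s.seq + len(s.payload)
            if end <= next_seq:              # pure retransmission: already have it
                continue
            data += s.payload[max(0, next_seq - s.seq):]   # trim partial overlap
            next_seq = end
        out[key] = data
    return out

def read_segments(filename, stream_number):
    """pyshark front end (needs tshark installed): collect the IPv4 segments of one
    tcp.stream. tcp.seq is relative by default, which is all the ordering needs.
    Assumption: tshark exposes tcp.payload and pyshark decodes it via binary_value."""
    import pyshark
    cap = pyshark.FileCapture(filename, display_filter="tcp.stream eq %d" % stream_number)
    segs = []
    for p in cap:
        payload = p.tcp.payload.binary_value if hasattr(p.tcp, "payload") else b""
        segs.append(Segment(p.ip.src, int(p.tcp.srcport), int(p.tcp.seq), payload))
    cap.close()
    return segs

def demo():
    """Constructed sample: a client sending a non-HTTP method, captured out of order,
    with one retransmission, one partially overlapping segment and a bare ACK."""
    c, s = ("10.0.0.1", 40000), ("10.0.0.2", 80)
    segs = [
        Segment(s[0], s[1], 1, b"HTTP/1.1 400 Bad Request\r\n\r\n"),
        Segment(c[0], c[1], 17, b"Host: x\r\n\r\n"),        # arrives before seq 1
        Segment(c[0], c[1], 1, b"FOO / HTTP/1.1\r\n"),
        Segment(c[0], c[1], 1, b"FOO / HTTP/1.1\r\n"),      # retransmission
        Segment(c[0], c[1], 14, b"1\r\nHost"),              # overlaps bytes 14-20
        Segment(c[0], c[1], 28, b""),                       # ACK only
    ]
    return reassemble(segs)

if __name__ == "__main__":
    for (src, sport), data in sorted(demo().items()):
        print("%s:%d -> %r" % (src, sport, data))
```

To follow a real capture, replace demo() with reassemble(read_segments("myfile.pcap", 0)); the constructed sample reproduces the out-of-order and duplicate cases that make per-packet printing misleading.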

I don't know about pyshark.

But maybe https://jon.oberheide.org/pynids/ would work since it also uses Python:

pynids is a python wrapper for libnids, a Network Intrusion Detection System library offering sniffing, IP defragmentation, TCP stream reassembly and TCP port scan detection. Let your own python routines examine network conversations.

I don't have personal experience using pynids, but I have had a lot of success using its underlying library, nids, which you can get at http://libnids.sourceforge.net/

Despite the name, Network Intrusion Detection System, it can be used for a lot more than just detecting network intrusions. It is essentially a library that helps you reassemble TCP streams like Wireshark's Follow TCP Stream.

Although nids is great, it does require the beginning of the TCP stream to be in your capture file. If you lose the beginning and can't capture it, tshark might help:

tshark is a command line utility which comes with Wireshark. For example:

tshark -r t.pcap -q -z follow,tcp,ascii,18

It outputs the same thing to stdout that you see in Wireshark's GUI's Follow TCP Stream window.

The 18 in the above command is a stream index. To determine what number to use there you can just make your python script iterate from 0 on up and print out each stream until it finds the right one.

Another way to find a stream index is to first click on a packet in Wireshark that is in the stream of interest. Then expand the Transmission Control Protocol section to reveal the Stream index, as shown in this image: [image: How to find a stream index]

Jacob Burckhardt