In Wireshark I can use the feature "export object => DICOM" to extract from network packets the DICOM file sent.

I would like to do the same thing with Python or with Wireshark API, is it possible?

Amit Joshi
Furin
  • How are you sending the file? Are you using a DICOM protocol, or just sending the file some other way? – MrBean Bremen Mar 30 '20 at 14:55
  • Hi! Short answer: yes I'm using the DICOM protocol. I'm sending the file over two laptops connected with an ethernet cable, on each laptop I have installed the DVTK tool to emulate SCU and SCP. The sniffing happens over a port mirroring the data exchanged between the two laptops. – Furin Mar 30 '20 at 14:58
  • Not sure about network sniffing, but the normal handling would be to set up a storeSCP app, for example using dcmtk, or, if you want it in Python, [pynetdicom](https://github.com/pydicom/pynetdicom). Though I understand you have already set up a store SCP - so what is your goal here? – MrBean Bremen Mar 30 '20 at 15:13
  • Hi! The final goal is to be able to analyze DICOM file (headers and images) "on the fly", i.e. from sniffed packets. The idea is to make an alert if the wrong file is sent. – Furin Mar 30 '20 at 17:04
  • Is there a reason why you have to do this at this level, instead of in the storescu handler? (I have no experience with network sniffing, so I may just not understand) – MrBean Bremen Mar 30 '20 at 17:07
  • Do you have Wireshark on your system and do you mind using its command line equivalent as part of this solution? To my knowledge, scapy does not have this capability. – Ross Jacobs Mar 30 '20 at 17:57
  • Hi! Yes, I have Wireshark and I saw that with command line (tshark) it is possible to extract object. But I was wondering how to interpret and better understand the packet payload, and how does the object extraction really work. But yes, if I don't find any other library or pure python solution I guess I have to use the command line. – Furin Mar 31 '20 at 07:04

1 Answer

If we're using Python and tshark, this is mostly a call to subprocess as tshark already has this capability:

```python
import os
import subprocess as sp

# Source file
pcap_file = "C:\\...\\DICOM.pcap"
dest_dir = "exported"
# Create the output directory; do not fail if it already exists
os.makedirs(dest_dir, exist_ok=True)
# Read the file and use --export-objects. Next arg must be `protocol,dir`.
sp.run(["tshark", "-Q", "-r", pcap_file, "--export-objects", "DICOM," + dest_dir])
```

Then if you `ls exported`, you'll see the exported file(s). I have tested and verified that this Wireshark bug file has a DICOM file that you can export with these commands.

If you want to better understand the extraction process, Wireshark is open source and you can look at its DICOM code.

Ross Jacobs
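On the question of how the payload is structured and how object extraction works, here is an added example (not part of the original answer and not Wireshark's code): a minimal reassembler for DICOM upper-layer PDUs as laid out in DICOM PS3.8, run over one direction of an already reassembled TCP stream. `SAMPLE` is a constructed byte string rather than a real capture, and the function names are this example's own.

```python
import struct

P_DATA_TF = 0x04  # PDU type that carries presentation data values (PDVs)

def iter_pdus(stream: bytes):
    """Yield (pdu_type, payload). Header: type, reserved, 4-byte big-endian length."""
    pos = 0
    while pos + 6 <= len(stream):
        pdu_type, _, length = struct.unpack_from(">BBI", stream, pos)
        end = pos + 6 + length
        if end > len(stream):
            raise ValueError(f"PDU at offset {pos} is truncated")
        yield pdu_type, stream[pos + 6:end]
        pos = end
    if pos != len(stream):
        raise ValueError("trailing bytes shorter than a PDU header")

def iter_pdvs(payload: bytes):
    """Yield (context_id, is_command, is_last, fragment) for each PDV item.
    Item: 4-byte length, presentation context ID, message control header, data."""
    pos = 0
    while pos < len(payload):
        if pos + 6 > len(payload):
            raise ValueError("PDV item header is truncated")
        length, ctx_id, control = struct.unpack_from(">IBB", payload, pos)
        end = pos + 4 + length  # length covers context ID + control byte + data
        if length < 2 or end > len(payload):
            raise ValueError("PDV item length is inconsistent with its PDU")
        yield ctx_id, bool(control & 0x01), bool(control & 0x02), payload[pos + 6:end]
        pos = end

def extract_datasets(stream: bytes) -> list:
    """Return the reassembled data set (bytes) of each DIMSE message in the stream."""
    pending, done = {}, []
    for pdu_type, payload in iter_pdus(stream):
        if pdu_type != P_DATA_TF:
            continue  # association negotiation, release, abort
        for ctx_id, is_command, is_last, fragment in iter_pdvs(payload):
            if is_command:
                continue  # DIMSE command set (e.g. C-STORE-RQ), not the object
            pending.setdefault(ctx_id, bytearray()).extend(fragment)
            if is_last:
                done.append(bytes(pending.pop(ctx_id)))
    return done

# Constructed sample: command PDV, data set split over two PDUs, A-RELEASE-RQ
SAMPLE = (b"\x04\x00\x00\x00\x00\x09\x00\x00\x00\x05\x01\x03CMD"
          b"\x04\x00\x00\x00\x00\x0c\x00\x00\x00\x08\x01\x00DICOM-"
          b"\x04\x00\x00\x00\x00\x0d\x00\x00\x00\x09\x01\x02DATASET"
          b"\x05\x00\x00\x00\x00\x04\x00\x00\x00\x00")
```

The returned bytes are the data set as sent on the wire, without the Part 10 preamble and File Meta Information that a `.dcm` file carries. The transfer syntax needed to decode them is negotiated in the A-ASSOCIATE PDUs, which this example skips.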