I am getting different results in Tshark and Pyshark when I think the results should be the same.
When using Tshark, it is easy to specify the fields you want by passing "-e (field name)". Pyshark has an option to specify custom parameters and pass them to Tshark, but the debug output keeps saying that tshark is getting invalid fields. My current code looks like this:
import pyshark

filename = './pcaps/SSHv2.pcap'
# extra arguments pyshark should hand to the tshark subprocess
params = ['-e ip.src', '-e ip.dst']
pcap = pyshark.FileCapture(filename, display_filter="ssh", custom_parameters=params, debug=True)
This results in this debug output:
2020-06-05 14:18:02,288 - FileCapture - DEBUG - Creating TShark subprocess with parameters: /Applications/Wireshark.app/Contents/MacOS/tshark -l -n -T pdml -Y ssh -e ip.src -e ip.dst -r ./pcaps/SSHv2.pcap
2020-06-05 14:18:02,288 - FileCapture - DEBUG - Executable: /Applications/Wireshark.app/Contents/MacOS/tshark
2020-06-05 14:18:02,291 - FileCapture - DEBUG - TShark subprocess created
tshark: Some fields aren't valid:
ip.dst
ip.src
2020-06-05 14:18:03,213 - FileCapture - DEBUG - EOF reached (sync)
pyshark.capture.capture.TSharkCrashException: TShark seems to have crashed (retcode: 1). Try rerunning in debug mode [ capture_obj.set_debug() ] or try updating tshark.
When taking the exact command pyshark is using (as stated in its debug output) and running it on the command line in the same directory, tshark works and I am able to get the exact information out that I want. Am I on the right track? Is there a different way I should be getting custom fields? Does pyshark allow for -e to be used this way?
Current versions: Tshark: 3.2.4 Python: 3.7.3 Pyshark: 0.4.2.9
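The following is an added illustration of the argument-passing problem the question describes; it is not code from the original post or from the pyshark project. It assumes that pyshark hands every element of the custom_parameters list to the tshark subprocess as one separate argv entry, and that the "Creating TShark subprocess with parameters" debug line is produced by joining that list with spaces, so a list element '-e ip.src' and the two elements '-e', 'ip.src' print identically even though a getopt-style parser (emulated below) sees them differently. The capture path and field names are constructed sample inputs; tshark is only invoked if it is installed.

```python
import shlex
import shutil
import subprocess
from typing import List, Optional

# Constructed sample inputs, mirroring the shape of the question's values.
FIELDS = ["ip.src", "ip.dst"]
PCAP = "./pcaps/SSHv2.pcap"


def fields_to_params(fields: List[str]) -> List[str]:
    """Build tshark -e options as separate argv elements: ['-e', 'ip.src', '-e', 'ip.dst']."""
    params: List[str] = []
    for field in fields:
        params += ["-e", field]
    return params


def params_from_string(spec: str) -> List[str]:
    """Split a shell-style option string into argv elements the way a shell would."""
    return shlex.split(spec)


def debug_line(argv: List[str]) -> str:
    """Join argv with spaces, as a log line built with ' '.join(argv) would.

    Element boundaries are lost, so two different argv lists can print identically.
    """
    return " ".join(argv)


def getopt_e_values(argv: List[str]) -> List[str]:
    """Emulate how a getopt-style parser reads the values of '-e' options.

    '-eNAME' or '-e NAME' inside one element carries its value in that element
    (including any leading space); a bare '-e' element takes the next element.
    """
    values: List[str] = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-e":
            if i + 1 < len(argv):
                values.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-e"):
            values.append(arg[2:])
        i += 1
    return values


def build_tshark_argv(pcap: str, display_filter: str, fields: List[str],
                      tshark: str = "tshark") -> List[str]:
    """Same option order as the debug line in the question, with -e split per element."""
    return [tshark, "-l", "-n", "-T", "pdml", "-Y", display_filter,
            *fields_to_params(fields), "-r", pcap]


def run_tshark_fields(pcap: str, display_filter: str,
                      fields: List[str]) -> Optional[List[List[str]]]:
    """Run tshark with -T fields (one tab-separated line per packet) if it is installed."""
    tshark = shutil.which("tshark")
    if tshark is None:
        return None
    argv = [tshark, "-n", "-T", "fields", "-Y", display_filter,
            *fields_to_params(fields), "-r", pcap]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return [line.split("\t") for line in out.splitlines()]


def capture_with_pyshark(pcap: str, display_filter: str, fields: List[str]):
    """The FileCapture call from the question, with the parameter list split per element."""
    import pyshark  # imported lazily so the rest of this file works without pyshark
    return pyshark.FileCapture(pcap, display_filter=display_filter,
                               custom_parameters=fields_to_params(fields), debug=True)


if __name__ == "__main__":
    wrong = ["-e ip.src", "-e ip.dst"]   # one element per option, as in the question
    right = fields_to_params(FIELDS)     # option and value as separate elements
    print(debug_line(wrong) == debug_line(right))  # True: the log line hides the difference
    print(getopt_e_values(wrong))  # [' ip.src', ' ip.dst']: values carry a leading space
    print(getopt_e_values(right))  # ['ip.src', 'ip.dst']
    print(run_tshark_fields(PCAP, "ssh", FIELDS))  # None unless tshark and the pcap exist
```

The practical check when a subprocess wrapper "works on the command line but not from Python" is to compare the argv list, not the joined string: shlex.split of the command that works in the shell gives the list the wrapper must receive, and debug output produced by joining the list cannot show whether an option and its value were one element or two.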