0

As is known, pyshark is a wrapper for tshark. With large volumes of traffic, part of the packets are lost due to the limitations of the buffer size (tshark has 2 MB by default)

My idea is as follows: I want to run tshark with a buffer size like 20MB and pipe the output to my Python script. In this case, instead of LiveCapture, I use PipeCapture as follow:

import pyshark
import pandas as pd
import os

r, w = os.pipe()
pid = os.fork()
r = os.fdopen(r)    

capture = pyshark.PipeCapture(pipe=r, bpf_filter='udp port 5060')

for packet in capture.sniff_continuously():
  print(packet)

And i got error:

AttributeError: module 'pyshark' has no attribute 'PipeCapture' .

I checked source code of pyshark here: https://github.com/KimiNewt/pyshark/blob/master/src/pyshark/capture/pipe_capture.py

Whats wrong?

UPDATE:

As @maxkanthauer recommended I do:

import pyshark
import pandas as pd
import sys
from pyshark.capture.pipe_capture import PipeCapture

r =  sys.stdin

while True:
    capture = PipeCapture(pipe=r)
    print(capture)

and start my script :

tcpdump -l  port 5060 -i etho  | python  pyshark_test.py

Although i sure that there are many packets the output is :

<PipeCapture (0 packets)>
<PipeCapture (0 packets)>
<PipeCapture (0 packets)>
moken
  • 3,227
  • 8
  • 13
  • 23
harp1814
  • 1,494
  • 3
  • 13
  • 31

2 Answers2

1

For some reasons, PipeCapture is not directly under pyshark but rather under pyshark.capture.pipe_capture. In addition, os.pipe() is not a valid value for the pipe parameter. The following should work:

import pyshark
import sys
from pyshark.capture.pipe_capture import PipeCapture

r = sys.stdin

capture = PipeCapture(pipe=r)

def print_callback(pkt):
    print(pkt)

capture.apply_on_packets(print_callback)
MaxKanthauer
  • 11
  • 3
  • @harp1814 Cannot comment directly on question. The way you are implementing the functionality, you are just creating capture objects, which are immidiately discarded after the print. – MaxKanthauer Apr 23 '21 at 10:57
0

To answer the update, PipeCapture creates a generator, which will always indicate 0 packets before properly reading it. In order to actually read from the FIFO, you iterate over it:

capture = PipeCapture(pipe=r)
for packet in capture:
     # do stuff

This will execute the loop everytime a new packet comes in.

Thomas Blazek
  • 1