Each packet captured in PCAP by tcpdump seems to have the UNIX (seconds since 1970) timestamp. However, I can't figure out how to get at this item using PyShark. It seems like PyShark will yield only the three layers of my packets -- IP - UDP - RTP -- none of which seem to have the UNIX timestamp. It seems hard to believe that this functionality is absent from PyShark. What am I missing?

I tried doing a str(packet) to see what PyShark was giving me with each packet. It provides the three layers, but apparently not the prefixed timestamp. I was hoping there was a way for PyShark to yield the raw PCAP record with the PCAP header/timestamp. You can see the timestamp by looking at the PCAP file with a hex editor, so I could write something apart from PyShark to sequentially access the PCAP records in sync with the PyShark processing ... but this seems like a desperate hack.

1 Answer

You can use packet.frame_info to get epoch_time from the frame layer.

    # sample code
    import pyshark
    
    pcap_file = "tcp_sample.pcap"
    capture = pyshark.FileCapture(pcap_file, keep_packets=True)
    
    for i, packet in enumerate(capture):
        print(packet.layers)
        print(packet.frame_info)
        # capture timestamp from the frame layer, in seconds since the UNIX epoch
        print(packet.frame_info.time_epoch)
        print(packet)
    
        # print only the 1st packet
        break
    
    # stop the underlying tshark process
    capture.close()

Ralph Pho
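
The per-record header that the question describes seeing in a hex editor can also be parsed directly. The following is an added example, not part of the original answer or of PyShark: it reads the classic pcap format (not pcapng) with only the standard library, and the function names, the `MAX_RECORD` cap and the sample bytes are constructed for illustration.

```python
import io
import struct
from decimal import Decimal

# Magic number as read little-endian -> (struct byte order, fractional digits).
MAGICS = {
    0xA1B2C3D4: ("<", 6),  # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 6),  # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 9),  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 9),  # big-endian file, nanosecond timestamps
}
MAX_RECORD = 262144  # sanity cap chosen for this example (an assumption)

def pcap_timestamps(stream):
    """Yield (epoch as Decimal, captured_len, original_len) for each record."""
    header = stream.read(24)  # global header: magic, version, zone, sigfigs, snaplen, linktype
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", header[:4])[0]
    if magic not in MAGICS:
        raise ValueError(f"not a classic pcap file (magic {magic:#010x})")
    order, digits = MAGICS[magic]
    while True:
        rec = stream.read(16)  # record header: ts_sec, ts_frac, incl_len, orig_len
        if not rec:
            return
        if len(rec) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", rec)
        if incl_len > MAX_RECORD:
            raise ValueError("implausible record length, file is corrupt or misparsed")
        if len(stream.read(incl_len)) < incl_len:  # skip the packet bytes
            raise ValueError("truncated packet data")
        # Decimal keeps every digit; a float cannot hold nanosecond epoch values exactly.
        yield Decimal(ts_sec) + Decimal(ts_frac).scaleb(-digits), incl_len, orig_len

def sample_pcap():
    """Constructed two-record pcap (little-endian, microseconds, filler payloads)."""
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec1 = struct.pack("<IIII", 1700000000, 500000, 4, 4) + b"\x00" * 4
    rec2 = struct.pack("<IIII", 1700000001, 250, 6, 60) + b"\x00" * 6
    return glob + rec1 + rec2

if __name__ == "__main__":
    for ts, caplen, origlen in pcap_timestamps(io.BytesIO(sample_pcap())):
        print(ts, caplen, origlen)
```

To read a capture from disk, open it in binary mode and pass the file object to `pcap_timestamps`.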