Pyshark - Python Wrapper For Tshark, Allowing Python Parcel Parsing Using Wireshark Dissectors


Python wrapper for tshark, allowing python packet parsing using wireshark dissectors.
Extended documentation: http://kiminewt.github.io/pyshark
Python2 deprecation - This packet no longer supports Python2. If you lot wishing to all the same role it inwards Python2, you lot can:
Looking for contributors - for diverse reasons I have got a difficult fourth dimension finding fourth dimension to maintain in addition to heighten the packet at the moment. Any pull-requests volition live on reviewed in addition to if whatever 1 is interested in addition to is suitable, I volition live on happy to include them inwards the project. Feel costless to postal service me at dorgreen1 at gmail.
There are quite a few python packet parsing modules, this 1 is dissimilar because it doesn't genuinely parse whatever packets, it exactly uses tshark's (wireshark command-line utility) mightiness to export XMLs to role its parsing.
This packet allows parsing from a capture file or a alive capture, using all wireshark dissectors you lot have got installed. Tested on windows/linux.

Installation

All Platforms
Simply run the next to install the latest from pypi
pip install pyshark
Or install from the git repository:
git clone https://github.com/KimiNewt/pyshark.git cd pyshark/src python setup.py install

Mac OS X
You may have got to install libxml which tin give the axe live on unexpected. If you lot have an mistake from clang or an mistake message virtually libxml, run the following:
xcode-select --install pip install libxml
You volition in all probability have got to convey a EULA for XCode thus live on ready to click an "Accept" dialog inwards the GUI.

Usage

Reading from a capture file:
>>> import pyshark >>> cap = pyshark.FileCapture('/tmp/mycapture.cap') >>> cap  >>> impress cap[0] Packet (Length: 698) Layer ETH:         Destination: BLANKED         Source: BLANKED         Type: IP (0x0800) Layer IP:         Version: iv         Header Length: xx bytes         Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))         Total Length: 684         Identification: 0x254f (9551)         Flags: 0x00         Fragment offset: 0         Time to live: 1         Protocol: UDP (17)         Header checksum: 0xe148 [correct]         Source: BLANKED         Destination: BLANKED   ...

Other options
  • param keep_packets: Whether to proceed packets later reading them via next(). Used to conserve retention when reading large caps.
  • param input_file: Either a path or a file-like object containing either a packet capture file (PCAP, PCAP-NG..) or a TShark xml.
  • param display_filter: H5N1 display (wireshark) filter to apply on the cap earlier reading it.
  • param only_summaries: Only hit packet summaries, much faster but includes really piffling information
  • param disable_protocol: Disable detection of a protocol (tshark > version 2)
  • param decryption_key: Key used to encrypt in addition to decrypt captured traffic.
  • param encryption_type: Standard of encryption used inwards captured traffic (must live on either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK.
  • param tshark_path: Path of the tshark binary

Reading from a alive interface:
>>> capture = pyshark.LiveCapture(interface='eth0') >>> capture.sniff(timeout=50) >>> capture  >>> capture[3]   for packet inwards capture.sniff_continuously(packet_count=5):     impress 'Just arrived:', packet

Other options
  • param interface: Name of the interface to sniff on. If non given, takes the showtime available.
  • param bpf_filter: BPF filter to role on packets.
  • param display_filter: Display (wireshark) filter to use.
  • param only_summaries: Only hit packet summaries, much faster but includes really piffling information
  • param disable_protocol: Disable detection of a protocol (tshark > version 2)
  • param decryption_key: Key used to encrypt in addition to decrypt captured traffic.
  • param encryption_type: Standard of encryption used inwards captured traffic (must live on either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK).
  • param tshark_path: Path of the tshark binary
  • param output_file: Additionally relieve captured packets to this file.

Reading from a alive interface using a telephone buffer
>>> capture = pyshark.LiveRingCapture(interface='eth0') >>> capture.sniff(timeout=50) >>> capture  >>> capture[3]   for packet inwards capture.sniff_continuously(packet_count=5):     impress 'Just arrived:', packet

Other options
  • param ring_file_size: Size of the telephone file inwards kB, default is 1024
  • param num_ring_files: Number of telephone files to keep, default is 1
  • param ring_file_name: Name of the telephone file, default is /tmp/pyshark.pcap
  • param interface: Name of the interface to sniff on. If non given, takes the showtime available.
  • param bpf_filter: BPF filter to role on packets.
  • param display_filter: Display (wireshark) filter to use.
  • param only_summaries: Only hit packet summaries, much faster but includes really piffling information
  • param disable_protocol: Disable detection of a protocol (tshark > version 2)
  • param decryption_key: Key used to encrypt in addition to decrypt captured traffic.
  • param encryption_type: Standard of encryption used inwards captured traffic (must live on either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK).
  • param tshark_path: Path of the tshark binary
  • param output_file: Additionally relieve captured packets to this file.

Reading from a alive remote interface:
>>> capture = pyshark.RemoteCapture('192.168.1.101', 'eth0') >>> capture.sniff(timeout=50) >>> capture

Other options
  • param remote_host: The remote host to capture on (IP or hostname). Should live on running rpcapd.
  • param remote_interface: The remote interface on the remote machine to capture on. Note that on windows it is non the device display advert but the truthful interface advert (i.e. \Device\NPF_..).
  • param remote_port: The remote port the rpcapd service is listening on
  • param bpf_filter: H5N1 BPF (tcpdump) filter to apply on the cap earlier reading.
  • param only_summaries: Only hit packet summaries, much faster but includes really piffling information
  • param disable_protocol: Disable detection of a protocol (tshark > version 2)
  • param decryption_key: Key used to encrypt in addition to decrypt captured traffic.
  • param encryption_type: Standard of encryption used inwards captured traffic (must live on either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK).
  • param tshark_path: Path of the tshark binary

Accessing packet data:
Data tin give the axe live on accessed inwards multiple ways. Packets are divided into layers, showtime you lot have got to achieve the appropriate layer in addition to and thus you lot tin give the axe select your field.
All of the next work:
>>> packet['ip'].dst 192.168.0.1 >>> packet.ip.src 192.168.0.100 >>> packet[2].src 192.168.0.100
To exam whether a layer is inwards a packet, you lot tin give the axe role its name:
>>> 'IP' inwards packet True
To encounter all possible champaign names, role the packet.layer.field_names attribute (i.e. packet.ip.field_names) or the autocomplete business office on your interpreter.
You tin give the axe every bit good perish the master copy binary information of a field, or a pretty description of it:
>>> p.ip.addr.showname Source or Destination Address: 10.0.0.10 (10.0.0.10) # And or thus novel attributes every bit well: >>> p.ip.addr.int_value 167772170 >>> p.ip.addr.binary_value '\n\x00\x00\n'

Decrypting packet captures
Pyshark supports automatic decryption of traces using the WEP, WPA-PWD, in addition to WPA-PSK standards (WPA-PWD is the default).
>>> cap1 = pyshark.FileCapture('/tmp/capture1.cap', decryption_key='password') >>> cap2 = pyshark.LiveCapture(interface='wi0', decryption_key='password', encryption_type='wpa-psk')
H5N1 tuple of supported encryption standards, SUPPORTED_ENCRYPTION_STANDARDS, exists inwards each capture class.
>>> pyshark.FileCapture.SUPPORTED_ENCRYPTION_STANDARDS ('wep', 'wpa-pwd', 'wpa-psk') >>> pyshark.LiveCapture.SUPPORTED_ENCRYPTION_STANDARDS ('wep', 'wpa-pwd', 'wpa-psk')