Overview

This repository contains usage documentation for the Python module PyShark. PyShark is a wrapper for TShark, the command-line interface (CLI) to Wireshark, which sniffs and captures packets from a network interface. The real power of PyShark is that it gives Python access to all of the packet dissectors built into TShark.

This repository also contains some basic parsing examples, which are also contained in the usage documentation that I developed for PyShark.

LiveCapture Usage examples

Basic Capture

import pyshark

# Create a LiveCapture object to capture packets from the specified interface
capture = pyshark.LiveCapture(interface='your capture interface')
for packet in capture:
    # do something with the packet, e.g. print its dissected layers
    print(packet)

LiveCapture with packet count

PyShark LiveCapture has a method named sniff_continuously that allows you to limit the number of packets captured.

import pyshark

# Create a LiveCapture object to capture packets from the specified interface
capture = pyshark.LiveCapture(interface='your capture interface')

# Capture packets until the specified number of packets has been seen
for packet in capture.sniff_continuously(packet_count=10):
    # do something with the packet
    print(packet)

LiveCapture with timeout

PyShark LiveCapture also has a method named sniff that allows you to set a capture timeout period.

import pyshark

# Create a LiveCapture object to capture packets from the specified interface
capture = pyshark.LiveCapture(interface='your capture interface')

# Capture packets for a specified duration (in seconds); sniff() blocks
# until the timeout expires and stores the packets on the capture object
capture.sniff(timeout=10)

# Copy the captured packets out before closing the capture
packets = list(capture._packets)
capture.close()
for packet in packets:
    # do something with the packet
    print(packet)

LiveCapture with BPF_Filter

PyShark LiveCapture accepts a bpf_filter argument that lets you prefilter packets at capture time using Berkeley Packet Filter (BPF) syntax, so TShark never dissects traffic that does not match. The example below shows how to capture only Domain Name System (DNS) packets from a LiveCapture session.

import pyshark

# Create a LiveCapture object for the specified interface with a bpf_filter
# that keeps only UDP traffic on port 53 (DNS)
capture = pyshark.LiveCapture(interface='your capture interface', bpf_filter='udp port 53')
for packet in capture:
    # do something with the packet
    print(packet)

LiveCapture with Display_Filter

PyShark LiveCapture also accepts a display_filter argument that lets you filter packets using Wireshark display-filter syntax. Unlike a BPF filter, a display filter is applied by TShark after each packet has been dissected, so it can match on protocol fields but does not reduce the capture load. The example below shows how to parse Domain Name System (DNS) packets from a LiveCapture session.

import pyshark

# Create a LiveCapture object for the specified interface with a display_filter
# that keeps only packets TShark dissects as DNS
capture = pyshark.LiveCapture(interface='your capture interface', display_filter='dns')
for packet in capture:
    # do something with the packet
    print(packet)
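The following is an added example, not part of the original repository, that combines the bpf_filter and sniff_continuously examples above into a small DNS summary: it groups query names by client IP and flags unusually long names, which a defender might want to review. The capture helper needs TShark and a real interface name; the summary function and the constructed FakePacket stand-in run offline. The pyshark field names used (packet.dns.qry_name, packet.dns.flags_response, packet.ip.src) are pyshark's attribute-style spellings of the dns.qry.name, dns.flags.response and ip.src fields.

```python
from collections import defaultdict
from types import SimpleNamespace


def capture_dns(interface, packet_count=10):
    """Yield up to packet_count DNS packets from a live interface (needs TShark)."""
    import pyshark  # imported lazily so summarize_dns() runs without TShark installed
    capture = pyshark.LiveCapture(interface=interface, bpf_filter="udp port 53")
    yield from capture.sniff_continuously(packet_count=packet_count)


def summarize_dns(packets, long_name=60):
    """Return (queries_by_src, long_names) for the DNS queries in packets.

    queries_by_src maps client IP -> set of queried names; long_names lists
    (src, name) pairs whose name exceeds long_name characters.
    """
    queries_by_src = defaultdict(set)
    long_names = []
    for pkt in packets:
        if "DNS" not in pkt or "IP" not in pkt:
            continue
        if str(pkt.dns.flags_response) != "0":  # '0' = query, '1' = response
            continue
        name = str(pkt.dns.qry_name).rstrip(".")
        queries_by_src[pkt.ip.src].add(name)
        if len(name) > long_name:
            long_names.append((pkt.ip.src, name))
    return dict(queries_by_src), long_names


class FakePacket:
    """Constructed stand-in for a pyshark Packet, for offline use only."""

    def __init__(self, **layers):
        self._layers = {k.upper(): SimpleNamespace(**v) for k, v in layers.items()}

    def __contains__(self, layer_name):
        return layer_name.upper() in self._layers

    def __getattr__(self, name):
        try:
            return self._layers[name.upper()]
        except KeyError:
            raise AttributeError(name)


SAMPLE = [  # constructed sample traffic: one query, its response, one long query
    FakePacket(ip={"src": "10.0.0.5"}, dns={"flags_response": "0", "qry_name": "example.com"}),
    FakePacket(ip={"src": "10.0.0.5"}, dns={"flags_response": "1", "qry_name": "example.com"}),
    FakePacket(ip={"src": "10.0.0.9"}, dns={"flags_response": "0", "qry_name": "a" * 70 + ".tunnel.example"}),
]

if __name__ == "__main__":
    print(summarize_dns(SAMPLE))
```

To run against live traffic, pass capture_dns('your capture interface') to summarize_dns in place of SAMPLE.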

Additional parsing examples

Here are some additional parsing examples within this repository.

Here are some additional parsing examples that I posted to GitHub Gist.

Stack Overflow answers

Here are some Stack Overflow answers that I posted for questions about PyShark.

Prerequisites

TShark must be installed and accessible via your $PATH, because PyShark locates the tshark executable by searching the PATH. Reference the installation section of the usage documentation for details on how to install TShark.

References

  • PyShark: the Python wrapper for TShark that allows Python packet parsing using Wireshark dissectors.

  • TShark: a terminal-oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn't necessary or available.

  • Wireshark: a network packet analysis tool that captures packets in real time and displays them in a graphical interface.

  • Homebrew: package manager for macOS and Linux.

  • Berkeley Packet Filter (BPF) syntax

  • Display Filter syntax

Notes

PyShark has limited documentation, which is why I developed the PyShark usage documentation in this repository for others to use.

The code in this repository is not production ready. It was designed strictly for experimental testing purposes.