Mastering Network Analysis with Pyshark: A Comprehensive Guide to Python Packet Parsing

Pyshark

Pyshark is a Python wrapper for tshark. With the help of Pyshark, researchers can use Wireshark's dissectors for packet analysis from Python.

Extended documentation: [Pyshark]

Although there are currently several Python packet parsing modules in the community, Pyshark differs in that it does not parse any packets itself; it only uses tshark (the Wireshark command-line utility) to export the dissected packets as XML and then reads that XML to complete the parsing.

Pyshark Tool Installation

Pyshark: Available for All Platforms

Users can directly use pip to install Pyshark from pypi:

pip install pyshark

Alternatively, you can clone the project code directly from the project’s GitHub repository:

git clone https://github.com/KimiNewt/pyshark.git
cd pyshark/src
python setup.py install

Pyshark for Mac OS X

On macOS, you may also need to install libxml. If you encounter errors while running the clang command, or errors mentioning libxml, run the following commands:

xcode-select --install
pip install libxml

Pyshark Tool Usage

Reading and Parsing Content from a Cap File:

>>> import pyshark
>>> cap = pyshark.FileCapture('/tmp/mycapture.cap')
>>> cap
<FileCapture /tmp/mycapture.cap (589 packets)>
>>> print(cap[0])
Packet (Length: 698)
Layer ETH:
    Destination: BLANKED
    Source: BLANKED
    Type: IP (0x0800)
Layer IP:
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 684
    Identification: 0x254f (9551)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 1
    Protocol: UDP (17)
    Header checksum: 0xe148 [correct]
    Source: BLANKED
    Destination: BLANKED
...

Other Options:

keep_packets: Whether to keep packets in memory after they have been read;
input_file: Path or file object of a packet file (PCAP, PCAP-NG...) or a TShark XML file;
display_filter: A display filter to apply before reading packet content;
only_summaries: Generate only packet summary data; fast, but with less information;
disable_protocol: Disable detection of a given protocol (tshark > version 2);
decryption_key: Key used to decrypt encrypted captured traffic;
encryption_type: Encryption standard used in the captured traffic ('WEP', 'WPA-PWD', or 'WPA-PWK'; default is WPA-PWK);
tshark_path: Path to the tshark binary;

Reading Packet Content from a Live Interface:

>>> capture = pyshark.LiveCapture(interface='eth0')
>>> capture.sniff(timeout=50)
>>> capture
<LiveCapture (5 packets)>
>>> capture[3]
<UDP/HTTP Packet>

for packet in capture.sniff_continuously(packet_count=5):
    print('Just arrived:', packet)

Using a Ring Buffer to Read Packet Content from a Live Interface:

>>> capture = pyshark.LiveRingCapture(interface='eth0')
>>> capture.sniff(timeout=50)
>>> capture
<LiveCapture (5 packets)>
>>> capture[3]
<UDP/HTTP Packet>

for packet in capture.sniff_continuously(packet_count=5):
    print('Just arrived:', packet)

Reading Packet Content from a Remote Live Interface:

>>> capture = pyshark.RemoteCapture('192.168.1.101', 'eth0')
>>> capture.sniff(timeout=50)
>>> capture

Accessing Packet Data

We can access packet data in several ways. Each packet is divided into layers; first select the layer you need, then read the field you want from it.

>>> packet['ip'].dst
192.168.0.1
>>> packet.ip.src
192.168.0.100
>>> packet[2].src
192.168.0.100

To check whether a packet contains a given layer, use the in operator:

>>> 'IP' in packet
True

To list all fields of a layer, use the packet.layer.field_names attribute, for example packet.ip.field_names. You can also read a field's display name (showname) and its raw value in integer or binary form:

>>> p.ip.addr.showname
Source or Destination Address: 10.0.0.10 (10.0.0.10)
# And some new attributes as well:
>>> p.ip.addr.int_value
167772170
>>> p.ip.addr.binary_value
'\n\x00\x00\n'
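As an added example (not code from the Pyshark project), the layer check and field access shown above, together with the display_filter and keep_packets options from the parameter list, combined into a small per-conversation summary for triaging a capture. summarize_conversations, summarize_file, StandInPacket and SAMPLE are assumed names; the sample packets are constructed stand-ins so the summary runs even where tshark is not installed.

```python
from collections import Counter
from types import SimpleNamespace

def summarize_conversations(packets):
    """Count packets per (transport, src, dst, dstport); packets with no IP
    layer or no TCP/UDP transport (ARP, ICMP, ...) are tallied by highest layer."""
    flows, other = Counter(), Counter()
    for pkt in packets:
        # Layer presence test and layer/field access exactly as shown above.
        if 'IP' not in pkt or pkt.transport_layer is None:
            other[pkt.highest_layer] += 1
            continue
        transport = pkt[pkt.transport_layer]  # pkt['TCP'] or pkt['UDP']
        flows[(pkt.transport_layer, pkt.ip.src, pkt.ip.dst, transport.dstport)] += 1
    return flows, other

def summarize_file(path, display_filter=None):
    """Read a capture with pyshark (needs tshark on PATH); keep_packets=False
    lets pyshark drop each packet once read so large files fit in memory."""
    import pyshark  # deferred so the rest of the example runs without tshark
    cap = pyshark.FileCapture(path, display_filter=display_filter, keep_packets=False)
    try:
        return summarize_conversations(cap)
    finally:
        cap.close()

class StandInPacket:
    """Constructed stand-in for pyshark's Packet with only the attributes used
    above (hypothetical, so the example runs offline without tshark)."""
    def __init__(self, highest_layer, transport_layer=None, **layers):
        self.highest_layer, self.transport_layer = highest_layer, transport_layer
        self.layers = {k.upper(): SimpleNamespace(**v) for k, v in layers.items()}
    def __contains__(self, name):  # 'IP' in pkt
        return name.upper() in self.layers
    def __getitem__(self, name):  # pkt['ip'], pkt['UDP']
        return self.layers[name.upper()]
    def __getattr__(self, name):  # pkt.ip -> pkt['IP']
        if name.upper() in self.__dict__.get('layers', {}):
            return self.__dict__['layers'][name.upper()]
        raise AttributeError(name)

# Constructed sample: two DNS queries, one TCP connection to 443, one ARP frame.
SAMPLE = [
    StandInPacket('DNS', 'UDP', ip={'src': '10.0.0.10', 'dst': '10.0.0.1'}, udp={'dstport': '53'}),
    StandInPacket('DNS', 'UDP', ip={'src': '10.0.0.10', 'dst': '10.0.0.1'}, udp={'dstport': '53'}),
    StandInPacket('TCP', 'TCP', ip={'src': '10.0.0.10', 'dst': '10.0.0.2'}, tcp={'dstport': '443'}),
    StandInPacket('ARP'),
]
```

On a real file, summarize_file('/tmp/mycapture.cap', display_filter='dns') returns the same two counters for only the DNS packets.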

Decrypting Captured Packets

Pyshark can decrypt captured traffic automatically. It supports the WEP, WPA-PWD, and WPA-PSK encryption standards, with WPA-PWD as the default:

>>> cap1 = pyshark.FileCapture('/tmp/capture1.cap', decryption_key='password')
>>> cap2 = pyshark.LiveCapture(interface='wi0', decryption_key='password', encryption_type='wpa-psk')

Additionally, the supported encryption standards are exposed as a tuple on the capture classes:

>>> pyshark.FileCapture.SUPPORTED_ENCRYPTION_STANDARDS
('wep', 'wpa-pwd', 'wpa-psk')
>>> pyshark.LiveCapture.SUPPORTED_ENCRYPTION_STANDARDS
('wep', 'wpa-pwd', 'wpa-psk')