1- pyshark
2- =======
1+ #pyshark
32
43Python wrapper for tshark, allowing python packet parsing using wireshark dissectors.
54
@@ -10,17 +9,15 @@ There are quite a few python packet parsing modules, this one is different becau
109This package allows parsing from a capture file or a live capture, using all wireshark dissectors you have installed.
1110Tested on windows/linux.
1211
13- Usage
14- =====
12+ ##Usage
1513
16- Reading from a capture file:
17- ----------------------------
14+ ###Reading from a capture file:
1815
19- ```
20- import pyshark
21- cap = pyshark.FileCapture('/tmp/mycapture.cap')
22- cap
23- >>> <FileCapture /tmp/mycapture.cap (589 packets)>
16+ ``` python
17+ >> > import pyshark
18+ >> > cap = pyshark.FileCapture(' /tmp/mycapture.cap'
19+ >> > cap
20+ < FileCapture / tmp/ mycapture.cap (589 packets)>
2421print cap[0 ]
2522Packet (Length: 698 )
2623Layer ETH :
@@ -42,36 +39,106 @@ Layer IP:
4239 Destination: BLANKED
4340 ...
4441```
45-
46- Reading from a live interface:
47- ------------------------------
4842
49- ```
50- capture = pyshark.LiveCapture(interface='eth0')
51- capture.sniff(timeout=50)
52- capture
53- >>> <LiveCapture (5 packets)>
54- capture[3]
43+ #### Other options
44+
45+ * ** lazy** : Whether to lazily get packets from the cap file or read all of them
46+ immediately.
47+ * ** param keep_packets** : Whether to keep packets after reading them via next().
48+ Used to conserve memory when reading large caps (can only be used along with
49+ the "lazy" option!)
50+ * ** param input_file** : Either a path or a file-like object containing either a
51+ packet capture file (PCAP, PCAP-NG..) or a TShark xml.
52+ * ** param bpf_filter** : A BPF (tcpdump) filter to apply on the cap before reading.
53+ * ** param display_filter** : A display (wireshark) filter to apply on the cap
54+ before reading it.
55+ * ** param only_summaries** : Only produce packet summaries, much faster but includes
56+ very little information
57+ * ** param decryption_key** : Key used to encrypt and decrypt captured traffic.
58+ * ** param encryption_type** : Standard of encryption used in captured traffic (must
59+ be either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK.
60+
61+ ###Reading from a live interface:
62+
63+ ``` python
64+ >> > capture = pyshark.LiveCapture(interface = ' eth0'
65+ >> > capture.sniff(timeout = 50 )
66+ >> > capture
67+ < LiveCapture (5 packets)>
68+ >> > capture[3 ]
5569< UDP / HTTP Packet>
5670
5771for packet in capture.sniff_continuously(packet_count = 5 ):
5872 print ' Just arrived:'
5973```
6074
75+ #### Other options
76+
77+ * ** param interface** : Name of the interface to sniff on. If not given, takes
78+ the first available.
79+ * ** param bpf_filter** : BPF filter to use on packets.
80+ * ** param display_filter** : Display (wireshark) filter to use.
81+ * ** param only_summaries** : Only produce packet summaries, much faster but
82+ includes very little information
83+ * ** param decryption_key** : Key used to encrypt and decrypt captured traffic.
84+ * ** param encryption_type** : Standard of encryption used in captured traffic
85+ (must be either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK).
86+
87+ ###Reading from a live remote interface:
88+
89+ ``` python
90+ >> > capture = pyshark.RemoteCapture(' 192.168.1.101' ' eth0'
91+ >> > capture.sniff(timeout = 50 )
92+ >> > capture
93+ ```
94+
95+ #### Other options
6196
62- Accessing packet data:
63- ----------------------
97+ * ** param remote_host** : The remote host to capture on (IP or hostname).
98+ Should be running rpcapd.
99+ * ** param remote_interface** : The remote interface on the remote machine to
100+ capture on. Note that on windows it is not the device display name but the
101+ true interface name (i.e. \\ Device\\ NPF_ ..).
102+ * ** param remote_port** : The remote port the rpcapd service is listening on
103+ * ** param bpf_filter** : A BPF (tcpdump) filter to apply on the cap before
104+ reading.
105+ * ** param only_summaries** : Only produce packet summaries, much faster but
106+ includes very little information
107+ * ** param decryption_key** : Key used to encrypt and decrypt captured traffic.
108+ * ** param encryption_type** : Standard of encryption used in captured traffic
109+ (must be either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK).
64110
65- Data can be accessed in multiple ways.
111+ ###Accessing packet data:
112+
113+ Data can be accessed in multiple ways.
66114Packets are divided into layers, first you have to reach the appropriate layer and then you can select your field.
67115
68116All of the following work:
69117
118+ ``` python
119+ >> > packet[' ip'
120+ 192.168 .0.1
121+ >> > packet.ip.src
122+ 192.168 .0.100
123+ >> > packet[2 ].src
124+ 192.168 .0.100
70125```
71- packet['ip'].dst
72- >>> 192.168.0.1
73- packet.ip.src
74- >>> 192.168.0.100
75- packet[2].src
76- >>> 192.168.0.100
126+
127+ ###Decrypting packet captures
128+
129+ Pyshark supports automatic decryption of traces using the WEP, WPA-PWD, and WPA-PSK standards (WPA-PWD is the default).
130+
131+ ``` python
132+ >> > cap1 = pyshark.FileCapture(' /tmp/capture1.cap' decryption_key = ' password'
133+ >> > cap2 = pyshark.LiveCapture(interface = ' wi0' decryption_key = ' password' encryption_type = ' wpa-psk'
77134```
135+
136+ A tuple of supported encryption standards, SUPPORTED_ENCRYPTION_STANDARDS,
137+ exists in each capture class.
138+
139+ ``` python
140+ >> > pyshark.FileCapture.SUPPORTED_ENCRYPTION_STANDARDS
141+ (' wep' ' wpa-pwd' ' wpa-psk'
142+ >> > pyshark.LiveCapture.SUPPORTED_ENCRYPTION_STANDARDS
143+ (' wep' ' wpa-pwd' ' wpa-psk'
144+ ```
0 commit comments