While working with Pyshark I’ve found that some of the documentation doesn’t quite line up, so I’m writing this post to help people who might run into the same situation. The intro doc is found here and I’ll be comparing it to what actually happens when using the newest version (0.3.3) of Pyshark.

The first thing I noticed is that it’s difficult to get a basic count of the packets in the capture object. The __repr__ string doesn’t include a packet count when reading from a file (only available when using LiveCapture):

[screenshot: pyshark1]

Checking len() on the capture object tells me that the packets are only read in when requested (lazy fetching).

I think this was changed to improve performance, since I see references to a lazy parameter in earlier commits, and there is also a current option not to keep the packets in memory (in the cap._packets list). When that option is used, you can only iterate through the packets; you cannot reference them by index:

[screenshot: pyshark2]
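The iterate-only behaviour described above is not specific to Pyshark: any capture reader can count packets as a stream instead of loading them all first. What follows is an added example, not code from this post or from Pyshark: a small pure-Python reader for the classic pcap format that yields one record at a time and counts packets without retaining them, run over a constructed three-packet capture. The names iter_pcap, count_packets, record_lengths and SAMPLE_PCAP are mine, and the sample frames are dummy bytes, not a real capture.

```python
import io
import struct
from typing import BinaryIO, Iterator, NamedTuple

PcapRecord = NamedTuple("PcapRecord", [("ts_sec", int), ("ts_usec", int), ("data", bytes)])

def iter_pcap(fh: BinaryIO) -> Iterator[PcapRecord]:
    """Yield records one at a time; nothing is retained once the caller moves on."""
    header = fh.read(24)
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", header[:4])[0]
    if magic == 0xA1B2C3D4:    # classic pcap, same byte order as we read with
        end = "<"
    elif magic == 0xD4C3B2A1:  # classic pcap, opposite byte order
        end = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#x})")
    snaplen = struct.unpack(end + "I", header[16:20])[0]
    while True:
        rec_hdr = fh.read(16)
        if not rec_hdr:  # clean end of file
            return
        if len(rec_hdr) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", rec_hdr)
        if incl_len > snaplen:  # corrupt length field: refuse rather than over-read
            raise ValueError(f"record length {incl_len} exceeds snaplen {snaplen}")
        data = fh.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        yield PcapRecord(ts_sec, ts_usec, data)

def count_packets(raw: bytes) -> int:
    """Count records without building a list of them (the keep_packets=False idea)."""
    return sum(1 for _ in iter_pcap(io.BytesIO(raw)))

def record_lengths(raw: bytes) -> list:
    """Captured length of each record, streamed rather than indexed."""
    return [len(rec.data) for rec in iter_pcap(io.BytesIO(raw))]

def _pcap(frames) -> bytes:
    """Build a little-endian pcap (linktype 1 = Ethernet) from raw frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: three dummy Ethernet-sized frames, not a real capture.
SAMPLE_PCAP = _pcap([b"\xaa" * 60, b"\xbb" * 74, b"\xcc" * 1514])
```

A truncated or corrupt file raises ValueError instead of silently under-counting, which is the check you want before trusting a packet count from an untrusted capture.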


This article has 3 comments

  1. Pingback: PyShark – Using the capture Object | thePacketGeek

  2. Cru Jones

    Is there any way to get the payload of a packet using pyshark? I am trying to do some packet analysis and need the data portion of the TCP packet. This seems like it has to be supported but I can’t find a way to get at the data. Thanks.

    1. Mat

      I don’t see a way to get the payload of a TCP packet; there only seems to be support for specific application layers (HTTP). If you’re wanting to capture bytes of packets, I would recommend using scapy instead, as that should give you more access to the actual packet bytes (although it performs less built-in dissection of packets).
