I can hardly believe it took me this long to find PyShark, but I am very glad I did! PyShark is a wrapper for the Wireshark CLI interface, tshark, so all of the Wireshark decoders are available to PyShark! It’s so amazing that I started a new project just so I could use this amazing new tool: Cloud-Pcap.

You can use PyShark to sniff from an interface or open a saved capture file, as the docs show on the overview page here:

Once a capture object is created, either from a LiveCapture or FileCapture method, several methods and attributes are available at both the capture and packet level.  The power of PyShark is the access to all of the packet decoders built into tshark.  I’m going to just give a sneak peek of some of the things you can do in this post and there will be a few accompanying posts that follow to go more in depth.

1. Getting packet summaries (similar to tshark capture output):

This will give access to attributes like packet number, relative and delta times, IP addresses, protocol, and a brief info line.

2. Drilling down into packet attributes by layer:

3. Iterating through the packets and applying a function to each:

…and this is just the sneak peek! Who knew that getting the power of tshark & Wireshark into your Python scripts and applications would be this easy! The only caveat I’ve found so far is performance. I’ve thrown a lot of packets at PyShark and it can really slow down once you start running through captures of a couple thousand packets. Some things have been done to preserve memory that will be covered in the following posts.
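As an added example (not code from the post or from PyShark's own documentation): the script below first builds a small constructed pcap of three TCP SYNs, then does the three things listed above with FileCapture: one-line summaries, drilling into the ip and tcp layers, and applying one function to every packet. The two pyshark functions assume tshark and the pyshark package are installed; the addresses, ports and MACs are made up.

```python
import collections
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum used by the IPv4 and TCP headers."""
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_syn_frame(src_ip, dst_ip, sport, dport) -> bytes:
    """One Ethernet/IPv4/TCP SYN frame (54 bytes) with valid checksums; constructed data."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + tcp

def sample_pcap_bytes() -> bytes:
    """Constructed pcap: three SYNs from 10.0.0.5 to ports 22, 22 and 443 on 10.0.0.9."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, port in enumerate((22, 22, 443)):
        frame = tcp_syn_frame("10.0.0.5", "10.0.0.9", 40000 + i, port)
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def packet_summaries(path: str) -> list:
    """1. One-line summaries, like tshark's default output; nothing else is decoded."""
    import pyshark  # imported here so the pcap builder above runs even without tshark installed
    cap = pyshark.FileCapture(path, only_summaries=True)
    rows = [(s.no, s.source, s.destination, s.protocol, s.info) for s in cap]
    cap.close()
    return rows

def syn_targets(path: str) -> collections.Counter:
    """2 and 3. Drill into the ip/tcp layers and apply one function to every packet."""
    import pyshark
    hits = collections.Counter()
    def tally(pkt):
        flags = int(str(pkt.tcp.flags), 16)  # field values arrive as strings
        if flags & 0x02 and not flags & 0x10:  # SYN without ACK: a new connection attempt
            hits[(pkt.ip.dst, pkt.tcp.dstport)] += 1
    # keep_packets=False so PyShark does not hold every decoded packet in memory (the caveat above)
    cap = pyshark.FileCapture(path, display_filter="tcp", keep_packets=False)
    cap.apply_on_packets(tally)
    cap.close()
    return hits
```

Write `sample_pcap_bytes()` to a file and pass its path to the two functions; `syn_targets` then reports two SYNs to port 22 and one to port 443.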

I certainly hope you’re as excited as I am at this point. There’s plenty more to come, so check back soon!


This article has 5 comments

  1. Mike

    I am trying to use the pyshark module and getting this:
    import pyshark
    capture = pyshark.LiveCapture(interface='wlan0')
    capture.sniff(timeout=50)
    capture

    AttributeError: 'module' object has no attribute 'LiveCapture'

    Am I missing something or do I need to import anything else?

    1. Mat

      Seems like something went wrong during the install process. What installation steps did you use and what platform are you on (OS & python version)? Are you able to access any of the other pyshark modules (FileCapture, RemoteCapture, etc.)?

      1. Mike

        I am using Kali Linux (latest version).
        Python 2.7.3
        gcc 4.7.2
        I used the repo packages as well as the source packages --> apt-get install python-pyshark
        Guys on the python mailing list claimed that my version of Python was not compiled correctly. The gevent library is not compiled correctly; the main issue is with the gevent._threading module, which I can't make work correctly. I guess I'll have to change OS for this.
        I tried using the threading lib but it has nothing to do with this error.
