Before we get started, you should read a few things in this post about the differences between the current version of PyShark (0.3.3) and the documentation on the website. Everything I cover in this post is something I've tested and confirmed works in the current version.
Now that we know how to use the FileCapture and LiveCapture modules to capture some packets, let’s see what options we have with the returned capture object (truncated list for brevity):
    dir(cap)
    Out: ['apply_on_packets', 'close', 'current_packet', 'display_filter', 'encryption', 'input_filename', 'next', 'next_packet']
These are the methods/attributes that I feel are actually useful; most of the other ones are used for debugging or internally by the capture process. The display_filter, encryption and input_filename attributes show the parameters that were passed into FileCapture or LiveCapture.

The real magic here is the next() method. Iteration (via a for loop) is available because of the next() method, and apply_on_packets() is another way to iterate through the packets, passing in a function to apply to each packet:
    >>> cap = pyshark.FileCapture('test.pcap', keep_packets=False)
    >>> def print_highest_layer(pkt):
    ...     print(pkt.highest_layer)
    ...
    >>> cap.apply_on_packets(print_highest_layer)
    HTTP
    HTTP
    HTTP
    HTTP
    HTTP
    ... (truncated)
This can also be used for things other than printing, such as adding the packets to a list for counting or other processing. Here’s a script that will append all the packets to a list and print the count:
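    import pyshark

    def get_capture_count():
        # keep_packets=False discards each packet after the callback has seen it
        p = pyshark.FileCapture('test.cap.pcap', keep_packets=False)
        count = []

        def counter(*args):
            # Called once per packet; args holds the packet object
            count.append(args)

        p.apply_on_packets(counter, timeout=100000)
        return len(count)

    print(get_capture_count())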
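The same callback pattern can do more than count. The following is an added example, not code from the original post: a callable handed to apply_on_packets() tallies packets per highest_layer and lists the protocols that fall outside an allowlist. LayerTally, summarize, summarize_pcap, the allowlist, and the FakePacket/FakeCapture stand-ins with their sample data are all assumptions constructed here so the block runs without tshark.

```python
from collections import Counter


class LayerTally(object):
    """Callable for apply_on_packets(): counts packets per highest layer."""

    def __init__(self, expected=("TCP", "TLS", "HTTP", "DNS")):  # assumed allowlist
        self.expected = set(expected)
        self.counts = Counter()

    def __call__(self, pkt):
        # Store only the layer name, so keep_packets=False can free the packet.
        self.counts[pkt.highest_layer] += 1

    def unexpected(self):
        """(layer, count) pairs not on the allowlist, most frequent first."""
        return [(l, n) for l, n in self.counts.most_common()
                if l not in self.expected]


def summarize(cap, timeout=None):
    """Run the tally over any capture object exposing apply_on_packets()."""
    tally = LayerTally()
    cap.apply_on_packets(tally, timeout=timeout)
    return tally


def summarize_pcap(path, timeout=None):
    import pyshark  # imported lazily so the offline demo needs no tshark
    cap = pyshark.FileCapture(path, keep_packets=False)
    try:
        return summarize(cap, timeout=timeout)
    finally:
        cap.close()


# --- Constructed stand-ins and sample data (not real PyShark objects) ---
class FakePacket(object):
    def __init__(self, highest_layer):
        self.highest_layer = highest_layer


class FakeCapture(object):
    def __init__(self, layers):
        self._layers = layers

    def apply_on_packets(self, callback, timeout=None):
        for layer in self._layers:
            callback(FakePacket(layer))


SAMPLE = ["HTTP", "HTTP", "DNS", "TLS", "TELNET", "HTTP", "TELNET", "SMB"]
```

With a real capture file, call summarize_pcap('test.pcap') and inspect the returned object's counts and unexpected().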
Check out the next PyShark article that covers the methods and attributes of the PyShark