a developing networker

PyShark – Using the capture Object

11 Nov 2014 » Coding
This entry is part 3 of 4 in the series Intro to PyShark

Before we get started you should read a few things in this post about the differences here between the current version of PyShark (0.3.3) and the documentation on the website. Everything I cover in this post will be things I’ve tested and confirmed work in the current version.

Now that we know how to use the FileCapture and LiveCapture modules to capture some packets, let’s see what options we have with the returned capture object (truncated list for brevity):


These are the methods/attributes that I feel are actually useful, most of the other ones are used for debugging or internally for the capture process. The

display_filter, encryption, input_filename attributes are used for displaying parameters passed into  FileCapture or LiveCapture.

The real magic here is the apply_on_packets() and next() methods. Iteration (via for loop) is available because of the next() method, and apply_on_packets() is another way to iterate through the packets, passing in a function to apply to each packet:

>>> cap = pyshark.FileCapture('test.pcap', keep_packets=False)
>>> def print_highest_layer(pkt)
...: print pkt.highest_layer
>>> cap.apply_on_packets(print_highest_layer)
... (truncated)

This can also be used for things other than printing, such as adding the packets to a list for counting or other processing. Here’s a script that will append all the packets to a list and print the count:

import pyshark

def get_capture_count():
    p = pyshark.FileCapture('test.cap.pcap', keep_packets=False)

    count = []
    def counter(*args):

    p.apply_on_packets(counter, timeout=100000)

    return len(count)

print get_capture_count()

Check out the next PyShark article that covers the methods and attributes of the PyShark packet object.