Intro to PyShark for Programmatic Packet Analysis

This entry is part 1 of 4 in the series Intro to PyShark

I can hardly believe it took me this long to find PyShark, but I am very glad I did! PyShark is a wrapper around tshark, the Wireshark command-line tool, so all of the Wireshark dissectors are available to PyShark! It’s so amazing that I started a new project just so I could use this new tool: Cloud-Pcap.

You can use PyShark to sniff from an interface or open a saved capture file, as the docs show on the overview page here:


PyShark – FileCapture and LiveCapture modules

This entry is part 2 of 4 in the series Intro to PyShark

The two typical ways to start analyzing packets are via PyShark’s FileCapture and LiveCapture modules. The former imports packets from a saved capture file, and the latter sniffs from a network interface on the local machine. Running either module returns a capture object, which I will cover in depth in the next post. For now, let’s see what we can do with these two modules.

Both modules offer similar parameters that affect packets returned in the capture object. These definitions are taken directly out of the docstrings for these modules:

  • interface: [LiveCapture only] Name of the interface to sniff on. If not given, takes the first available.
  • bpf_filter: [LiveCapture only] A BPF (tcpdump) filter to apply on the cap before reading.
  • input_file: [FileCapture only] File path of the capture (PCAP, PCAPNG)
  • keep_packets: Whether to keep packets after reading them via next(). Used to conserve memory when reading large caps.
  • display_filter: A display (wireshark) filter to apply on the cap before reading it.
  • only_summaries: Only produce packet summaries, much faster but includes very little information.
  • decryption_key: Optional key used to encrypt and decrypt captured traffic.
  • encryption_type: Standard of encryption used in captured traffic (must be either ‘WEP’, ‘WPA-PWD’, or ‘WPA-PWK’. Defaults to WPA-PWK).


PyShark – Using the capture Object

This entry is part 3 of 4 in the series Intro to PyShark

Before we get started, you should read a few things in this post about the differences between the current version of PyShark (0.3.3) and the documentation on the website. Everything I cover in this post is something I’ve tested and confirmed works in the current version.

Now that we know how to use the FileCapture and LiveCapture modules to capture some packets, let’s see what options we have with the returned capture object (truncated list for brevity):


PyShark – Using the packet Object

This entry is part 4 of 4 in the series Intro to PyShark

So far in this series we’ve done a lot with capturing packets and working with the capture object, but now we’re finally going to get to the fun part and start playing with some PACKETS!!!!

When we have captured packets in a capture object, they are stored as a list of packet objects. These packet objects have methods and attributes that give us access to the header and payload info of each packet. As stated in a previous post, we control how much info about each packet is stored in its packet object through the only_summaries argument of the LiveCapture and FileCapture modules.