Graphing packet details with PyShark, pygal, and Flask

So you’ve used PyShark to get packet statistics out of your trace files but you want to represent them in a more friendly way than just text output?  How about using Flask and pygal to get those statistics in a graph or chart for use in a web app!

PyGal ExampleThis blog post will be a brief overview of getting some packet data in a chart and on a webpage. Please note that this will be a very simple example and not a recommended production deployment of Flask. I highly recommend using templates, flask-bootstrap, and more advanced Flask topics which you can learn about here.

Continue reading

PyShark – Using the packet Object

This entry is part 4 of 4 in the series Intro to PyShark

So far in this series we’ve done a lot with capturing packets and working with the capture object, but finally we’re going to get to the fun part and finally start playing with some PACKETS!!!!

When we have captured packets in a capture object, they are stored as a list of packet objects.  These packet objects will have methods and attributes that give us access to the header and payload info of each packet.  As stated in a previous post we have control for how much info about the packets we store in each packet option through the only_summaries argument in the LiveCapture and ReadCapture modules. Continue reading

PyShark – Using the capture Object

This entry is part 3 of 4 in the series Intro to PyShark

Before we get started you should read a few things in this post about the differences here between the current version of PyShark (0.3.3) and the documentation on the website. Everything I cover in this post will be things I’ve tested and confirmed work in the current version.

Now that we know how to use the FileCapture and LiveCapture modules to capture some packets, let’s see what options we have with the returned capture object (truncated list for brevity):

Continue reading

PyShark – FileCapture and LiveCapture modules

This entry is part 2 of 4 in the series Intro to PyShark

The two typical ways to start analyzing packets are via PyShark’s FileCapture and LiveCapture modules. The first will import packets from a saved capture file, and the latter will sniff from a network interface on the local machine. Running these modules will return a capture object which I will cover in depth in the next post. For now, let’s see what we can do with these two modules.

Both modules offer similar parameters that affect packets returned in the capture object. These definitions are taken directly out of the docstrings for these modules:

  • interface: [LiveCapture only] Name of the interface to sniff on. If not given, takes the first available.
  • bpf_filter: [LiveCapture only] A BPF (tcpdump) filter to apply on the cap before reading.
  • input_file: [FileCapture only] File path of the capture (PCAP, PCAPNG)
  • keep_packets: Whether to keep packets after reading them via next(). Used to conserve memory when reading large caps.
  • display_filter: A display (wireshark) filter to apply on the cap before reading it.
  • only_summaries: Only produce packet summaries, much faster but includes very little information.
  • decryption_key: Optional key used to encrypt and decrypt captured traffic.
  • encryption_type: Standard of encryption used in captured traffic (must be either ‘WEP’, ‘WPA-PWD’, or ‘WPA-PWK’. Defaults to WPA-PWK).

Continue reading

Intro to PyShark for Programmatic Packet Analysis

This entry is part 1 of 4 in the series Intro to PyShark

I can hardly believe it took me this long to find PyShark, but I am very glad I did! PyShark is a wrapper for the Wireshark CLI interface, tshark, so all of the Wireshark decoders are available to PyShark! It’s so amazing that I started a new project just so I could use this amazing new tool: Cloud-Pcap.

You can use PyShark to sniff from a interface or open a saved capture file, as the docs show on the overview page here:

Continue reading

Differences between PyShark 0.3.3 and Documentation

While working with Pyshark I’ve found that some of the documentation doesn’t quite line up so I’m writing this post to help people that might run into the same situation. The intro doc is found here and I’ll be comparing it to what actually happens when using the newest version (0.3.3) of Pyshark.

Continue reading