{"id":13668277,"url":"https://github.com/KimiNewt/pyshark","last_synced_at":"2025-04-26T22:30:46.077Z","repository":{"id":12818617,"uuid":"15493723","full_name":"KimiNewt/pyshark","owner":"KimiNewt","description":"Python wrapper for tshark, allowing python packet parsing using wireshark dissectors","archived":false,"fork":false,"pushed_at":"2024-08-10T06:39:53.000Z","size":609,"stargazers_count":2232,"open_issues_count":124,"forks_count":422,"subscribers_count":77,"default_branch":"master","last_synced_at":"2024-10-29T11:27:18.712Z","etag":null,"topics":["capture-packets","packet-capture","python","tshark","wireshark"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/KimiNewt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-12-28T14:38:22.000Z","updated_at":"2024-10-29T05:37:12.000Z","dependencies_parsed_at":"2023-01-13T17:09:16.707Z","dependency_job_id":"d4d8a077-d8d0-4e9b-ad8c-8ad4168ff2c1","html_url":"https://github.com/KimiNewt/pyshark","commit_stats":{"total_commits":415,"total_committers":77,"mean_commits":"5.3896103896103895","dds":0.7132530120481928,"last_synced_commit":"e7da5667b8587f1b59145a86356615f93d0e8495"},"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KimiNewt%2Fpyshark","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KimiNewt%2Fpyshark/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KimiNewt%2Fpyshark/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KimiNewt%2Fpyshark/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/KimiNewt","download_url":"https://codeload.github.com/KimiNewt/pyshark/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224048653,"owners_count":17247061,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capture-packets","packet-capture","python","tshark","wireshark"],"created_at":"2024-08-02T08:00:28.793Z","updated_at":"2024-11-11T04:30:56.634Z","avatar_url":"https://github.com/KimiNewt.png","language":"Python","funding_links":[],"categories":["Network and Middleware","Python生态圈Dev\u0026Ops工具与服务","Python","System","📚 فهرست"],"sub_categories":["Ethernet and Wireless Networking","Network and Middleware","شبکه"],"readme":"# pyshark\r\n\r\nPython wrapper for tshark, allowing python packet parsing using wireshark dissectors.\r\n\r\nExtended documentation: http://kiminewt.github.io/pyshark\r\n\r\n**Looking for contributors** - for various reasons I have a hard time finding time to maintain and enhance the package at the moment. Any pull-requests will be reviewed and if any one is interested and is suitable, I will be happy to include them in the project. Feel free to mail me at dorgreen1 at gmail.\r\n\r\nThere are quite a few python packet parsing modules, this one is different because it doesn't actually parse any packets, it simply uses tshark's (wireshark command-line utility) ability to export XMLs to use its parsing.\r\n\r\nThis package allows parsing from a capture file or a live capture, using all wireshark dissectors you have installed.\r\nTested on windows/linux.\r\n\r\n## Installation\r\n\r\n### Version support\r\nPython 3.7+ is supported. An unsupported Python 2 version exists as [pyshark-legacy](https://github.com/KimiNewt/pyshark-legacy).\r\n\r\nSupports all modern versions of tshark / wireshark but certain features may be unavailable on older versions.\r\n\r\n### All Platforms\r\nSimply run the following to install the latest from pypi\r\n```bash\r\npip install pyshark\r\n```\r\n\r\nOr install from the git repository:\r\n```bash\r\ngit clone https://github.com/KimiNewt/pyshark.git\r\ncd pyshark/src\r\npython setup.py install\r\n```\r\n\r\n\r\n### Mac OS X\r\nYou may have to install libxml which can be unexpected.  If you receive an error from clang or an error message about libxml, run the following:\r\n```bash\r\nxcode-select --install\r\npip install libxml\r\n```\r\nYou will probably have to accept a EULA for XCode so be ready to click an \"Accept\" dialog in the GUI.\r\n\r\n\r\n\r\n## Usage\r\n\r\n### Reading from a capture file:\r\n\r\n```python\r\n\u003e\u003e\u003e import pyshark\r\n\u003e\u003e\u003e cap = pyshark.FileCapture('/tmp/mycapture.cap')\r\n\u003e\u003e\u003e cap\r\n\u003cFileCapture /tmp/mycapture.cap (589 packets)\u003e\r\n\u003e\u003e\u003e print cap[0]\r\nPacket (Length: 698)\r\nLayer ETH:\r\n        Destination: BLANKED\r\n        Source: BLANKED\r\n        Type: IP (0x0800)\r\nLayer IP:\r\n        Version: 4\r\n        Header Length: 20 bytes\r\n        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))\r\n        Total Length: 684\r\n        Identification: 0x254f (9551)\r\n        Flags: 0x00\r\n        Fragment offset: 0\r\n        Time to live: 1\r\n        Protocol: UDP (17)\r\n        Header checksum: 0xe148 [correct]\r\n        Source: BLANKED\r\n        Destination: BLANKED\r\n  ...\r\n```\r\n\r\n#### Other options\r\n\r\n* **param keep_packets**: Whether to keep packets after reading them via next().\r\nUsed to conserve memory when reading large caps.\r\n* **param input_file**: Either a path or a file-like object containing either a\r\npacket capture file (PCAP, PCAP-NG..) or a TShark xml.\r\n* **param display_filter**: A display (wireshark) filter to apply on the cap\r\nbefore reading it.\r\n* **param only_summaries**: Only produce packet summaries, much faster but includes\r\nvery little information\r\n* **param disable_protocol**: Disable detection of a protocol (tshark \u003e version 2)\r\n* **param decryption_key**: Key used to encrypt and decrypt captured traffic.\r\n* **param encryption_type**: Standard of encryption used in captured traffic (must\r\nbe either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK.\r\n* **param tshark_path**: Path of the tshark binary\r\n\r\n### Reading from a live interface:\r\n\r\n```python\r\n\u003e\u003e\u003e capture = pyshark.LiveCapture(interface='eth0')\r\n\u003e\u003e\u003e capture.sniff(timeout=50)\r\n\u003e\u003e\u003e capture\r\n\u003cLiveCapture (5 packets)\u003e\r\n\u003e\u003e\u003e capture[3]\r\n\u003cUDP/HTTP Packet\u003e\r\n\r\nfor packet in capture.sniff_continuously(packet_count=5):\r\n    print('Just arrived:', packet)\r\n```\r\n\r\n#### Other options\r\n\r\n* **param interface**: Name of the interface to sniff on. If not given, takes\r\nthe first available.\r\n* **param bpf_filter**: BPF filter to use on packets.\r\n* **param display_filter**: Display (wireshark) filter to use.\r\n* **param only_summaries**: Only produce packet summaries, much faster but\r\nincludes very little information\r\n* **param disable_protocol**: Disable detection of a protocol (tshark \u003e version 2)\r\n* **param decryption_key**: Key used to encrypt and decrypt captured traffic.\r\n* **param encryption_type**: Standard of encryption used in captured traffic\r\n(must be either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK).\r\n* **param tshark_path**: Path of the tshark binary\r\n* **param output_file**: Additionally save captured packets to this file.\r\n\r\n### Reading from a live interface using a ring buffer\r\n```python\r\n\u003e\u003e\u003e capture = pyshark.LiveRingCapture(interface='eth0')\r\n\u003e\u003e\u003e capture.sniff(timeout=50)\r\n\u003e\u003e\u003e capture\r\n\u003cLiveCapture (5 packets)\u003e\r\n\u003e\u003e\u003e capture[3]\r\n\u003cUDP/HTTP Packet\u003e\r\n\r\nfor packet in capture.sniff_continuously(packet_count=5):\r\n    print('Just arrived:', packet)\r\n```\r\n\r\n#### Other options\r\n* **param ring_file_size**: Size of the ring file in kB, default is 1024\r\n* **param num_ring_files**: Number of ring files to keep, default is 1\r\n* **param ring_file_name**: Name of the ring file, default is /tmp/pyshark.pcap\r\n* **param interface**: Name of the interface to sniff on. If not given, takes\r\nthe first available.\r\n* **param bpf_filter**: BPF filter to use on packets.\r\n* **param display_filter**: Display (wireshark) filter to use.\r\n* **param only_summaries**: Only produce packet summaries, much faster but\r\nincludes very little information\r\n* **param disable_protocol**: Disable detection of a protocol (tshark \u003e version 2)\r\n* **param decryption_key**: Key used to encrypt and decrypt captured traffic.\r\n* **param encryption_type**: Standard of encryption used in captured traffic\r\n(must be either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK).\r\n* **param tshark_path**: Path of the tshark binary\r\n* **param output_file**: Additionally save captured packets to this file.\r\n\r\n### Reading from a live remote interface:\r\n\r\n```python\r\n\u003e\u003e\u003e capture = pyshark.RemoteCapture('192.168.1.101', 'eth0')\r\n\u003e\u003e\u003e capture.sniff(timeout=50)\r\n\u003e\u003e\u003e capture\r\n```\r\n\r\n#### Other options\r\n\r\n* **param remote_host**: The remote host to capture on (IP or hostname).\r\nShould be running rpcapd.\r\n* **param remote_interface**: The remote interface on the remote machine to\r\ncapture on. Note that on windows it is not the device display name but the\r\ntrue interface name (i.e. \\\\Device\\\\NPF_..).\r\n* **param remote_port**: The remote port the rpcapd service is listening on\r\n* **param bpf_filter**: A BPF (tcpdump) filter to apply on the cap before\r\nreading.\r\n* **param only_summaries**: Only produce packet summaries, much faster but\r\nincludes very little information\r\n* **param disable_protocol**: Disable detection of a protocol (tshark \u003e version 2)\r\n* **param decryption_key**: Key used to encrypt and decrypt captured traffic.\r\n* **param encryption_type**: Standard of encryption used in captured traffic\r\n(must be either 'WEP', 'WPA-PWD', or 'WPA-PWK'. Defaults to WPA-PWK).\r\n* **param tshark_path**: Path of the tshark binary\r\n\r\n### Accessing packet data:\r\n\r\nData can be accessed in multiple ways.\r\nPackets are divided into layers, first you have to reach the appropriate layer and then you can select your field.\r\n\r\nAll of the following work:\r\n\r\n```python\r\n\u003e\u003e\u003e packet['ip'].dst\r\n192.168.0.1\r\n\u003e\u003e\u003e packet.ip.src\r\n192.168.0.100\r\n\u003e\u003e\u003e packet[2].src\r\n192.168.0.100\r\n```\r\n\r\nTo test whether a layer is in a packet, you can use its name:\r\n\r\n```python\r\n\u003e\u003e\u003e 'IP' in packet\r\nTrue\r\n```\r\n\r\nTo see all possible field names, use the `packet.layer.field_names` attribute (i.e. `packet.ip.field_names`) or the autocomplete function on your interpreter.\r\n\r\nYou can also get the original binary data of a field, or a pretty description of it:\r\n\r\n```python\r\n\u003e\u003e\u003e p.ip.addr.showname\r\nSource or Destination Address: 10.0.0.10 (10.0.0.10)\r\n# And some new attributes as well:\r\n\u003e\u003e\u003e p.ip.addr.int_value\r\n167772170\r\n\u003e\u003e\u003e p.ip.addr.binary_value\r\nb'\\n\\x00\\x00\\n'\r\n```\r\n\r\n\r\n### Decrypting packet captures\r\n\r\nPyshark supports automatic decryption of traces using the WEP, WPA-PWD, and WPA-PSK standards (WPA-PWD is the default).\r\n\r\n```python\r\n\u003e\u003e\u003e cap1 = pyshark.FileCapture('/tmp/capture1.cap', decryption_key='password')\r\n\u003e\u003e\u003e cap2 = pyshark.LiveCapture(interface='wi0', decryption_key='password', encryption_type='wpa-psk')\r\n```\r\n\r\nA tuple of supported encryption standards, SUPPORTED_ENCRYPTION_STANDARDS,\r\nexists in each capture class.\r\n\r\n```python\r\n\u003e\u003e\u003e pyshark.FileCapture.SUPPORTED_ENCRYPTION_STANDARDS\r\n('wep', 'wpa-pwd', 'wpa-psk')\r\n\u003e\u003e\u003e pyshark.LiveCapture.SUPPORTED_ENCRYPTION_STANDARDS\r\n('wep', 'wpa-pwd', 'wpa-psk')\r\n```\r\n\r\n### Reading from a file using a display filter\r\n\r\nPyshark display filters can be helpful in analyzing application focused traffic.\r\nBPF filters do not offer as much flexibility as Wireshark's display filters.\r\n\r\n```python\r\n\u003e\u003e\u003e cap1 = pyshark.FileCapture('/tmp/capture1.cap', display_filter=\"dns\")\r\n\u003e\u003e\u003e cap2 = pyshark.LiveCapture(interface='en0', display_filter=\"tcp.analysis.retransmission\")\r\n```\r\n## License\r\nThis project is licensed under MIT. Contributions to this project are accepted under the same license. \r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKimiNewt%2Fpyshark","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FKimiNewt%2Fpyshark","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKimiNewt%2Fpyshark/lists"}