Pyshark to Analyze Wireshark Decodes With Python

Wireshark is a great tool and sometimes I wonder if I use it more often than a word processor. It’s great to analyze things manually in real time or from saved packet captures after the fact. On top of that wouldn’t it be great if you could analyze network packets in your own code and act when a defined set of conditions are met? For a long time I thought that this would be a lot of hassle to pull off but it’s actually a lot easier than I thought.

Recently, a colleague of mine introduced me to pyshark, a wrapper for Wireshark’s command line companion tshark. Pyshark makes it almost trivial to analyze network traffic in Python as everything Wireshark decodes in each packet is made available as a variable!

Here’s a simple example taken from pyshark’s Github page that shows how the Python command line interpreter (I used python3 and not the older python 2.x) can be used to access packets in a pcap file:

>>> import pyshark
>>> cap = pyshark.FileCapture('/tmp/mycapture.cap')
>>> cap
<FileCapture /tmp/mycapture.cap (589 packets)>
>>> print cap[0]
Packet (Length: 698)
Layer ETH:
 Destination: BLANKED
 Source: BLANKED
 Type: IP (0x0800)
Layer IP:
 Version: 4
 Header Length: 20 bytes
 Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
 Total Length: 684
[...]

Three commands and you are there. Incredible! It’s also possible to analyze network traffic in real time in exactly the same way by sniffing on a live network interface on the machine instead of specifying a capture file.

Since I don’t use Python every day, it took me a while to find out how to get the object and variable names that are generated for each packet to access their contents as the print command above only prints the content but not the variable names. Eventually I found out that a combination of ‘pprint’ and ‘vars’ does the trick. Here’s how the commands look like to get all objects/variables for the udp part of the 3rd packet of a capture that is accessed with the commands above:

>>> from pprint import pprint
>>> pprint(vars(cap[3].udp))
{'_all_fields': {'udp.checksum': '0x0000e99e',
                 'udp.checksum_bad': '0',
                 'udp.checksum_good': '0',
                 'udp.dstport': '6000',
                 'udp.length': '7611',
                 'udp.port': '5064',
                 'udp.srcport': '5064',
                 'udp.stream': '0'},
 '_layer_name': 'udp',
 'raw_mode': False}

In your own code, the UDP destination port of that packet can then be accessed via cap[3].udp.dstport. Getting the variable used to describe the content of other layers works in the same way.

It’s going to be fun to explore this further!