How to write a pcap file with PyShark?

Question

I have a captured pcap file which I want to filter for a certain http host. Because I not only want the http packets I search first for the http streams and save their stream numbers. In a second step I filter the pcap file for these found stream numbers.

Here ist what I do:

import pyshark 
INFILE = './xy_2017-03-30.pcapng'
def get_http_streams(host):
pcap = pyshark.FileCapture(INFILE, only_summaries=False, display_filter=f'http.host contains "{host}"')
streams = set()
for p in pcap:
stream_nr = int(p.tcp.stream)
streams.add(stream_nr)
print()
print(f'Found {len(streams)} "{host}" streams.')
return streams
s = get_http_streams('google')
pcap = pyshark.FileCapture(INFILE)
pkt_list = []
print('Filtering…')
for i, p in enumerate(pcap):
try:
stream_nr = int(p.tcp.stream)
except AttributeError:
stream_nr = -1
if stream_nr in s:
pkt_list.append(p)
—————————————————————————–
How to write a pcap file now? pyshark.WriteFile(pkt_list, 'result.pcap') ?!
—————————————————————————–
print('END')

Now I have a list with the filtered packets. How would I write them out now to a new pcap file?

Thanks for any help!

Regards, Marcel

BTW: The captured pcap files are big (> 300 MB). Scapy eats all my memory while reading…

Answer 1

0

I don't think saving a capture is supported. Regardless, pyshark is not part of the Wireshark project so you'll find support for pyshark over here.

answered 24 May '17, 05:48

grahamb ♦
19.8k●3●30●206
accept rate: 22%

Thanks for your quick reply! I saw other questions with PyShark and therefore tried to ask here. Will open an issue.

Do you think what I try so achieve would be possible with tshark alone?

(24 May '17, 05:54) mluethi

Not with tshark alone, you'll need some external scripting tool. The basic approach looks good, filter on the host required outputting the stream index (-T fields -e tcp.stream), then re-filter with those streams.

(24 May '17, 06:17) grahamb ♦