This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to write a pcap file with PyShark?

0

I have a captured pcap file which I want to filter for a certain http host. Because I not only want the http packets, I first search for the http streams and save their stream numbers. In a second step I filter the pcap file for these found stream numbers.

Here is what I do:


import pyshark

INFILE = './xy_2017-03-30.pcapng'

def get_http_streams(host):
    # First pass: only packets whose http.host contains the wanted host,
    # collecting the TCP stream index of each one.
    pcap = pyshark.FileCapture(INFILE, only_summaries=False,
                               display_filter=f'http.host contains "{host}"')
    streams = set()
    for p in pcap:
        stream_nr = int(p.tcp.stream)
        streams.add(stream_nr)
    pcap.close()  # stop the tshark process pyshark spawned
    print()
    print(f'Found {len(streams)} "{host}" streams.')
    return streams

s = get_http_streams('google')
pcap = pyshark.FileCapture(INFILE)

# Second pass: keep every packet belonging to one of the found streams.
# Frames without a TCP layer have no p.tcp and raise AttributeError.
pkt_list = []
print('Filtering…')
for p in pcap:
    try:
        stream_nr = int(p.tcp.stream)
    except AttributeError:
        stream_nr = -1
    if stream_nr in s:
        pkt_list.append(p)

# ---------------------------------------------------------------
# How to write a pcap file now? pyshark.WriteFile(pkt_list, 'result.pcap') ?!
# ---------------------------------------------------------------

print('END')

Now I have a list with the filtered packets. How would I write them out now to a new pcap file?

Thanks for any help!

Regards, Marcel

BTW: The captured pcap files are big (> 300 MB). Scapy eats all my memory while reading…

asked 24 May '17, 05:38

mluethi
accept rate: 0%

edited 24 May '17, 05:40


One Answer:

0

I don't think saving a capture is supported. Regardless, pyshark is not part of the Wireshark project so you'll find support for pyshark over here.

answered 24 May '17, 05:48

grahamb ♦
accept rate: 22%

Thanks for your quick reply! I saw other questions with PyShark and therefore tried to ask here. Will open an issue.

Do you think what I try to achieve would be possible with tshark alone?

(24 May '17, 05:54) mluethi

Not with tshark alone, you'll need some external scripting tool. The basic approach looks good, filter on the host required outputting the stream index (-T fields -e tcp.stream), then re-filter with those streams.

(24 May '17, 06:17) grahamb ♦
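The two-pass approach grahamb outlines, driven from Python, as an added example (this is not code from the question, the answer, or the pyshark project). It assumes tshark is on PATH, that the input file, output file and host name are the ones from the question, and the function names are my own. Pass 1 runs tshark with `-T fields -e tcp.stream` on the http.host filter, pass 2 re-reads the capture with a `tcp.stream in {...}` filter and lets tshark itself write the matching packets with `-w`, which is the piece pyshark does not offer. Because tshark streams through the file, the script never holds the packets in memory, which also sidesteps the Scapy memory problem mentioned in the question.

```python
#!/usr/bin/env python3
"""Two-pass tshark extraction: find the TCP streams whose HTTP requests name a
host, then write every packet of those streams to a new pcap.

Added example, not code from the question or from pyshark. Paths, host and
function names are assumptions; tshark must be on PATH for the two passes."""
import shutil
import subprocess
from typing import Iterable, Set


def parse_stream_ids(fields_output: str) -> Set[int]:
    """Turn the text that `tshark -T fields -e tcp.stream` prints (one stream
    index per matching packet, possibly repeated, blank for frames without a
    TCP layer) into a set of stream indexes."""
    streams = set()
    for line in fields_output.splitlines():
        line = line.strip()
        if line:                      # skip blank lines from non-TCP frames
            streams.add(int(line))
    return streams


def build_stream_filter(streams: Iterable[int]) -> str:
    """Display filter matching all packets of the given streams, using the
    set-membership operator, e.g. 'tcp.stream in {3 7 12}'."""
    ids = sorted(set(streams))
    if not ids:
        raise ValueError('no streams to filter on')
    return 'tcp.stream in {' + ' '.join(str(i) for i in ids) + '}'


def host_filter(host: str) -> str:
    """Display filter for the first pass. A double quote or backslash in the
    host would break the quoted string, so refuse it instead of escaping."""
    if '"' in host or '\\' in host:
        raise ValueError('host must not contain quotes or backslashes')
    return f'http.host contains "{host}"'


def _tshark(*args: str) -> subprocess.CompletedProcess:
    """Run tshark with the given arguments and fail loudly if it is missing."""
    if shutil.which('tshark') is None:
        raise FileNotFoundError('tshark not found on PATH')
    return subprocess.run(['tshark', *args], check=True,
                          capture_output=True, text=True)


def find_http_streams(infile: str, host: str) -> Set[int]:
    """Pass 1: stream indexes of packets whose http.host contains `host`."""
    out = _tshark('-r', infile, '-Y', host_filter(host),
                  '-T', 'fields', '-e', 'tcp.stream')
    return parse_stream_ids(out.stdout)


def write_streams(infile: str, streams: Iterable[int], outfile: str) -> None:
    """Pass 2: re-read the capture and let tshark write the matching packets.
    -F pcap forces classic pcap output even when the input is pcapng."""
    _tshark('-r', infile, '-Y', build_stream_filter(streams),
            '-F', 'pcap', '-w', outfile)


if __name__ == '__main__':
    INFILE = './xy_2017-03-30.pcapng'   # assumed path, as in the question
    OUTFILE = './result.pcap'           # assumed output path
    found = find_http_streams(INFILE, 'google')
    print(f'Found {len(found)} "google" streams.')
    if found:
        write_streams(INFILE, found, OUTFILE)
        print(f'Wrote {OUTFILE}')
```

The same two commands can be typed by hand without the script: `tshark -r in.pcapng -Y 'http.host contains "google"' -T fields -e tcp.stream | sort -un` for the stream list, then `tshark -r in.pcapng -Y 'tcp.stream in {...}' -F pcap -w result.pcap` with that list pasted into the braces. The script only adds the de-duplication, the empty-result check and the refusal of a host string that would break the quoted filter.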