How to read pcapng (wireshark) files in Python?

I have a capture of some TCP packets in pcapng format and I'd like to open it in python to inspect the TCP payloads with address 192.168.1.198. I've only found this library: https://python-pcapng.readthedocs.io/en/latest/api/blocks.html but it does not support inspecting TCP payloads.

Is there an easy way?

Perform answered 16/8, 2020 at 20:48 Comment(2)
pyshark? - Scruffy
scapy? Apart from that: you ask about reading pcapng. You don't ask about reading pcapng and also do more (somehow inspect TCP payloads) - yet you complain that the one you've found does not support this additional requirement. - Emanuel
A
6

You can use the python-pcapng package. First install the python-pcapng package with the following command.

pip install python-pcapng

Then use the following sample code.

from pcapng import FileScanner

with open(r'C:\Users\zahangir\Downloads\MDS19 Wireshark Log 08072021.pcapng', 'rb') as fp:
    scanner = FileScanner(fp)
    for block in scanner:
        print(block)
        print(block._raw)  # raw bytes of the block

The above code worked for me.

Reference: https://pypi.org/project/python-pcapng/

Antietam answered 8/7, 2021 at 4:55 Comment(3)
This does not work for me.
$ pip install pcapng
Requirement already satisfied: pcapng in /home/bryan/.local/lib/python3.8/site-packages (0.1.25)
$ python ./ReadWireSharkPoC.py
Traceback (most recent call last):
  File "./ReadWireSharkPoC.py", line 1, in <module>
    from pcapng import FileScanner
ImportError: cannot import name 'FileScanner' from 'pcapng' (/home/bryan/.local/lib/python3.8/site-packages/pcapng/__init__.py)
- Supporting
notice the package name is python-pcapng so pip install python-pcapng - Maighdiln
how do I get packet tuples from these blocks? - Maighdiln
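
For the follow-up about packet tuples and the question's goal of TCP payloads for 192.168.1.198, here is an added example (not code from the answer or from python-pcapng) that walks the pcapng blocks with the standard library and decodes Ethernet/IPv4/TCP. The function names and the one-packet sample capture are constructed for illustration; it assumes a little-endian file and an Ethernet link type.

```python
import io, socket, struct

def iter_frames(fp):
    """Yield packet bytes from each Enhanced Packet Block of a little-endian pcapng stream."""
    while len(head := fp.read(8)) == 8:
        btype, total = struct.unpack("<II", head)
        body = fp.read(total - 12)
        fp.read(4)  # trailing copy of the block length
        if btype == 0x0A0D0D0A and body[:4] != struct.pack("<I", 0x1A2B3C4D):
            raise ValueError("big-endian or corrupt section header")
        if btype == 1 and struct.unpack_from("<H", body)[0] != 1:
            raise ValueError("interface link type is not Ethernet")
        if btype == 6:  # Enhanced Packet Block: 20 fixed bytes, then the captured frame
            caplen = struct.unpack_from("<I", body, 12)[0]
            yield body[20:20 + caplen]

def tcp_payload(frame, addr):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame to or from addr, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # too short, or EtherType is not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6:  # not IPv4, bad header length, or not TCP
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len or None]  # cut Ethernet padding; 0 means the length was offloaded
    if addr not in (src, dst) or len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp)
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]

def payloads_for(fp, addr):
    """Collect the decoded TCP segments that involve addr."""
    return [hit for hit in (tcp_payload(f, addr) for f in iter_frames(fp)) if hit]

def block(btype, body):
    body += b"\0" * (-len(body) % 4)  # block bodies are padded to 32 bits
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)

def sample_capture():
    """Constructed one-packet capture: 192.168.1.198:50000 -> 192.168.1.10:80 carrying b'GET /'."""
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1, 0, 5 << 4, 0x18, 1024, 0, 0) + b"GET /"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.168.1.198"), socket.inet_aton("192.168.1.10"))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp
    return io.BytesIO(block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
                      + block(1, struct.pack("<HHI", 1, 0, 65535))
                      + block(6, struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame)) + frame))
```

With python-pcapng installed, tcp_payload can instead be fed the packet_data of each EnhancedPacket block that FileScanner yields. Neither path reassembles IP fragments or TCP streams.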
