pythonnetwork-programmingpcaptsharkpyshark

Pyshark get specific protocol name not just TCP/UDP


I'm building a tool to inspect PCAP files using PyShark, however am struggling to extract the specific protocols from the packets (e.g. SSH, MQTT, ARP) rather than just TCP or UDP.

I'm wondering if anyone has experience with this? I've tried packet.ip.proto but that just returns TCP and UDP ID numbers, not names such as SSH or ARP.

I'm trying to get the same information as Wireshark shows in the below example: enter image description here

Thanks!


Solution

  • Think I've figured it out. Looks like each specific type of protocol adds its own layer to the packet, so by printing out all the layers in a packet, you can identify any non-standard layers.

    with pyshark.FileCapture(TEST_FILE) as cap:
        for i, pkt in enumerate(cap):
            print(pkt.layers)
    

    Output:

    [<ETH Layer>, <IP Layer>, <TCP Layer>, <SYNERGY Layer>]
    [<ETH Layer>, <IP Layer>, <TCP Layer>, <SYNERGY Layer>]
    [<ETH Layer>, <IP Layer>, <TCP Layer>, <SYNERGY Layer>]
    [<ETH Layer>, <IP Layer>, <TCP Layer>]
    [<ETH Layer>, <IP Layer>, <TCP Layer>, <SSH Layer>]
    [<ETH Layer>, <IP Layer>, <TCP Layer>, <SSH Layer>]
    [<ETH Layer>, <IP Layer>, <TCP Layer>, <SSH Layer>]
    

    You can get a usable list of the layer names like so:

    with pyshark.FileCapture(TEST_FILE) as cap:
        for i, pkt in enumerate(cap):
            try:
                print([pkt.layers[i].layer_name for i, lay in enumerate(pkt.layers)])
            except AttributeError as ex:
                print(ex)
    

    Output:

    ['eth', 'ip', 'tcp', 'synergy']
    ['eth', 'ip', 'tcp', 'synergy']
    ['eth', 'ip', 'tcp', 'synergy']
    ['eth', 'ip', 'tcp']
    ['eth', 'ip', 'tcp', 'ssh']
    ['eth', 'ip', 'tcp', 'ssh']
    ['eth', 'ip', 'tcp', 'ssh']