How to capture Some IP traffic with PyShark
I'm trying to create a script that should parse .PCAP file and extract data from Some IP packets. I enabled the Some IP packets capturing in Wireshark via Wireshark GUI and that's is why (I believe) the script seem to work on local Host. But when I try the same script on remote server (no UI, same TShark/Wireshark, PyShark versions) it fails to capture Some IP packets. If to change
cap = pyshark.FileCapture(file, display_filter=filter)
to, for instance,
cap = pyshark.FileCapture(file, display_filter=filter, decode_as={'udp.port==30000': 'someip'})
then it can capture the Some IP traffic on port 30000. But The problem is that not in all .PCAP files Some IP traffic generated on the same port.
If to use workaround to handle all UDP traffic as Some IP traffic:
def get_someip_ports(pcap_file):
# Allows to detect all the UDP ports to handle SomeIP packets correctly
cap = pyshark.FileCapture(pcap_file, display_filter="udp")
ports = set()
for packet in cap:
try:
if hasattr(packet.udp, "port"):
ports.add(packet.udp.port)
except AttributeError:
continue
cap.close()
return list(ports) # Return list of detected UDP ports
someip_ports = get_someip_ports(file)
decode_map = {f'udp.port=={port}': 'someip' for port in someip_ports}
cap = pyshark.FileCapture(file, display_filter=filter, decode_as=decode_map)
it takes forever to complete...
Is there easier way to enable Some IP traffic capturing with no access to Wireshark GUI? Maybe some config files or additional pyshark settings?
The issue seem to be fixed with the following code line:
cap = pyshark.FileCapture(file,
display_filter=filter,
custom_parameters={"--enable-protocol": "someip",
"--enable-heuristic": "someip_udp_heur"})
These additional custom_parameters do the same as if to set in Wireshark the following:
- Capture ssl, decode it, and save raw output
- Using Tshark in compiled python exe
- Checking if pcap file is damaged (with tshark or possibly something else)
- How to capture Some IP traffic with PyShark
- Powershell has a problem escaping double quotes in tshark
- Comma separated IP addresses in TShark output
- Merging/appending multiple pcap files to an existing one without overwriting
- Converting pcap format from LINKTYPE_LINUX_SSL to LINKTYPE_ETHERNET
- Azure functions read, process and save file on arrival in blob
- what is the correct tshark capture filter option for the DHCP frame?
- Performance and efficiency comparing between dump tools: tcpdump, tshark, dumpcap
- What are the meanings of the TShark tcp.flags.str labels?
- How to capture live packet count from tshark's stderr?
- How can I configure tshark to parse all BitTorrent messages in the way that Wireshark does?
- multiple pcap files to csv
- How to change a Lua Script designed for Wireshark so it works with Tshark?
- Python File Writing Requires Manual Program Interruption for Completion
- Some fields are empty when using tshark convert to csv
- read domain name from pcapng file
- How to create an audio file from a Pcap file with Tshark?
- Print the "showname" field attribute in tshark
- Line manipulation & sorting
- Understanding [TCP ACKed unseen segment] [TCP Previous segment not captured]
- How To Extract The Name of the Level 7 HTTP2 Application in Tshark
- How do I check if an IP address appears in a PCAP file?
- How can I output packets ASCII on each line? TSHARK AWK DOS
- Exporting encrypted SNMPv3 traps to JSON with TShark
- tshark with --export-dicom gives “Segmentation fault (core dumped)”
- Tshark captures on remote server with foreach -parallel loop on powershell
- pyshark.tshark.tshark.TSharkNotFoundException: TShark not found