fusingaardvark8

Reputation: 61

How to extract the payload of a packet using Pyshark

I am trying to read the payload of all packets in a .pcap file using Pyshark. I am able to open and read the file, access the packets and their other information, but I am not able to find the correct attribute/method to use to access the payload of a packet. Any suggestions? Is there any other way to read packet payloads in .pcap files using Python for Windows 10?

(I tried using Scapy instead of Pyshark, but apparently there is some issue with running Scapy on Windows; it does not work on my system either.)

I found these lines in different code snippets of pyshark projects on the Internet and on StackOverflow. I tried them but none of them work:

import pyshark
cap = pyshark.FileCapture('file.pcap')
pkt = cap[1]

#for other information
print(pkt.tcp.flags_ack) #this works
print(pkt.tcp.flags_syn) #this works
print(pkt.tcp.flags_fin) #this works

#for payload
print(pkt.tcp.data) #does not work, AttributeError
print(pkt.tcp.payload) #does not work, AttributeError
print(pkt.data.data) #does not work, AttributeError

Upvotes: 6

Views: 6934

Answers (3)

Adam Stepniak

Reputation: 877

In order to use that API you have to pass the appropriate parameter to the constructor of the 'FileCapture' class:

import pyshark
cap = pyshark.FileCapture('file.pcap', include_raw=True, use_json=True)
pkt = cap[1]

print(pkt.data.data) # Will work

'include_raw' is the key here, but 'use_json' is needed when 'include_raw' is used.

Upvotes: 1

Life is complex

Reputation: 15639

This code will print the value associated with the field name tcp.payload.

import pyshark

pcap_file = 'file.pcap'  # path to the capture to read
capture = pyshark.FileCapture(pcap_file, display_filter='tcp')
for packet in capture:
    # _all_fields maps field names to values; pair each name with its own value
    for field_name, field_value in packet.tcp._all_fields.items():
        if field_name == 'tcp.payload':
            print(f'{field_name} -- {field_value}')
capture.close()


# outputs 
tcp.payload -- \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7AP\xc2\xb7\xc2\xb7\xc2\xb7
tcp.payload -- 0x00001e2c
tcp.payload -- 113977858
...

Upvotes: 3

Aymen Lachkhem

Reputation: 1

dir cap[]. This one will give you all accessible attributes related to your capture; look there to see if there is a payload option.

Upvotes: -2
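
For the "any other way" part of the question, an added example (not from the question or any of the answers): a reader for classic .pcap files that uses only the Python standard library and returns each TCP payload as bytes. It assumes Ethernet/IPv4 frames without VLAN tags; the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magics (microsecond and nanosecond variants) -> byte order
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def tcp_payloads(pcap: bytes):
    """Return the TCP payload bytes of every Ethernet/IPv4/TCP packet."""
    endian = MAGICS.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    payloads, off = [], 24                      # 24-byte global header
    while off + 16 <= len(pcap):                # 16-byte record header
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # too short or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                # IP header length in bytes
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                            # not TCP or truncated
        data_off = (ip[ihl + 12] >> 4) * 4      # TCP header length in bytes
        # Stop at the IP total length so Ethernet padding is not
        # mistaken for payload.
        payloads.append(ip[ihl + data_off:total_len])
    return payloads

def sample_pcap() -> bytes:
    # Constructed capture: one segment with an HTTP request line and one
    # bare ACK followed by 6 bytes of Ethernet padding.
    def frame(payload, pad=b""):
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18,
                          8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                         6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        return b"\x02" * 12 + b"\x08\x00" + ip + tcp + pad
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(b"GET / HTTP/1.1\r\n"), frame(b"", pad=b"\x00" * 6)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for p in tcp_payloads(sample_pcap()):
        print(len(p), p)
```

For a real file, pass `open('file.pcap', 'rb').read()` to `tcp_payloads`.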
