DGStar

Reputation: 27

How to access a packet arrival time field using pyshark?

I'm trying to access the arrival time field using pyshark with no success.

The first solution I thought of was obviously packet.frame.time, which generally looks like it is supposed to work, except I get:

raise AttributeError(f"No attribute named {item}")
AttributeError: No attribute named frame

even though all packets in my pcap file have this layer. Does anybody know how I can get around it?

Upvotes: 1

Views: 641

Answers (3)

Life is complex

Reputation: 15629

Here is some usage documentation that I developed for PyShark; I have been updating it for about 4 years.

With that being said...

Parsing a packet using PyShark has some difficulties if you don't know all the underlying syntax related to a specific part of the packet.

For example, the LiveCapture below shows the layers of each packet. You will not see anything related to Frame in these layers.

import pyshark

network_interface = 'your network interface'
capture = pyshark.LiveCapture(interface=network_interface)
try:
    # print the list of layers pyshark exposes for each captured packet
    for packet in capture:
        layers = packet.layers
        print(layers)

except AttributeError as error:
    print(error)

Print Output:

[<ETH Layer>, <IP Layer>, <TCP Layer>, <DATA Layer>, <TLS Layer>]
[<ETH Layer>, <IP Layer>, <TCP Layer>]
[<ETH Layer>, <IP Layer>, <TCP Layer>, <TLS Layer>]
[<ETH Layer>, <IP Layer>, <TCP Layer>, <DATA Layer>, <TLS Layer>]
[<ETH Layer>, <IP Layer>, <TCP Layer>, <TLS Layer>]
[<ETH Layer>, <IP Layer>, <TCP Layer>, <DATA Layer>, <TLS Layer>]

These packets do contain Frame information, which has to be accessed this way.

import pyshark

network_interface = 'your network interface'
capture = pyshark.LiveCapture(interface=network_interface)
try:
    # the Frame data is exposed as frame_info, not as a layer named frame
    for packet in capture:
        print(packet.frame_info)

except AttributeError as error:
    print(error)

Print Output:

Layer FRAME
:   Section number: 1
    Interface id: 0 (en0)
    Interface name: en0
    Interface description: Wi-Fi
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 16, 2024 10:14:09.164182000 EDT
    UTC Arrival Time: Jun 16, 2024 14:14:09.164182000 UTC
    Epoch Arrival Time: 1718547249.164182000
    Time shift for this packet: 0.000000000 seconds
    Time delta from previous captured frame: 0.000008000 seconds
    Time delta from previous displayed frame: 0.000008000 seconds
    Time since reference or first frame: 0.819306000 seconds
    Frame Number: 21
    Frame Length: 102 bytes (816 bits)
    Capture Length: 102 bytes (816 bits)
    Frame is marked: False
    Frame is ignored: False
    Protocols in frame: eth:ethertype:ip:udp:mdns

Here is one way that you can access the names and values within the Frame information.

import pyshark

network_interface = 'your network interface'
capture = pyshark.LiveCapture(interface=network_interface)
try:
    for packet in capture:
        # _all_fields maps each Frame field name to its value
        frame_fields = packet.frame_info._all_fields

        # enumerate the field names and field values
        for field_name, field_value in frame_fields.items():
            print(f'{field_name}:  {field_value}')

except AttributeError as error:
    print(error)

Print Output:

frame.section_number:  1
frame.interface_id:  0
frame.interface_name:  en0
frame.interface_description:  Wi-Fi
frame.encap_type:  1
frame.time:  Jun 16, 2024 10:20:41.924056000 EDT
frame.time_utc:  Jun 16, 2024 14:20:41.924056000 UTC
frame.time_epoch:  1718547641.924056000
frame.offset_shift:  0.000000000
frame.time_delta:  0.000000000
frame.time_delta_displayed:  0.000000000
frame.time_relative:  0.000000000
frame.number:  1
frame.len:  54
frame.cap_len:  54
frame.marked:  False
frame.ignored:  False
frame.protocols:  eth:ethertype:ip:tcp

Hopefully, this information helps you. I will update the usage documentation with this information.

Upvotes: 1

Kraigon

Reputation: 49

As suggested by Barmar, using dir(packet) will print you all the attributes you can use from this object.

frame_info is the attribute you're looking for, and if you do a dir() on it, you will get several time-related fields such as: time, time_delta, time_delta_displayed, time_epoch, time_relative.

Pick the one that best fits your needs and just call it like you did in the question but with frame_info:

packet.frame_info.time

Upvotes: 0
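
Added example (not part of any answer on this page): turning frame_info.time_epoch into exact integer nanoseconds and a UTC timestamp for a capture timeline, without going through float, which cannot hold all 19 digits. fake_packet and SAMPLE are constructed stand-ins so the block runs without tshark; with pyshark, pass a FileCapture to timeline() instead. It assumes time_epoch is a decimal-seconds string as in the output shown above.

```python
from datetime import datetime, timezone
from types import SimpleNamespace


def arrival_ns(packet):
    """Return the arrival time as integer nanoseconds since the Unix epoch.

    Reads packet.frame_info.time_epoch (a string such as
    '1718547641.924056000') and avoids float() so no digits are lost.
    """
    text = str(packet.frame_info.time_epoch)
    seconds, _, fraction = text.partition('.')
    # nine fractional digits are expected; pad or trim defensively
    fraction = (fraction + '000000000')[:9]
    return int(seconds) * 1_000_000_000 + int(fraction)


def arrival_utc(packet):
    """Return a timezone-aware UTC datetime (microsecond resolution)."""
    seconds, nanos = divmod(arrival_ns(packet), 1_000_000_000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(
        microsecond=nanos // 1000)


def timeline(packets):
    """Yield (frame number, UTC ISO timestamp, gap in ns to previous packet)."""
    previous = None
    for packet in packets:
        now = arrival_ns(packet)
        gap = 0 if previous is None else now - previous
        previous = now
        yield int(packet.frame_info.number), arrival_utc(packet).isoformat(), gap


def fake_packet(number, time_epoch):
    # Constructed stand-in exposing only the frame_info fields used above
    return SimpleNamespace(frame_info=SimpleNamespace(
        number=str(number), time_epoch=time_epoch))


# Constructed sample: epoch values copied from the outputs shown on this page
SAMPLE = [fake_packet(1, '1718547249.164182000'),
          fake_packet(2, '1718547641.924056000')]

if __name__ == '__main__':
    for row in timeline(SAMPLE):
        print(row)
```
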

ticktalk

Reputation: 922

Below is a rudimentary example to dump a capture; you can then (at least) examine the packet structures and apply the appropriate methods for accessing the fields you need. As mentioned, documentation should also be consulted.

cat dgstar.py
from pyshark import FileCapture
data=FileCapture(input_file='pcap.pcapng')

iters=1

for frame in data:
  print(f'packet {iters}:', frame)
  iters += 1
  if iters > 10:
    break

python3 dgstar.py
packet 1: Packet (Length: 218)
Layer ETH
:       Destination: ac:f8:cc:cb:c7:1e
        Address: ac:f8:cc:cb:c7:1e
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Source: 1c:c1:de:33:9d:9c
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Type: IPv4 (0x0800)
        Address: 1c:c1:de:33:9d:9c
Layer IP
:       0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 204
        Identification: 0x3b79 (15225)
        Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 64
        Protocol: UDP (17)
        Header checksum: 0x4765 [validation disabled]
        Header checksum status: Unverified
        Source: 192.168.0.17
        Destination: 217.146.92.247
Layer UDP
:       Source Port: 36963
        Destination Port: 51820
        Length: 184
        Checksum: 0xf80c [unverified]
        Checksum Status: Unverified
        Stream index: 0
        Timestamps
        Time since first frame: 0.000000000 seconds
        Time since previous frame: 0.000000000 seconds
Layer WG
:       Type: Transport Data (4)
        Reserved: 000000
        Receiver: 0x16ff7c22
        Counter: 9
        Encrypted Packet

...

Hopefully this is of some help.

Upvotes: 0
