Basic Usage
PyShark has several capture modes to process and dissect packet data. These modes are FileCapture, LiveCapture, RemoteCapture, InMemCapture and PipeCapture. Each capture mode has various filters that can be applied to the packets being collected.
FileCapture Usage
FileCapture is designed to read and process data from a packet capture (PCAP) file.
import pyshark
capture = pyshark.FileCapture(input_file='your pcap file')
for packet in capture:
    # do something with the packet
    print(packet)
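The following is an added example, not code from the PyShark project or from this page's author. It applies a display filter to a FileCapture so that only DNS queries are dissected, then counts the queried names per source address. The function names `tally_dns_queries` and `dns_queries_from_pcap` and the chosen filter are assumptions made for illustration, and running it requires PyShark and tshark to be installed.

```python
from collections import Counter, defaultdict


def tally_dns_queries(packets):
    """Count DNS query names per source address from an iterable of packets."""
    per_host = defaultdict(Counter)
    for packet in packets:
        dns = getattr(packet, 'dns', None)
        # IPv4 and IPv6 are separate layers, so try both.
        ip = getattr(packet, 'ip', None)
        if ip is None:
            ip = getattr(packet, 'ipv6', None)
        name = getattr(dns, 'qry_name', None)
        if ip is None or name is None:
            continue  # no IP layer, or no DNS query name in this packet
        # Normalise case and the trailing root dot so equal names count together.
        per_host[str(ip.src)][str(name).lower().rstrip('.')] += 1
    return per_host


def dns_queries_from_pcap(path):
    """Read only DNS queries from a capture file and tally them."""
    import pyshark  # imported here so the tally logic runs without tshark

    capture = pyshark.FileCapture(
        input_file=path,
        display_filter='dns.flags.response == 0',  # queries only
        keep_packets=False,  # do not hold every packet in memory
    )
    try:
        return tally_dns_queries(capture)
    finally:
        capture.close()  # stop the tshark subprocess


if __name__ == '__main__':
    # 'your pcap file' is the same placeholder path used on this page.
    for host, names in dns_queries_from_pcap('your pcap file').items():
        for name, count in names.most_common(5):
            print(host, name, count)
```
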
LiveCapture Usage
LiveCapture is designed to perform a live capture from a network interface.
import pyshark
capture = pyshark.LiveCapture(interface='your capture interface')
for packet in capture:
    # do something with the packet
    print(packet)
RemoteCapture Usage
RemoteCapture is designed to perform a live capture from a network interface on a remote machine that has an rpcapd service running.
import pyshark
capture = pyshark.RemoteCapture(remote_host='192.168.1.1', remote_interface='eth0')
for packet in capture:
    # do something with the packet
    print(packet)
LiveRingCapture Usage
LiveRingCapture is designed to perform a live capture from a network interface.
import pyshark
capture = pyshark.LiveRingCapture(interface='your capture interface')
for packet in capture:
    # do something with the packet
    print(packet)
InMemCapture Usage
InMemCapture is designed to perform a live capture directly in memory instead of saving the packets to a file. This capture method can be useful for real-time packet analysis or when you want to process packets as soon as they are captured.
import pyshark
capture = pyshark.InMemCapture()
for packet in capture:
    # do something with the packet
    print(packet)
PipeCapture Usage
PipeCapture is designed to perform a capture from a named pipe rather than directly from a network interface or a file. A named pipe is a special file that is used to transfer data between unrelated processes. Here is a Microsoft reference on named pipes.
import pyshark
capture = pyshark.PipeCapture(pipe='your pipe path')
for packet in capture:
    # do something with the packet
    print(packet)