LiveRingCapture Parameters
The LiveRingCapture module within PyShark has several parameters that are configurable.
```python
import pyshark

capture = pyshark.LiveRingCapture(ring_file_size=1024,
                                  num_ring_files=1,
                                  ring_file_name='/tmp/pyshark.pcap',
                                  interface=None,
                                  bpf_filter=None,
                                  display_filter=None,
                                  only_summaries=False,
                                  decryption_key=None,
                                  encryption_type='wpa-pwk',
                                  decode_as=None,
                                  disable_protocol=None,
                                  tshark_path=None,
                                  override_prefs=None,
                                  capture_filter=None,
                                  use_json=False,
                                  use_ek=False,
                                  include_raw=False,
                                  eventloop=None,
                                  custom_parameters=None,
                                  debug=False)

for packet in capture:
    # do something with the packet
    pass
```
- ring_file_size:
  - type: int
  - default: 1024
  - description: Size of the ring file in kB.
- num_ring_files:
  - type: int
  - default: 1
  - description: Number of ring files to keep.
- ring_file_name:
  - type: string
  - default: /tmp/pyshark.pcap
  - description: Name of the ring file.
- interface:
  - type: string
  - default: None
  - description: Name of the interface to sniff on or a list of names (str). If not given, runs on all interfaces.
- bpf_filter:
  - type: string
  - default: None
  - description: BPF filter to use on packets.
- display_filter:
  - type: string
  - default: None
  - description: Display (Wireshark) filter to use.
- only_summaries:
  - type: boolean
  - default: False
  - description: Only produce packet summaries, much faster but includes very little information.
- decryption_key:
  - type: string
  - default: None
  - description: Optional key used to encrypt and decrypt captured traffic.
- encryption_type:
  - type: string
  - default: wpa-pwk
  - description: Standard of encryption used in captured traffic (must be either 'WEP', 'WPA-PWD', or 'WPA-PWK').
- decode_as:
  - type: dictionary
  - default: None
  - description: A dictionary of {decode_criterion_string: decode_as_protocol} that are used to tell TShark to decode protocols in situations it wouldn't usually, for instance {'tcp.port==8888': 'http'} would make it attempt to decode any port 8888 traffic as HTTP. See TShark documentation for details.
- tshark_path:
  - type: string
  - default: None
  - description: Path of the TShark binary.
- override_prefs:
  - type: dictionary
  - default: None
  - description: A dictionary of TShark preferences to override, {PREFERENCE_NAME: PREFERENCE_VALUE, ...}
- capture_filter:
  - type: string
  - default: None
  - description: Capture (Wireshark) filter to use.
- disable_protocol:
  - type: string
  - default: None
  - description: Tells TShark to remove a dissector for a specific protocol.
- use_ek:
  - type: boolean
  - default: False
  - description: Uses TShark in EK JSON mode. It is faster than XML but has slightly less data.
- use_json:
  - type: boolean
  - default: False
  - description: DEPRECATED. Use use_ek instead.
- include_raw:
  - type: boolean
  - default: False
  - description: Whether to include raw packet data.
- eventloop:
  - type: event loop object
  - default: None
  - description: Event loop to use for asynchronous operations.
- custom_parameters:
  - type: dictionary
  - default: None
  - description: A dict of custom parameters to pass to TShark, e.g. {"--param": "value"} or else a list of parameters in the format ["--foo", "bar", "--baz", "foo"]
- debug:
  - type: boolean
  - default: False
  - description: Whether to enable debug mode.
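The following is an added example, not part of PyShark or of the original page: it validates a subset of the parameters above before a capture starts and places the ring file in an owner-only directory instead of the shared `/tmp` default. The helper names (`build_ring_capture_kwargs`, `ring_budget_kb`, `start_capture`), the `capture_dir` argument, the `ring.pcap` file name and the mode-0700 policy are assumptions of this example.

```python
import os
import stat

# Values this page lists for encryption_type (compared case-insensitively here).
ALLOWED_ENCRYPTION = {"wep", "wpa-pwd", "wpa-pwk"}


def build_ring_capture_kwargs(interface, capture_dir, ring_file_size=1024,
                              num_ring_files=4, bpf_filter=None, decode_as=None,
                              decryption_key=None, encryption_type="wpa-pwk"):
    """Validate settings and return kwargs for pyshark.LiveRingCapture."""
    for name, value in (("ring_file_size", ring_file_size),
                        ("num_ring_files", num_ring_files)):
        if isinstance(value, bool) or not isinstance(value, int) or value < 1:
            raise ValueError(f"{name} must be a positive integer")
    if encryption_type.lower() not in ALLOWED_ENCRYPTION:
        raise ValueError(f"unsupported encryption_type: {encryption_type!r}")
    if decode_as is not None and not all(
            isinstance(k, str) and isinstance(v, str) for k, v in decode_as.items()):
        raise ValueError("decode_as must map criterion strings to protocol names")
    # Captures hold sensitive traffic: require a directory only its owner can access.
    info = os.stat(capture_dir)
    if not stat.S_ISDIR(info.st_mode):
        raise ValueError(f"{capture_dir} is not a directory")
    if info.st_uid != os.getuid() or info.st_mode & 0o077:
        raise ValueError(f"{capture_dir} must be owned by this user with mode 0700")
    return {
        "interface": interface,
        "ring_file_size": ring_file_size,
        "num_ring_files": num_ring_files,
        "ring_file_name": os.path.join(capture_dir, "ring.pcap"),
        "bpf_filter": bpf_filter,
        "decode_as": decode_as,
        "decryption_key": decryption_key,
        "encryption_type": encryption_type,
    }


def ring_budget_kb(kwargs):
    """Approximate on-disk ceiling: per-file size in kB times files kept."""
    return kwargs["ring_file_size"] * kwargs["num_ring_files"]


def start_capture(kwargs):
    """Create the capture; pyshark is imported here so validation runs without it."""
    import pyshark
    return pyshark.LiveRingCapture(**kwargs)
```

Passing `decryption_key` in from a secret store or environment variable at call time keeps the key out of source control.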