pcapng_utils.tshark package

Submodules

pcapng_utils.tshark.traffic module

class pcapng_utils.tshark.traffic.NetworkTrafficDump(tshark_output)[source]

Bases: object

The NetworkTrafficDump class is designed to handle and process network traffic data.

creation_metadata

Some metadata of the input file, exported in the HAR creator comment.

Type:

dict

traffic

A list of dictionaries containing traffic data.

Type:

list[dict]

parsed_traffic

Mapping of parsed traffic per protocol class (e.g. Http1Traffic, Http2Traffic)

Type:

dict[class, instance]

parse_traffic()[source]

Parse the HTTP1 and HTTP2 network traffic.

to_har()[source]

Convert the network traffic data to HTTP Archive (HAR) format.

Returns:

the network traffic data in HAR format

Return type:

dict[str, Any]

pcapng_utils.tshark.types module

class pcapng_utils.tshark.types.ParsedTrafficProtocol(traffic)[source]

Bases: Protocol

get_har_entries()[source]

Return type:

list[dict[str, Any]]

pcapng_utils.tshark.utils module

pcapng_utils.tshark.utils.get_layers_mapping(traffic)[source]

Get the mapping of layers by frame number (computed once, for all callers).

Return type:

Mapping[int, Mapping[str, Any]]

pcapng_utils.tshark.utils.get_tshark_bytes_from_raw(r)[source]

Format of '*_raw' fields produced with the '-x' flag: [hexa: str, *sizes: int]

Return type:

bytes
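A decoder for that field layout, added here as an example (it is not the project's own get_tshark_bytes_from_raw); the sample field is constructed, and accepting a bare hex string in addition to the list form is an assumption:

```python
import re

# Constructed sample of a '*_raw' field as emitted by `tshark -T json -x`:
# the hex string comes first, followed by integers (sizes/positions) that
# are not needed for the decoding itself. Values are made up for illustration.
SAMPLE_RAW_FIELD = ["474554202f20485454502f312e310d0a", 54, 16, 0, 30]

_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})*$")


def tshark_bytes_from_raw(raw):
    """Decode a '*_raw' JSON field ([hexa: str, *sizes: int]) into bytes.

    Assumption (not from the project): a bare hex string is accepted too,
    so callers need not know which layout tshark produced.
    """
    if isinstance(raw, str):
        hexa = raw
    elif isinstance(raw, (list, tuple)) and raw and isinstance(raw[0], str):
        hexa = raw[0]
        if not all(isinstance(n, int) for n in raw[1:]):
            raise ValueError("trailing '*_raw' elements must be integers")
    else:
        raise TypeError(f"unexpected '*_raw' field shape: {raw!r}")
    # Reject odd-length or non-hex input up front rather than letting
    # bytes.fromhex fail with a less specific error deep inside a HAR export.
    if not _HEX_RE.match(hexa):
        raise ValueError("'*_raw' hex string is malformed")
    return bytes.fromhex(hexa)
```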

pcapng_utils.tshark.utils.har_entry_with_common_fields(har_entry)[source]

Return provided HAR entry together with common fields.

In particular, we add the non-standard _sha1Id field, which serves both as an entry identifier and as an easy way to track changes across different releases of this software.

Return type:

dict[str, Any]
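One way to derive such a stable, content-dependent identifier, added here as an example rather than the project's own implementation (how the project computes _sha1Id is an assumption; the HAR entry below is constructed):

```python
import hashlib
import json


def har_entry_with_common_fields(har_entry, hash_algo="sha1"):
    """Return a copy of `har_entry` with a stable `_sha1Id` identifier added.

    The id is the hex digest of the canonical JSON serialisation of the entry
    (sorted keys, fixed separators), so it does not depend on dict ordering
    but changes whenever any exported field changes, including changes caused
    by a new release of the exporter. hash_algo mirrors Tshark(hash_algo=...).
    """
    canonical = json.dumps(har_entry, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    digest = hashlib.new(hash_algo, canonical).hexdigest()
    return {**har_entry, "_sha1Id": digest}


# Constructed minimal HAR entry (not from a real capture).
SAMPLE_ENTRY = {
    "startedDateTime": "2024-01-01T00:00:00.000Z",
    "request": {"method": "GET", "url": "http://example.test/", "headers": []},
    "response": {"status": 200, "content": {"size": 0, "mimeType": "text/plain"}},
}


def ids_match_regardless_of_key_order():
    """Same content in a different key order must yield the same id."""
    reordered = dict(reversed(list(SAMPLE_ENTRY.items())))
    return (har_entry_with_common_fields(SAMPLE_ENTRY)["_sha1Id"]
            == har_entry_with_common_fields(reordered)["_sha1Id"])


def id_changes_when_content_changes():
    """Any change in an exported field must yield a different id."""
    changed = json.loads(json.dumps(SAMPLE_ENTRY))
    changed["response"]["status"] = 404
    return (har_entry_with_common_fields(SAMPLE_ENTRY)["_sha1Id"]
            != har_entry_with_common_fields(changed)["_sha1Id"])
```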

pcapng_utils.tshark.wrapper module

class pcapng_utils.tshark.wrapper.Tshark(tshark_cmd='tshark', hash_algo='sha1')[source]

Bases: object

A class to interact with tshark for loading and parsing network traffic data from a PCAPNG file.

tshark is a command-line tool for capturing and analyzing network traffic. It is part of the Wireshark suite and provides similar functionality to the Wireshark GUI in a terminal environment.

  • Packet capture and analysis: tshark can capture live network traffic and analyze packets from capture files (e.g., PCAP, PCAPNG).

  • Protocol decoding: It supports decoding a wide range of network protocols, providing detailed information about each packet.

  • Filtering: tshark allows filtering packets using display filters to focus on specific traffic.

  • Statistics: It can generate various statistics about the captured traffic, such as protocol hierarchy, endpoint statistics, and conversation lists.

  • Exporting data: tshark can export packet data to different formats, including JSON, CSV, and plain text.

  • Decryption: tshark supports decryption of encrypted traffic using SSL/TLS keys provided in an SSLKEYLOG file.

tshark can convert PCAPNG files to JSON format using the -T json option. This allows for easy parsing and analysis of network traffic data in a structured format.

Useful commands:

  • Capture live traffic: tshark -i <interface>

  • Read from a PCAP file: tshark -r <file.[pcap|pcapng]>

  • Display packet details: tshark -V

  • Filter packets: tshark -Y <filter>

  • Export to JSON: tshark -r <file.[pcap|pcapng]> -T json

  • Decrypt SSL/TLS traffic: tshark -r <file.[pcap|pcapng]> -o "ssl.keys_list: <key_file>"

  • Inject the TLS secrets: editcap --inject-secrets tls,<keylog_file> <file.pcap> <output.pcapng>

tshark_cmd

The path to the tshark executable.

Type:

str

load_traffic(pcapng_file)[source]

Loads network traffic data from the provided pcapng file using tshark.

This method runs the tshark command to read the pcapng file and parse the output as JSON. The parsed traffic data is then returned, together with some metadata.

Raises:

subprocess.CalledProcessError – If the tshark command fails.

Return type:

TsharkOutput

Note that no HTTP3 traffic is expected since it is rejected by Pirogue.

hash_algo: str = 'sha1'
tshark_cmd: str = 'tshark'
property version: str[source]
class pcapng_utils.tshark.wrapper.TsharkOutput(list_packets, metadata)[source]

Bases: object

Output of a tshark network traffic dump, together with some metadata about it.

property list_layers: Sequence[Mapping[str, Any]]

Extract layers: for each packet, extracts the layers from the _source key.

list_packets: Sequence[Mapping[str, Any]]
metadata: Mapping[str, Any]
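An added example, not the project's own code, showing the path that load_traffic, list_layers and get_layers_mapping describe: build the tshark argv, parse its JSON output, pull the layers out of each packet's _source key, and key them by frame number. The sample packet list is constructed, and the exact shape of the project's TsharkOutput is an assumption.

```python
from __future__ import annotations
import json
import subprocess
from collections.abc import Mapping, Sequence
from typing import Any


def build_tshark_json_cmd(pcapng_file: str, tshark_cmd: str = "tshark") -> list[str]:
    """argv for dumping a capture as JSON with raw hex fields (-x) included.
    The path is a separate argv element (no shell), so unusual file names
    are never interpreted by a shell."""
    return [tshark_cmd, "-r", pcapng_file, "-T", "json", "-x"]


def run_tshark_json(pcapng_file: str, tshark_cmd: str = "tshark") -> list[dict[str, Any]]:
    """Run tshark and parse its JSON array; CalledProcessError propagates on failure."""
    proc = subprocess.run(build_tshark_json_cmd(pcapng_file, tshark_cmd),
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def list_layers(list_packets: Sequence[Mapping[str, Any]]) -> list[Mapping[str, Any]]:
    """Extract the per-packet 'layers' dict from each packet's '_source' key."""
    return [pkt["_source"]["layers"] for pkt in list_packets]


def get_layers_mapping(list_packets: Sequence[Mapping[str, Any]]) -> dict[int, Mapping[str, Any]]:
    """Map frame number -> layers. Frame numbers are 1-based and unique in a
    dump, so a duplicate signals a corrupt or concatenated input and is rejected."""
    mapping: dict[int, Mapping[str, Any]] = {}
    for layers in list_layers(list_packets):
        frame_no = int(layers["frame"]["frame.number"])
        if frame_no in mapping:
            raise ValueError(f"duplicate frame number {frame_no}")
        mapping[frame_no] = layers
    return mapping


# Constructed stand-in for `tshark -T json` output (two frames, not a real capture).
SAMPLE_PACKETS = [
    {"_index": "packets-2024-01-01",
     "_source": {"layers": {"frame": {"frame.number": "1", "frame.protocols": "eth:ip:tcp:http"},
                            "http": {"http.request.method": "GET"}}}},
    {"_index": "packets-2024-01-01",
     "_source": {"layers": {"frame": {"frame.number": "2", "frame.protocols": "eth:ip:tcp"},
                            "tcp": {"tcp.len": "0"}}}},
]
```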

Module contents

The package re-exports its two main classes so they can be imported directly from pcapng_utils.tshark:

class pcapng_utils.tshark.NetworkTrafficDump(tshark_output)[source]

Same as pcapng_utils.tshark.traffic.NetworkTrafficDump, documented above.

class pcapng_utils.tshark.Tshark(tshark_cmd='tshark', hash_algo='sha1')[source]

Same as pcapng_utils.tshark.wrapper.Tshark, documented above.