11

As far as I know, pyshark is a Python wrapper for tshark, which is the command-line version of Wireshark. Since Wireshark and tshark allow you to detect TCP retransmissions, I was wondering how I could do that using pyshark. I haven't found any good documentation, so I am not sure whether you just can't do that, or whether I just can't find the proper way. Thank you!

user1315621
  • By "detect TCP transmission", do you mean to just see if a TCP packet is seen at all? Or do you mean something more specific like TCP, but for specific remote hosts/ports? – Ross Jacobs Oct 09 '19 at 19:51
  • My knowledge of telecommunication systems is a bit rusty. I would like to detect (or estimate) the number of packets lost in both outgoing and incoming directions. Does that clarify? – user1315621 Oct 09 '19 at 20:46
  • 2
    You could use the display filter `tcp.analysis.retransmission`, which can be used with both Wireshark and PyShark. Failing that, you may want to ask your question (with more context) on [Wireshark's Forum](https://ask.wireshark.org) if you want help leveraging Wireshark or [Server Fault](https://serverfault.com) if you want help tracking down the loss. – Ross Jacobs Oct 10 '19 at 05:18
  • I think tcp.analysis.retransmission would probably work fine. But can you provide me with an example in PyShark on how to use it? – user1315621 Oct 10 '19 at 15:53
  • [This article](https://subscription.packtpub.com/book/networking_and_servers/9781789958096/1/ch01lvl1sec15/interacting-with-wireshark-with-pyshark) about interacting with Wireshark using Pyshark is about the closest I could find to your question. – Linny Oct 14 '19 at 07:22

1 Answer

6

The code below detects TCP retransmissions in pyshark.

import pyshark

###################################################
# these filters can be applied under LiveCapture
# display_filter: A display (wireshark) filter to apply on the cap before reading it.
# display_filter='tcp.analysis.fast_retransmission'
# display_filter='tcp.analysis.retransmission'
###################################################
capture = pyshark.LiveCapture(interface='en1', display_filter='tcp.analysis.fast_retransmission')
capture.sniff(timeout=50)

for packet in capture.sniff_continuously(packet_count=5):
    print('Just arrived:', packet)

It should display this in the packets:

# display_filter='tcp.analysis.retransmission'
TCP Analysis Flags
Expert Info (Note/Sequence): This frame is a (suspected) retransmission
This frame is a (suspected) retransmission

# display_filter='tcp.analysis.fast_retransmission'
TCP Analysis Flags
This frame is a (suspected) fast retransmission
This frame is a (suspected) retransmission
Expert Info (Note/Sequence): This frame is a (suspected) fast retransmission
Expert Info (Note/Sequence): This frame is a (suspected) retransmission

If you include only_summaries=True in LiveCapture, you would see something like this:

Just arrived: 223 71.890878 fe80::cabc:c8ff:feec:d46d fe80::1416:1ca1:307c:b0e6 TCP 86 [TCP Spurious Retransmission] 59005 \xe2\x86\x92 49373 [FIN, ACK] Seq=1855 Ack=2365 Win=4096 Len=0 TSval=930665353 TSecr=692710576

Just arrived: 371 121.293913 fe80::1416:1ca1:307c:b0e6 fe80::cabc:c8ff:feec:d46d TCP 98 [TCP Retransmission] 62078 \xe2\x86\x92 59012 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1440 WS=64 TSval=692717653 TSecr=930714614 SACK_PERM=1

You can also filter these packets more specifically by applying the bpf_filter in LiveCapture together with the display filter for TCP retransmissions.

import pyshark

capture = pyshark.LiveCapture(interface='en1', bpf_filter='ip and tcp port 443', display_filter='tcp.analysis.retransmission')
capture.sniff(timeout=50)

for packet in capture.sniff_continuously(packet_count=5):
    print('Just arrived:', packet)

Here is one way to read a pcap with pyshark:

import pyshark

# only packets tshark flags as tcp.analysis.retransmission are yielded
capture = pyshark.FileCapture('test.pcap', display_filter='tcp.analysis.retransmission')
counter = 0
for packet in capture:
    counter += 1
    print('*' * 10, f'Retransmission packet {counter}:', '*' * 10)

Output:

********** Retransmission packet 1: **********
********** Retransmission packet 2: **********
********** Retransmission packet 3: **********
********** Retransmission packet 4: **********
********** Retransmission packet 5: **********
Life is complex
  • Thank you! I am reading a PCAP file so with your code, I should read it twice: the first time to process the retransmitted packets and the second time to process all the other packets. Is there a solution? – user1315621 Oct 14 '19 at 14:37
  • I updated the code to read a pcap file and filter the retransmissions. – Life is complex Oct 14 '19 at 19:32
  • The thing is that if I print all the packets (without any filter when reading), I can find some retransmitted packets by printing the packets. For instance, packet.summary_line, returns " 2 4.1e-05 175.45.176.3 149.171.126.16 TCP 77 [TCP Retransmission] 22592 \\xe2\\x86\\x92 143 [PSH, ACK] Seq=1 Ack=1 Win=16383 Len=21 ". Therefore I suppose there should be an attribute of the packet that tells that it is a possible retransmission. – user1315621 Oct 14 '19 at 19:34
  • My pcap has these under TCP Analysis Flags. Are you using my code example to query your file? – Life is complex Oct 14 '19 at 19:43
  • You mean packet.tcp.analysis.flags ? Because my packets don't have it. – user1315621 Oct 14 '19 at 19:47
  • What application created your pcap file? – Life is complex Oct 14 '19 at 19:50
  • I received it so I don't know. The thing is that packet.tcp.analysis doesn't have the attribute flags: 'LayerField' object has no attribute 'flags' – user1315621 Oct 14 '19 at 20:14
  • I created my pcap with Wireshark, so the Layer TCP section has the TCP Analysis Flags. Can you provide a sample of your pcap? – Life is complex Oct 14 '19 at 20:20
  • 1
    @user1315621 - If your capture is critical to the question, you should [edit](https://stackoverflow.com/posts/58311303/edit) your post to include a link to the capture and modify your question. Otherwise, I would mark this answer as accepted because *it answers the question that is currently posted*. – Ross Jacobs Oct 17 '19 at 18:16
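As an added example that is not part of the answer or of pyshark, the single pass below labels each segment of a flow the way Wireshark's `tcp.analysis` heuristic does, which is also what the follow-up comment about reading the pcap only once needs. With pyshark you would read that verdict from the dissector instead of recomputing it: the `tcp.analysis.retransmission` flag shows up as the `analysis_retransmission` field of `packet.tcp` (pyshark's usual renaming of dotted field names; check `packet.tcp.field_names`). The heuristic is a simplified version of Wireshark's rule, the sample flow is constructed, and `Segment`, `classify_retransmissions` and `split_segments` are names of my own.

```python
from dataclasses import dataclass

@dataclass
class Segment:  # relative seq/ack numbers, as Wireshark displays them
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    seq: int
    ack: int
    length: int       # TCP payload bytes
    flags: frozenset  # e.g. frozenset({'PSH', 'ACK'})

def classify_retransmissions(segments):
    """One pass in capture order; returns per segment None, 'Retransmission' or
    'Spurious Retransmission' (the tags seen in the summary lines above).
    Simplified Wireshark rule: a segment carrying data (or SYN/FIN) that starts
    below the highest sequence already seen in its direction is a retransmission;
    if the peer has already acknowledged everything it covers, it is spurious."""
    next_seq = {}  # (src, dst) -> next sequence number expected in that direction
    last_ack = {}  # (src, dst) -> highest ACK number sent in that direction
    labels = []
    for seg in segments:
        fwd, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        carries = seg.length > 0 or 'SYN' in seg.flags or 'FIN' in seg.flags
        seg_end = seg.seq + seg.length + ('SYN' in seg.flags) + ('FIN' in seg.flags)
        label = None
        if carries and fwd in next_seq and seg.seq < next_seq[fwd]:
            label = ('Spurious Retransmission' if seg_end <= last_ack.get(rev, 0)
                     else 'Retransmission')
        next_seq[fwd] = max(next_seq.get(fwd, 0), seg_end)
        if 'ACK' in seg.flags:
            last_ack[fwd] = max(last_ack.get(fwd, 0), seg.ack)
        labels.append(label)
    return labels

def split_segments(segments):
    """Read the capture once and keep both groups: (retransmissions, everything else)."""
    labels = classify_retransmissions(segments)
    return ([s for s, l in zip(segments, labels) if l],
            [s for s, l in zip(segments, labels) if not l])

# Constructed sample flow (not a real capture): handshake, then one data segment
# sent three times: once normally, once before and once after the peer's ACK.
A, B, F = '10.0.0.1:59005', '10.0.0.2:443', frozenset
SAMPLE = [
    Segment(A, B, 0, 0, 0, F({'SYN'})),
    Segment(B, A, 0, 1, 0, F({'SYN', 'ACK'})),
    Segment(A, B, 1, 1, 0, F({'ACK'})),
    Segment(A, B, 1, 1, 100, F({'PSH', 'ACK'})),  # original data
    Segment(A, B, 1, 1, 100, F({'PSH', 'ACK'})),  # resent before any ACK arrives
    Segment(B, A, 1, 101, 0, F({'ACK'})),         # peer acknowledges bytes 1..100
    Segment(A, B, 1, 1, 100, F({'PSH', 'ACK'})),  # resent after the ACK: spurious
    Segment(A, B, 101, 1, 50, F({'PSH', 'ACK'})), # new data
]
```

Running `classify_retransmissions(SAMPLE)` flags the fifth segment as a retransmission and the seventh as a spurious one, matching how the `[TCP Retransmission]` and `[TCP Spurious Retransmission]` summary tags above are assigned.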