Run pyshark in background

Question

I'd like to run pyshark in the background so while its running I'll still be able to perform some web actions and capture them. One mandatory condition is that I must be able to parse using tshark because I have some proprietary Wireshark dissectors.

Basically what I need to do is this:

Start network capture
Perform some web actions
Stop capture (or wait for a stop condition)
Iterate over capture object and check each packet's properties

I can't use capture.sniff() as-is because it's working in blocking mode, and can't use capture.sniff_continuously() because it's a generator.

Problem: I tried calling sniff() from a thread, then wait for it to end with join(). But when I reach the iterator, tshark.exe relaunch and overwrites the capture file:

print('Background sniffing:')
capture = pyshark.LiveCapture(interface='Ethernet', bpf_filter='host 10.20.30.40', output_file='bg_capture.pcapng')
t = threading.Thread(target=capture.sniff, kwargs={'timeout': 30, 'packet_count': 5000}, daemon=True)
t.start()
print('Do some stuff web action here...')
t.join()
print('Done sniffing')
for p in capture: # At this point, tshark re-launch itself
    print(f'Packet number {p.number}')

Unfortunately, no. I'm thinking of opening tshark in a background process, capturing to a file. Then open the file with pyshark and use it's parsing capabilities. — someuser, Nov 08 '20 at 08:24
I found the solution. Just record the traffic with dumpcap into a file and after open this file with pyshark. — Mister_Jesus, Nov 08 '20 at 23:05

score 0 · Answer 1 · answered May 10 '23 at 12:33

Solution: start network traffic capture on a background thread, then initiate some network traffic on the main thread and use captured traffic for analysis whatever you need.

import pyshark
import sh
import threading
import time

#we want observe network traffic just to this destination
dst_ip = "172.217.16.14"

#background thread task
def capture_task():
    capture = pyshark.LiveCapture('any')
    capture.sniff(timeout=1)

    for packet in capture:
        if 'ip' in packet:
            protocol = packet.layers
            dst = packet['ip'].dst
            if dst == dst_ip:
                print("got it: proto:{}, dst:{}".format(protocol, dst))


def mainfn():
    #start a background thread
    thread = threading.Thread(target=capture_task)
    thread.start()

    print("start...")
    #some sleep - it is needed for other threads to have possibility to get CPU cycles
    time.sleep(1)

    #initiate some network traffic
    for i in range(5):
        print("doing my ping[{}] traffic...".format(i))
        sh.ping("-q", "-c", "1", dst_ip)
        time.sleep(0.3)

    #handle exit as you like...
    try:
        while True:
            time.sleep(0.1)
            pass
    except KeyboardInterrupt:
        print("exiting...")
        thread.join()


#run main fn
mainfn()

Run pyshark in background

1 Answers1