Hello,
I would prefer a description of the format of the data when I read pcapng data
with python. I do e.g.
cap = pyshark.FileCapture("myfile.pcapng")
then what is "cap"? Seems that this is a list of different "packages". So next
I do
for pkt in cap: ...
But then what is the content of "pkt"? Is it a list? A dict? A special format?
With what elements? What are these elements? What types are they (list, dict,
int, str, something else)?
It turns out each "pkt" object has "layers". What does this mean?
For my task I need to take the 4th layer
layer = pkt.layers[3]
But again, what does a layer contain? What elements? What formats? And so on.
I managed to figure out by myself how to extract the data I want, but it would
probably be much easier if this python structure were described somewhere in a
proper way.
Thanks
-----Original Message-----
From: Wireshark-users <[email protected]> On Behalf Of Guy Harris
Sent: Tuesday, 24 January 2023 22:22
To: Community support list for Wireshark <[email protected]>
Subject: Re: [Wireshark-users] Where to find documentation about the formats
when to read pcapng data with python?
On Jan 24, 2023, at 12:37 AM, DIETZ Alexander <[email protected]>
wrote:
> I am very new to wireshark and the pcapng data format used to save wireshark
> recorded data. I want to read that data with python using the "pyshark"
> module, but I cannot find proper documentation on the data format(s). The
> only "extended" documentation I could find is here
>
> https://kiminewt.github.io/pyshark/
>
> which I would not consider as extended at all, as the documentation on the
> data format seems to be missing?
>
> Is there some other place where the formats of the packages, the layers etc.
> is described in more detail?
Pcapng files, like pcap files, Sniffer files, Network Monitor files, etc., are
sequences of one or more records, in a particular format. Packet records
contain metadata such as packet lengths and time stamps, as well as a blob of
raw data.
The blob of raw data may contain additional metadata, followed by raw packet
data.
Do you want the format of the records in those files described, do you want the
format of the raw data blobs described, or both?
From "the formats of the packages, the layers etc." it sounds as if you want
the format of the raw data blobs described. For example, if the packets are
Ethernet packets, they begin with a 14-byte Ethernet header; if the type/length
field in the Ethernet header has a type value rather than a length value, the
type value indicates the type of packet that follows the 14-byte header. A
value of 0x0800, for example, means that the packet is an IPv4 packet, which
begins with a header as described by RFC 791, and so on.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:[email protected]?subject=unsubscribe
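As an added example (not code from either poster, and not part of pyshark), the following Python parses a raw packet blob by hand exactly along the lines Guy Harris describes: a 14-byte Ethernet header, a type/length field that is either an 802.3 length or an EtherType (IEEE 802.3 treats values of 0x0600 and above as types), and, for EtherType 0x0800, an IPv4 header laid out as in RFC 791. The frame bytes are constructed for the example, not taken from any capture; the class and function names are the author's own choices. The dissected result is the same kind of structure pyshark exposes as pkt.layers once tshark has decoded the blob.

```python
"""Added example: hand-parse the raw data blob of an Ethernet frame.

Ethernet header (14 bytes) -> optional IPv4 header (RFC 791).
The sample frames below are constructed for this example."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MIN = 0x0600   # IEEE 802.3: >= 1536 is a type, <= 1500 is a length


@dataclass
class Ethernet:
    dst: str
    src: str
    type_or_length: int
    is_type: bool        # True if the field holds an EtherType, not a length


@dataclass
class IPv4:
    version: int
    ihl: int             # header length in 32-bit words
    total_length: int
    ttl: int
    protocol: int        # 6 = TCP, 17 = UDP, ...
    src: str
    dst: str


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame: bytes) -> Ethernet:
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, tl = struct.unpack("!6s6sH", frame[:14])
    return Ethernet(mac(dst), mac(src), tl, tl >= ETHERTYPE_MIN)


def parse_ipv4(data: bytes) -> IPv4:
    # Fixed 20-byte part of the RFC 791 header, network byte order.
    if len(data) < 20:
        raise ValueError("IPv4 header shorter than 20 bytes")
    (vihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 header: version {version}")
    if ihl < 5 or len(data) < ihl * 4:
        raise ValueError("bad IHL or truncated IPv4 header")
    return IPv4(version, ihl, total_len, ttl, proto,
                ".".join(map(str, src)), ".".join(map(str, dst)))


def parse_frame(frame: bytes) -> Tuple[Ethernet, Optional[IPv4]]:
    """Dissect the Ethernet layer and, if it carries IPv4, the IP layer."""
    eth = parse_ethernet(frame)
    if eth.is_type and eth.type_or_length == ETHERTYPE_IPV4:
        return eth, parse_ipv4(frame[14:])
    return eth, None    # 802.3 length field or a non-IPv4 EtherType: stop here


# Constructed Ethernet II frame: EtherType 0x0800, IPv4 TCP 192.168.1.2 -> 10.0.0.1
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"            # dst MAC, src MAC, type
    "45000028" "00010000" "4006" "0000"              # v4/IHL5, len 40, id 1, TTL 64, TCP
    "c0a80102" "0a000001"                            # src, dst
) + bytes(20)                                        # dummy payload

# Constructed 802.3 frame: the third field is a length (46), not a type.
LLC_FRAME = bytes.fromhex("001122334455" "66778899aabb" "002e") + bytes(46)

if __name__ == "__main__":
    for name, frame in (("ethernet-ii", SAMPLE_FRAME), ("802.3", LLC_FRAME)):
        print(name, parse_frame(frame))
```

Each dataclass here plays the role of one pyshark layer: the fields you would read as `layer.src`, `layer.ttl` and so on are exactly the header fields the dissector pulled out of the blob at the offsets shown.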