Analyzing pcap files with Pyshark

This post shows how to use the Pyshark library to filter and analyze the ARP packets in a pcap file. It covers the difference between BPF filters and display filters, points out a known problem with BPF filters on FileCapture, and recommends using Wireshark's filter feature to build filters. It then walks, in three steps, through loading a capture file with a display filter and printing the source IP address carried in the ARP payload.

Filtering packets:

Filtering packets can be done with any capture object, like so:

filtered_cap = pyshark.FileCapture(path_to_file, display_filter='http')
filtered_cap2 = pyshark.LiveCapture('eth0', bpf_filter='tcp port 80')

There are two types of filters, BPF filters and display filters. Generally, BPF filters are more limited but faster (they are applied by the capture engine before packets are dissected), while display filters can match on pretty much any dissected attribute of the packet but are much slower.

Note: there is currently an ISSUE with BPF filters on FileCapture, and using them there is not recommended.

See BPF syntax help HERE and display filters help HERE.

Note: we recommend using the “Wireshark - Preparing and Applying Filters Feature” to select the filters.

Demo for analyzing ARP packets

$ ipython
Python 2.7.8 (default, Jul  2 2014, 22:10:09)
Type "copyright", "credits" or "license" for more information.

IPython 4.2.0 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python
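What the demo above works toward, as an added example that is not the page's code: keep only the ARP packets of a capture and print each packet's sender IP. With Pyshark that is `pyshark.FileCapture(path, display_filter='arp')` followed by `pkt.arp.src_proto_ipv4` on each packet (Pyshark exposes Wireshark's `arp.src.proto_ipv4` field under that name). Because Pyshark needs a tshark installation, this version reads the pcap with the standard library alone and names its fields after the same Wireshark fields, so it runs anywhere; the pcap bytes, MAC addresses and IPs are constructed for the example, and it goes one step further than the demo by flagging an IP claimed by more than one MAC in ARP replies, the basic ARP-spoofing indicator a defender looks for in such a capture.

```python
"""Added example (not the page's own code): filter ARP packets out of a pcap
and report the sender IP, as the page's Pyshark demo does with
display_filter='arp' and pkt.arp.src_proto_ipv4, using the standard library
only. The capture below is constructed inline."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read "<I" from a little-endian pcap
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same bytes read "<I" from a big-endian pcap
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def build_arp_frame(sender_mac, sender_ip, target_mac, target_ip, opcode=2, eth_dst=None):
    """Ethernet II frame carrying an ARP request (opcode=1) or reply (opcode=2)."""
    eth = (eth_dst or target_mac) + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in enumerate(frames))
    return header + records


def iter_frames(pcap_bytes):
    """Yield each captured frame from classic pcap bytes (either byte order)."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # size of the global header
    while offset + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """ARP fields named like Wireshark's arp.* fields, or None when the frame is not
    Ethernet/IPv4 ARP (None is the frame failing display_filter='arp')."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {
        "opcode": opcode,
        "src_hw_mac": _mac_str(frame[22:28]),
        "src_proto_ipv4": socket.inet_ntoa(frame[28:32]),
        "dst_hw_mac": _mac_str(frame[32:38]),
        "dst_proto_ipv4": socket.inet_ntoa(frame[38:42]),
    }


def arp_sender_ips(pcap_bytes):
    """Sender IP of every ARP packet: pkt.arp.src_proto_ipv4 per filtered packet."""
    return [a["src_proto_ipv4"] for a in map(parse_arp, iter_frames(pcap_bytes)) if a]


def ip_to_mac_conflicts(pcap_bytes):
    """IPs claimed by more than one MAC in ARP replies, a basic spoofing indicator."""
    claims = defaultdict(set)
    for arp in filter(None, map(parse_arp, iter_frames(pcap_bytes))):
        if arp["opcode"] == 2:
            claims[arp["src_proto_ipv4"]].add(arp["src_hw_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample capture: two replies for 192.168.1.1 from different MACs,
# one IPv4 frame the ARP filter must drop, and one ARP request.
GATEWAY_MAC = bytes.fromhex("aabbccddee01")
ROGUE_MAC = bytes.fromhex("aabbccddee02")
HOST_MAC = bytes.fromhex("aabbccddee03")
GATEWAY_IP = socket.inet_aton("192.168.1.1")
HOST_IP = socket.inet_aton("192.168.1.50")
SAMPLE_PCAP = build_pcap([
    build_arp_frame(GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, opcode=2),
    HOST_MAC + GATEWAY_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 45,
    build_arp_frame(ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, opcode=2),
    build_arp_frame(HOST_MAC, HOST_IP, b"\x00" * 6, GATEWAY_IP, opcode=1, eth_dst=b"\xff" * 6),
])

if __name__ == "__main__":
    for ip in arp_sender_ips(SAMPLE_PCAP):
        print("ARP sender:", ip)
    print("conflicting claims:", ip_to_mac_conflicts(SAMPLE_PCAP))
```

To use it on a real file, pass `open(path, "rb").read()` to `arp_sender_ips` or `ip_to_mac_conflicts`; the reader handles only the classic pcap format (not pcapng) and only Ethernet link type, which is why the Pyshark route, with tshark doing the dissection, is the one to prefer once tshark is available.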