Getting a deep look into .pcap files from Python

Have you ever found yourself with a huge .pcap file, containing tons of information that you would like to process, but find it too tiresome to tweak all the knobs in Wireshark? Do it from Python!

Sharktools will help you do just that. Just capture in Wireshark or tcpdump and export to a packet capture (pcap) file. Then, from Python, you will be able to import whole pcap files and retrieve each captured packet's information (from all the layers).
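To make concrete what a pcap file holds and what "information from all the layers" means, here is an added example (not Sharktools or pyshark code) that reads the pcap global header and per-record headers with Python's standard library and decodes the Ethernet, IPv4 and TCP/UDP port fields, labelled with Wireshark-style field names. The sample capture is constructed inline and the function names are my own.

```python
import struct

# pcap magic numbers (libpcap file format) mapped to the timestamp fraction divisor:
# microsecond and nanosecond variants; reading the magic in both byte orders gives the file's endianness.
MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}


def parse_pcap(data: bytes):
    """Yield one dict per record: timestamp, lengths and the decoded
    Ethernet/IPv4/transport fields, keyed by Wireshark-style field names."""
    endian = "<"
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        endian = ">"
        (magic,) = struct.unpack(">I", data[:4])
        if magic not in MAGICS:
            raise ValueError("not a pcap file")
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:  # LINKTYPE_ETHERNET is the only link layer decoded here
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if caplen > snaplen or off + caplen > len(data):
            raise ValueError("truncated or corrupt record")  # typical of a capture cut off mid-write
        pkt = data[off:off + caplen]
        off += caplen
        rec = {"frame.time": ts_sec + ts_frac / MAGICS[magic], "frame.cap_len": caplen, "frame.len": origlen}
        if len(pkt) >= 14:
            rec["eth.type"] = struct.unpack("!H", pkt[12:14])[0]
        if rec.get("eth.type") == 0x0800 and len(pkt) >= 34:  # IPv4 header follows the 14-byte Ethernet header
            ihl = (pkt[14] & 0x0F) * 4
            rec["ip.proto"] = pkt[23]
            rec["ip.src"] = ".".join(map(str, pkt[26:30]))
            rec["ip.dst"] = ".".join(map(str, pkt[30:34]))
            if rec["ip.proto"] in (6, 17) and len(pkt) >= 18 + ihl:  # TCP/UDP ports sit right after the IP header
                rec["srcport"], rec["dstport"] = struct.unpack("!HH", pkt[14 + ihl:18 + ihl])
        yield rec


def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed sample capture: one Ethernet/IPv4/UDP frame, in the requested byte order."""
    hdr = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    eth = bytes(12) + b"\x08\x00"  # zeroed MAC addresses, EtherType IPv4
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 28, 1, 0, 64, 17, 0) + bytes([10, 0, 0, 1, 10, 0, 0, 2])
    frame = eth + ip + struct.pack("!HHHH", 40000, 53, 8, 0)  # UDP header, ports 40000 -> 53
    rec = struct.pack(endian + "IIII", 1700000000, 500000, len(frame), len(frame))
    return hdr + rec + frame
```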

Installation

The README of the project details this very well: they have only tested it under very specific system configurations. I have successfully installed it using the Ubuntu 10.04.1 setup they point out in the README.

I did it from scratch: I used a Virtual Machine (VM) to install Ubuntu 10.04.1 and all the requirements pointed out in the README. I also avoided updating the operating system before the installation.

Once you get to the manual configuration of Wireshark (line 265 of the README file: ./configure --disable-wireshark), a problem is likely to arise. Sharktools assumes that your system PATH environment variable contains all the directories it needs. Because of this, you should append to your PATH: ":/path/to/sharktools-master/src:/and/the/path/to/wireshark-x-y-z". This way you avoid nasty errors while running make for Sharktools.

Continue with the instructions for the pyshark installation. After the make command finishes successfully, tell your PYTHONPATH where the pyshark module is. I added a line pointing to /the/sharktools-master/src.

I think that this very short explanation of the considerations that should be taken to install Sharktools and pyshark would have saved me HOURS!

Regards.

L!

Posted under: VM

