0x4D31 / fatt

FATT /fingerprintAllTheThings - a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic
BSD 3-Clause "New" or "Revised" License

Running fatt with old tshark shows no output #3

Closed jonaslejon closed 5 years ago

jonaslejon commented 5 years ago

Running with an old tshark version and no JSON logging:

(fatt-MY6RzNOM) # python3 fatt.py -i eth0 -p
(fatt-MY6RzNOM) #

Running with -j and -p:

# python3 fatt.py -i eth0 -p -j
Traceback (most recent call last):
  File "fatt.py", line 974, in <module>
    main()
  File "fatt.py", line 968, in main
    cap.apply_on_packets(pp.process)
  File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 248, in apply_on_packets
    return self.eventloop.run_until_complete(coro)
  File "/usr/lib/python3.7/asyncio/base_events.py", line 584, in run_until_complete
    return future.result()
  File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 264, in packets_from_tshark
    await self._close_async()
  File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 407, in _close_async
    await self._cleanup_subprocess(process)
  File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 400, in _cleanup_subprocess
    % process.returncode)
pyshark.capture.capture.TSharkCrashException: TShark seems to have crashed (retcode: 1). Try rerunning in debug mode [ capture_obj.set_debug() ] or try updating tshark.
Exception ignored in: <function Capture.__del__ at 0x7f41763f7378>
Traceback (most recent call last):
  File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 412, in __del__
  File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 403, in close
  File "/usr/lib/python3.7/asyncio/base_events.py", line 584, in run_until_complete
  File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 407, in _close_async
  File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 400, in _cleanup_subprocess
pyshark.capture.capture.TSharkCrashException: TShark seems to have crashed (retcode: 1). Try rerunning in debug mode [ capture_obj.set_debug() ] or try updating tshark.
(fatt-MY6RzNOM) #

When I'm enabling debug in capture.py:

(fatt-MY6RzNOM) # python3 fatt.py -i eth0 -p --json_logging
Capturing on 'eth0'
File: -
Running as user "root" and group "root". This could be dangerous.
tshark: Unknown protocol -- "tls"
tshark: Valid protocols for layer type "tcp.port" are:
..8<..

0x4D31 commented 5 years ago

Yes, the reason is that 'ssl' was renamed to 'tls' in the new tshark/wireshark versions, and fatt is based on the new tshark. I created a separate branch (old-tshark) that works with the old tshark though: https://github.com/0x4D31/fatt/tree/old-tshark Please let me know if it works with your tshark version.

0x4D31 commented 5 years ago

see #2
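
Added example (not part of the thread and not fatt's own code): a pre-flight check for the 'ssl' to 'tls' rename described in the reply above, so a capture tool reports the mismatch instead of printing nothing. The 3.0 cut-over is the Wireshark release that renamed the dissector; the function names and sample banners are constructed for illustration, and the filter rewrite assumes the field only differs by its prefix.

```python
import re
import shutil
import subprocess

# Wireshark/tshark 3.0 renamed the "ssl" dissector to "tls"; older builds reject "tls".
TLS_RENAME_VERSION = (3, 0, 0)
_BANNER_RE = re.compile(r"TShark\s+(?:\(Wireshark\)\s+)?(\d+)\.(\d+)\.(\d+)")
_UNKNOWN_PROTO_RE = re.compile(r'tshark: Unknown protocol -- "([^"]+)"')

# Constructed sample banners, in the format of the first line of `tshark -v`.
OLD_BANNER = "TShark (Wireshark) 2.6.8 (Git v2.6.8 packaged as 2.6.8-1.1)"
NEW_BANNER = "TShark (Wireshark) 3.0.1 (Git v3.0.1 packaged as 3.0.1-1)"
# stderr line as quoted in the issue above.
ISSUE_STDERR = 'tshark: Unknown protocol -- "tls"\n'

def parse_tshark_version(banner):
    """Return (major, minor, patch) from `tshark -v` output, or None."""
    m = _BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def tls_protocol_name(version):
    """Dissector name this tshark build accepts for TLS traffic."""
    return "tls" if version >= TLS_RENAME_VERSION else "ssl"

def adapt_filter(display_filter, version):
    """Rewrite the tls.* prefix to ssl.* for pre-3.0 tshark (prefix-only assumption)."""
    if tls_protocol_name(version) == "tls":
        return display_filter
    return re.sub(r"\btls\b", "ssl", display_filter)

def explain_tshark_stderr(stderr, version):
    """Turn the 'Unknown protocol' stderr line into an actionable message, or None."""
    m = _UNKNOWN_PROTO_RE.search(stderr)
    if m is None:
        return None
    return ("tshark %s does not know protocol %r; use %r or upgrade tshark"
            % (".".join(map(str, version)), m.group(1), tls_protocol_name(version)))

def installed_tshark_version():
    """Version of the local tshark, or None if it is missing or unparseable."""
    path = shutil.which("tshark")
    if path is None:
        return None
    out = subprocess.run([path, "-v"], capture_output=True, text=True, timeout=10)
    return parse_tshark_version(out.stdout)

if __name__ == "__main__":
    print("local tshark:", installed_tshark_version())
    old = parse_tshark_version(OLD_BANNER)
    print(adapt_filter("tls.handshake.type == 1", old))
    print(explain_tshark_stderr(ISSUE_STDERR, old))
```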