KimiNewt / pyshark

Python wrapper for tshark, allowing python packet parsing using wireshark dissectors
MIT License

low performance in parsing pcap file #144

Closed fanbin closed 5 years ago

fanbin commented 8 years ago

I have a pcap file of around 3MB. Parsing it using pyshark through FileCapture(xxx) (and iterating through it without doing any operation) takes around 1min, while using tshark -r xxx.pcap takes only several seconds.

My code is like

from pyshark import FileCapture

# fd is the path to the pcap file
fl = FileCapture(fd, keep_packets=False)
for packet in fl:
    pass  # placeholder: this operation is minimal and takes almost no time

I understand pyshark will call tshark to parse the pcap file, but I have not yet found the reason for the huge performance gap.

Is that the normal case, or have I misused pyshark? Any idea how to improve this speed?

senft commented 8 years ago

pyshark calls tshark -T pdml, which enables parsing into "Packet Details Markup Language, an XML-based format for the details of a decoded packet."

What did you compare pyshark to?

suntanu commented 8 years ago

Hello, I have a pcap file of 50Mb. I need to verify each packet and say whether it is a pass or a fail. Parsing and validating 9000 packets takes more than 1min. Is there a better solution? I have pasted my sample code here.

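import pyshark

# Counters and the timestamp list are initialised here so the loop can run
AAF_Count = 0
avtpcount = 0
timelist = []

# Raw string so the backslashes in the Windows path are not read as escapes
data_record = pyshark.FileCapture(r'D:\Automation_Tool_Working\Automation_FrameWork\Demo_Automation_tool\MGU_RAM.pcap', keep_packets=False, display_filter='ieee1722')
for record in data_record:
    avtp_data_record = record
    if avtp_data_record.frame_info.protocols == 'eth:ethertype:vlan:ethertype:ieee1722:1722a':
        avtp1 = 3
    else:
        avtp1 = avtp  # avtp is not defined in the pasted snippet

    # Only subtypes 4 and 2 are counted; every other packet is skipped
    if avtp_data_record.ieee1722.subtype == '4' or avtp_data_record.ieee1722.subtype == '2':
        AAF_Count = AAF_Count + 1
    else:
        continue

    timelist.append(float(avtp_data_record.frame_info.time_relative))

    avtpcount = avtpcount + 1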

Am I doing something wrong? How do I validate the complete pcap file?
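
Following up on the `tshark -T pdml` point raised in the thread, an added example (not posted by any participant and not pyshark's own code): when a check needs only a couple of fields, tshark can be asked to print just those with `-T fields`, so no PDML XML is generated or parsed. The function names and the sample lines are constructed for illustration, and the `0x`-prefixed subtype formatting is an assumption about tshark's output that the parser tolerates either way.

```python
import subprocess

# Fields the validation script in the thread actually reads.
FIELDS = ("frame.time_relative", "ieee1722.subtype")
WANTED_SUBTYPES = {2, 4}  # the two subtype values that script counts


def tshark_command(pcap_path, display_filter="ieee1722"):
    """Build a tshark call that prints only FIELDS, tab-separated, one packet per line."""
    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields"]
    for name in FIELDS:
        cmd += ["-e", name]
    return cmd


def parse_subtype(text):
    """Accept either hex ('0x02') or decimal ('2') field formatting."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def summarize(lines):
    """Return (matching packet count, relative timestamps) from tshark field lines."""
    times = []
    for line in lines:
        cols = line.rstrip("\n").split("\t")
        if len(cols) != len(FIELDS) or not all(cols):
            continue  # a field is absent in this packet, skip it
        if parse_subtype(cols[1]) in WANTED_SUBTYPES:
            times.append(float(cols[0]))
    return len(times), times


def summarize_pcap(pcap_path):
    """Stream tshark output line by line so memory stays flat on large captures."""
    with subprocess.Popen(tshark_command(pcap_path),
                          stdout=subprocess.PIPE, text=True) as proc:
        return summarize(proc.stdout)


# Constructed sample of `tshark -T fields` output (not taken from a real capture).
SAMPLE = ["0.000000000\t0x02\n", "0.000125000\t0x00\n",
          "0.000250000\t4\n", "0.000375000\t\n"]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

`summarize_pcap` needs tshark on the PATH; `summarize` can be exercised on captured text alone.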