KimiNewt / pyshark

Python wrapper for tshark, allowing python packet parsing using wireshark dissectors
MIT License

TShark seems to have crashed (retcode: 2). Try rerunning in debug mode [ capture_obj.set_debug() ] or try updating tshar #514

Open seanachao opened 2 years ago

seanachao commented 2 years ago

My code, example 1:

        caps = pyshark.FileCapture(self.filename)
        caps.set_debug()
        #self.caps_len = len(caps)

        src_host = ""
        dst_host = ""
        flow_packet = 0
        flow_bytes = 0
        index = 0 
        for counter,packet in enumerate(caps):
            if 'tcp' in dir(packet):
                #print(packet.tcp.stream)
                print(counter)
                src_host = packet.ip.src
                dst_host = packet.ip.dst
                flow_packet += 1
                flow_bytes += int(packet.tcp.len,10)
                if packet.tcp.stream not in self.features:
                    self.features.update({packet.tcp.stream:[src_host,dst_host,flow_packet,flow_bytes]})
                else:
                    self.features[packet.tcp.stream][2]+=1  #ToDoList
                    self.features[packet.tcp.stream][3]+=flow_bytes
                    pass #todo list

        return src_host,dst_host,flow_packet,flow_bytes

There was an error:

TShark seems to have crashed (retcode: 2). Try rerunning in debug mode [ capture_obj.set_debug() ] or try updating tshar

But if I use code example 2:

    file = './peer0.org1.pcap'
    cap = pyshark.FileCapture(file)
    #cap.load_packets(timeout=100000000)
    #cap.set_debug()
    for counter, pkt in enumerate(cap):
        if "tcp" in dir(pkt):
            print(pkt.tcp.stream)
            print(counter)

there is no error. What should I do so that my example 1 works normally?

emptymo commented 2 years ago

I have the same problem :(

luoyexiaohe commented 2 years ago

Same problem, but it happened with the sniff method.

GiovanniColonni commented 2 years ago

Same problem here when reading a capture with FileCapture

luoyexiaohe commented 2 years ago

Guys, I know how to deal with this. Call the function named set_debug, then you can see what the problem is in the console. My problem was that my Wireshark was broken. When I installed it again, the problem was gone. Good luck!

wangzeyu9766 commented 2 years ago

You need matching versions. Mine: Wireshark-win64-2.4.2 / pyshark==0.4.2.7. This error will also occur if you illegally block and intercept. Good luck!

vladenache13 commented 1 year ago

Is there any mapping for Wireshark-Version / pyshark_version compatibility?

herugen commented 1 year ago

Same question. It turns out that the pcap file appears to have been cut short in the middle of a packet. This should not cause a crash; pyshark should just ignore the notice.

sindhuh1 commented 8 months ago

Same issue, need support in handling this error "appears to have been cut short in the middle of a packet"

sindhuh1 commented 8 months ago

> Guys, I know how to deal with this. Call the function named set_debug, then you can see what the problem is in the console. My problem was that my Wireshark was broken. When I installed it again, the problem was gone. Good luck!

Does this mean you reinstalled Wireshark and the issue is fixed after that?

luoyexiaohe commented 8 months ago

> > Guys, I know how to deal with this. Call the function named set_debug, then you can see what the problem is in the console. My problem was that my Wireshark was broken. When I installed it again, the problem was gone. Good luck!
>
> Does this mean you reinstalled Wireshark and the issue is fixed after that?

Yes.

luoyexiaohe commented 8 months ago

> > Guys, I know how to deal with this. Call the function named set_debug, then you can see what the problem is in the console. My problem was that my Wireshark was broken. When I installed it again, the problem was gone. Good luck!
>
> Does this mean you reinstalled Wireshark and the issue is fixed after that?

But you should call the function first and find out what the problem is for you.

vladenache13 commented 4 months ago

Hello everybody, I think I have found a solution for this.

MY SITUATION: I am logging something with "tcpdump" in the background of an Ubuntu server. After some time I was stopping the tcpdump with "sudo kill -SIGKILL ".

NOTE: When you open that pcap log in Wireshark, Wireshark pops up an error message saying that "the captured file appears to have been cut short in the middle".

Then I was copying the pcap file onto a Windows machine and manipulating it with pyshark.

This was cutting the packet off while it was being written and made the tshark call from pyshark crash. I should have had an uncorrupted pcap file for pyshark to read.

I did this by stopping the tcpdump process in the Ubuntu background with "sudo kill -SIGINT ". This command makes the log stop cleanly, interrupting after the last packet has been nicely written.

I hope this helps.
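An added example, not part of the original thread or of pyshark: a standard-library check that detects the truncated final record described above before the file is handed to `pyshark.FileCapture`, and writes a copy without it. It assumes the classic pcap format (not pcapng); the function names and the sample bytes are constructed for illustration.

```python
import struct

# Byte order for each classic pcap magic (microsecond and nanosecond variants).
# pcapng files are not handled by this sketch.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def scan_pcap(data):
    """Return (complete_packets, good_length, truncated) for classic pcap bytes."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian = MAGICS[data[:4]]
    offset, count = 24, 0                  # records follow the 24-byte global header
    while offset < len(data):
        if offset + 16 > len(data):
            return count, offset, True     # cut inside a 16-byte record header
        # Record header: ts_sec, ts_frac, incl_len, orig_len; only incl_len is needed.
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        end = offset + 16 + incl_len
        if end > len(data):
            return count, offset, True     # cut inside the packet bytes
        offset, count = end, count + 1
    return count, offset, False

def trim_pcap_file(src_path, dst_path):
    """Copy src to dst without a partial last record; return (packets, was_truncated)."""
    with open(src_path, "rb") as f:
        data = f.read()                    # whole file in memory; fine for modest captures
    count, good_length, truncated = scan_pcap(data)
    with open(dst_path, "wb") as f:
        f.write(data[:good_length])
    return count, truncated

def sample_pcap():
    """Constructed sample: global header plus two 60-byte records (link type 1)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 0, 0, 60, 60) + b"\x00" * 60
    return header + record + record

if __name__ == "__main__":
    cut = sample_pcap()[:-20]              # simulate a writer killed mid-packet
    print("intact:", scan_pcap(sample_pcap()))
    print("cut:   ", scan_pcap(cut))
```

Running `trim_pcap_file` on a capture and passing the output path to `pyshark.FileCapture` keeps every complete packet while dropping only the partial record.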

lowmao19 commented 3 months ago

When you get an error like "have been cut short in the middle of a packet", if you want to preserve the parsing results of the cap, you can modify pyshark\capture\capture.py, starting at line 378. Try to ignore this exception, as in my code below:

    if "cut short in the middle of a packet" in self._last_error_line:
        self._log.debug(f"err: {self._last_error_line}")
        # return
    else:
        raise TSharkCrashException........

Tayoou commented 3 months ago

Same problem when I use tshark to read FileCapture. I found a solution on the tshark website and it's useful for me. You can try to use "reordercap" to fix your packets. Here is the usage: `reordercap your_source.pcap temp.pcap`. However, I do not know if "reordercap" will have any effect on the packets. So be careful.

Here is the webpage of tshark: https://tshark.dev/share/pcap_preparation/