nflog requires you to specify the nglog group - an index - you want to capture. in tshart, dumppcap and tcpdump this works as expected. pyshark does not seem to support this.
cap = pyshark.LiveCapture('nflog', bpf_filter='ip and tcp') executes but does not result in packets
cap = pyshark.LiveCapture('nflog:1', bpf_filter='ip and tcp') does in tcpdump and tshark results in packets but in pyshark resuls in below error message:
sudo python3 cap.py
2024-09-22 16:53:15,055 - LiveCapture - DEBUG - Creating Dumpcap subprocess with parameters: /usr/bin/dumpcap -q -i nflog:1 -w -
2024-09-22 16:53:15,056 - LiveCapture - DEBUG - Dumpcap subprocess (pid 12513) created
Traceback (most recent call last):
....
File "/usr/local/lib/python3.10/dist-packages/pyshark/capture/live_capture.py", line 82, in _verify_capture_parameters
raise UnknownInterfaceException(
pyshark.capture.live_capture.UnknownInterfaceException: Interface 'nflog:1' does not exist, unable to initiate capture. Perhaps permissions are missing?
Possible interfaces:
...
nflog
....
See also https://wiki.wireshark.org/CaptureSetup/NFLOG.
It does however start a dumppcap process and leaves it running even after exit.
anvilvapre
commented
1 month ago
nflog requires you to specify the nglog group - an index - you want to capture. in tshart, dumppcap and tcpdump this works as expected. pyshark does not seem to support this.
cap = pyshark.LiveCapture('nflog', bpf_filter='ip and tcp')executes but does not result in packetscap = pyshark.LiveCapture('nflog:1', bpf_filter='ip and tcp')does in tcpdump and tshark results in packets but in pyshark resuls in below error message:See also
https://wiki.wireshark.org/CaptureSetup/NFLOG.It does however start a dumppcap process and leaves it running even after exit.