KimiNewt / pyshark

Python wrapper for tshark, allowing python packet parsing using wireshark dissectors
MIT License

Does RemoteCapture only works on windows? #95

Closed kkxue closed 3 years ago

kkxue commented 9 years ago

Hi, I want to use pyshark to read from a remote interface, but I found that RemoteCapture only works on Windows.

Here are my steps: 192.168.1.72 (remote server)

//download rpcapd-linux
# apt-get build-dep libpcap -y
# git clone https://github.com/frgtn/rpcapd-linux

//install rpcapd
# cd ./rpcapd-linux/libpcap
# ./configure && make
# cd ../ && make

//start rpcapd
# ./rpcapd  -n 

When I execute the code below:

>>> capture = pyshark.RemoteCapture('192.168.1.72', 'eth0')
>>> capture.sniff(timeout=50)
>>> capture

on linux:

>>> capture
<LiveCapture (0 packets)>

but on windows:

>>> cap
<RemoteCapture (58 packets)>

Why? Maybe WinPcap works but libpcap does not?

KimiNewt commented 9 years ago

It's odd that the reprs appear the same. Are you running the same version of pyshark and python?

Also attempt to run "cap.set_debug()" before running "sniff()" and see if anything interesting comes up.

kkxue commented 9 years ago

Hi KimiNewt, Python & pyshark versions:

linux(centos7):

[root@localhost ~]# python
Python 2.7.5 (default, Jun 24 2015, 00:41:19)
[GCC 4.8.3 20140911 (Red Hat 4.8.3-9)] on linux2

[root@localhost ~]# pip show pyshark

---
Metadata-Version: 1.0
Name: pyshark
Version: 0.3.3
Summary: Python wrapper for tshark, allowing python packet parsing using wireshark dissectors
Home-page: https://github.com/KimiNewt/pyshark
Author: KimiNewt
Author-email: UNKNOWN
License: UNKNOWN
Location: /usr/lib/python2.7/site-packages
Requires: lxml, py, trollius, logbook

windows(win8):

D:\TDDownload$ python
Python 2.7.9 (default, Dec 10 2014, 12:28:03) [MSC v.1500 64 bit (AMD64)] on win32

D:\TDDownload$ pip show pyshark
---
Name: pyshark
Version: 0.3.6
Location: d:\python27\lib\site-packages\pyshark-0.3.6-py2.7.egg
Requires: lxml, py, trollius, logbook
D:\TDDownload$

kkxue commented 9 years ago

I think libpcap 1.5.3 (centos7) does not support remote interface capture. Attempting to run "cap.set_debug()":

linux(centos7):

[root@localhost ~]# python
Python 2.7.5 (default, Jun 24 2015, 00:41:19)
[GCC 4.8.3 20140911 (Red Hat 4.8.3-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyshark
>>>
>>> cap = pyshark.RemoteCapture('192.168.1.72','eth0')
>>> cap.set_debug()
>>> cap.sniff(timeout=10)
[2015-08-26 10:04] DEBUG: RemoteCapture: Creating TShark subprocess with parameters: /usr/sbin/tshark -n -T pdml -i rpcap://192.168.1.72:2002/eth0
[2015-08-26 10:04] DEBUG: RemoteCapture: TShark subprocess created
[2015-08-26 10:04] DEBUG: RemoteCapture: Starting to go through packets
[2015-08-26 10:04] DEBUG: RemoteCapture: EOF reached
>>> cap
<RemoteCapture (0 packets)>

[root@localhost ~]# tshark -n -T pdml -i rpcap://192.168.1.72:2002/eth0
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="pdml2html.xsl"?>
<!-- You can find pdml2html.xsl in /usr/share/wireshark or at http://anonsvn.wireshark.org/trunk/wireshark/pdml2html.xsl. -->
<pdml version="0" creator="wireshark/1.10.3" time="Wed Aug 26 06:14:03 2015" capture_file="">
Running as user "root" and group "root". This could be dangerous.
Capturing on 'rpcap://192.168.1.72:2002/eth0'
tshark: The capture session could not be initiated (No such device exists).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
</pdml>

windows(win8):

D:\TDDownload$ python
Python 2.7.9 (default, Dec 10 2014, 12:28:03) [MSC v.1500 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> import pyshark
>>> cap = pyshark.RemoteCapture('192.168.1.72','eth0')
>>> cap.set_debug()
>>> cap.sniff(timeout=10)
Capturing on 'rpcap://192.168.1.72:2002/eth0'
tshark: Couldn't set the capture buffer size!
The capture buffer size of 2 MiB seems to be too high for your machine,
the default of 2 MiB will be used.

Nonetheless, the capture is started.

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "D:\Python27\lib\site-packages\pyshark-0.3.6-py2.7.egg\pyshark\capture\capture.py", line 109, in load_packets
    self.apply_on_packets(keep_packet, timeout=timeout)
  File "D:\Python27\lib\site-packages\pyshark-0.3.6-py2.7.egg\pyshark\capture\capture.py", line 201, in apply_on_packets

    return self.eventloop.run_until_complete(coro)
  File "D:\Python27\lib\site-packages\trollius-2.0-py2.7-win-amd64.egg\trollius\base_events.py", line 350, in run_until_complete
    return future.result()
  File "D:\Python27\lib\site-packages\trollius-2.0-py2.7-win-amd64.egg\trollius\futures.py", line 286, in result
    raise self._exception
UnicodeEncodeError: 'ascii' codec can't encode characters in position 32-37: ordinal not in range(128)
>>>
>>> import sys
>>> sys.setdefaultencoding('utf8')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'module' object has no attribute 'setdefaultencoding'
>>> reload(sys)
<module 'sys' (built-in)>
>>>
>>> sys.setdefaultencoding('utf8')
>>>
>>> cap.sniff(timeout=10)
Capturing on 'rpcap://192.168.1.72:2002/eth0'
tshark: Couldn't set the capture buffer size!
The capture buffer size of 2 MiB seems to be too high for your machine,
the default of 2 MiB will be used.

Nonetheless, the capture is started.

40 >>>
>>> cap
<RemoteCapture (40 packets)>
>>>
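The debug log above shows what pyshark actually does: it launches `tshark -n -T pdml -i rpcap://192.168.1.72:2002/eth0` and the outcome depends entirely on whether the local libpcap can open an `rpcap://` device. The following is an added example (not pyshark's code and not from the thread): it rebuilds that interface string with input validation, classifies tshark's diagnostic text into the two outcomes seen in the thread (CentOS 7 libpcap reporting "No such device exists" versus Windows starting the capture after a harmless buffer-size warning), and optionally probes a local `tshark` (assumed to be on PATH) so the local side can be checked before suspecting rpcapd. The allow-list regexes and the verdict names are my own choices.

```python
"""Diagnosing remote (rpcap) capture failures seen through pyshark.

Added example, not code from pyshark or from the issue thread. It rebuilds
the interface spec pyshark passed to tshark in the debug log
("rpcap://192.168.1.72:2002/eth0"), classifies tshark's stderr into the
outcomes seen in the thread, and can probe a local tshark (assumed on PATH).
"""
import re
import shutil
import subprocess

DEFAULT_RPCAP_PORT = 2002  # the port pyshark used in the debug log above

# Conservative allow-lists (my choice, not pyshark's): tshark is launched
# without a shell, but a value beginning with "-" would still be parsed by
# tshark as an option, so only plain host names / interface names pass.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")
_IFACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:\-]*$")


def build_rpcap_interface(host, iface, port=DEFAULT_RPCAP_PORT):
    """Return the rpcap:// interface spec tshark expects, validating inputs."""
    if not _HOST_RE.match(host):
        raise ValueError("unsafe host for rpcap URI: %r" % (host,))
    if not _IFACE_RE.match(iface):
        raise ValueError("unsafe interface name for rpcap URI: %r" % (iface,))
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range: %r" % (port,))
    return "rpcap://%s:%d/%s" % (host, int(port), iface)


def classify_tshark_output(diagnostics):
    """Map tshark's stderr text to one verdict.

    'remote-unsupported': the local libpcap cannot open rpcap:// devices
                          (the CentOS 7 session in the thread);
    'capture-failed':     some other capture initiation error;
    'started':            capture started, possibly after the benign
                          buffer-size warning seen on Windows;
    'unknown':            nothing recognisable.
    """
    text = diagnostics.lower()
    if "no such device exists" in text:
        return "remote-unsupported"
    if "could not be initiated" in text:
        return "capture-failed"
    if "nonetheless, the capture is started" in text or "capturing on" in text:
        return "started"
    return "unknown"


def probe_remote_capture(host, iface, port=DEFAULT_RPCAP_PORT, seconds=5):
    """Run tshark once against the remote interface and classify the result.

    Uses real tshark options only: -n (no name resolution), -c 1 (stop
    after one packet) and -a duration:N (stop after N seconds regardless).
    """
    tshark = shutil.which("tshark")
    if tshark is None:
        return "tshark-missing", ""
    cmd = [tshark, "-n", "-c", "1", "-a", "duration:%d" % seconds,
           "-i", build_rpcap_interface(host, iface, port)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=seconds + 10)
    except subprocess.TimeoutExpired as exc:
        stderr = exc.stderr or b""
        if isinstance(stderr, bytes):
            stderr = stderr.decode("utf-8", "replace")
        return "timeout", stderr
    return classify_tshark_output(proc.stderr), proc.stderr


# tshark diagnostics copied from the two sessions in the thread above.
LINUX_STDERR = (
    "Running as user \"root\" and group \"root\". This could be dangerous.\n"
    "Capturing on 'rpcap://192.168.1.72:2002/eth0'\n"
    "tshark: The capture session could not be initiated (No such device exists).\n"
)
WINDOWS_STDERR = (
    "Capturing on 'rpcap://192.168.1.72:2002/eth0'\n"
    "tshark: Couldn't set the capture buffer size!\n"
    "The capture buffer size of 2 MiB seems to be too high for your machine,\n"
    "the default of 2 MiB will be used.\n\n"
    "Nonetheless, the capture is started.\n"
)

if __name__ == "__main__":
    print(build_rpcap_interface("192.168.1.72", "eth0"))
    print("linux:  ", classify_tshark_output(LINUX_STDERR))
    print("windows:", classify_tshark_output(WINDOWS_STDERR))
```

Running the classifier over the two captured outputs gives `remote-unsupported` for the CentOS 7 session and `started` for the Windows one, which matches the thread's conclusion that the difference is in the local libpcap rather than in pyshark. `probe_remote_capture` lets you confirm the same thing on a new host without going through pyshark at all.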