Poniższy kod wykrywa retransmisje TCP w pyshark
import pyshark
###################################################
# these filters can be applied under LiveCapture
# display_filter: A display (wireshark) filter to apply on the cap before reading it.
# display_filter='tcp.analysis.fast_retransmission'
# display_filter='tcp.analysis.retransmission'
###################################################
capture = pyshark.LiveCapture(interface='en1', display_filter='tcp.analysis.fast_retransmission')
capture.sniff(timeout=50)
for packet in capture.sniff_continuously(packet_count=5):
print ('Just arrived:', packet)
Powinien wyświetlać to w pakietach:
# display_filter='tcp.analysis.retransmission'
TCP Analysis Flags
Expert Info (Note/Sequence): This frame is a (suspected) retransmission
This frame is a (suspected) retransmission
# display_filter='tcp.analysis.fast_retransmission'
TCP Analysis Flags
This frame is a (suspected) fast retransmission
This frame is a (suspected) retransmission
Expert Info (Note/Sequence): This frame is a (suspected) fast retransmission
Expert Info (Note/Sequence): This frame is a (suspected) retransmission
Jeśli dodasz only_summaries = True w LiveCapture , zobaczysz coś takiego:
Just arrived: 223 71.890878 fe80::cabc:c8ff:feec:d46d fe80::1416:1ca1:307c:b0e6 TCP 86 [TCP Spurious Retransmission] 59005 \xe2\x86\x92 49373 [FIN, ACK] Seq=1855 Ack=2365 Win=4096 Len=0 TSval=930665353 TSecr=692710576
Just arrived: 371 121.293913 fe80::1416:1ca1:307c:b0e6 fe80::cabc:c8ff:feec:d46d TCP 98 [TCP Retransmission] 62078 \xe2\x86\x92 59012 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1440 WS=64 TSval=692717653 TSecr=930714614 SACK_PERM=1
Możesz także filtrować te pakiety bardziej szczegółowo, stosując filtr bpf_filter w LiveCapture, aby odfiltrować retransmisję TCP.
import pyshark
capture = pyshark.LiveCapture(interface='en1', bpf_filter='ip and tcp port 443', display_filter='tcp.analysis.retransmission')
capture.sniff(timeout=50)
for packet in capture.sniff_continuously(packet_count=5):
print ('Just arrived:', packet)
Oto jeden ze sposobów na odczytanie pcap za pomocą pyshark:
capture = pyshark.FileCapture('test.pcap', display_filter='tcp.analysis.retransmission')
counter = 0
for packet in capture:
counter +=1
print ('*' * 10, f'Retransmission packet {counter}:', '*' * 10)
# output
********** Retransmission packet 1: **********
********** Retransmission packet 2: **********
********** Retransmission packet 3: **********
********** Retransmission packet 4: **********
********** Retransmission packet 5: **********