7.4. PCAP API

Most operations can be performed with the PcapFile class. Its public methods are as follows:

7.4.1. PcapFile Objects

class steelscript.wireshark.core.pcap.PcapFile(filename)
delete()

Removes the filename from the PcapFile object and deletes the file from disk

export(filename, starttime=None, endtime=None, duration=None)

Writes and returns a new PCAP file derived from this one, optionally restricted to the packets selected by starttime, endtime or duration. Internally uses editcap

Parameters:
  • filename (str) – the name of the new PCAP file to be created/exported from the existing PCAP file
  • starttime (str) – defines a start time filter
  • endtime (str) – defines an end time filter
  • duration (str) – defines a duration filter
info()

Returns info on the pcap file; internally uses capinfos -A -m -T or steelscript’s pcap library, depending on the environment.

query(fieldnames, filterexpr=None, starttime=None, endtime=None, duration=None, use_tshark_fields=True, occurrence='a', aggregator=', ', as_dataframe=False, use_ss_packets=True)

Parses the PCAP file and returns the data in a tabular format. NOTE: with OCCURRENCE_ALL, an exception is raised if more than one of the requested fields has multiple values.

Parameters:
  • fieldnames (list) – a list of field names for the desired values; the aggregator string separates the columns
  • filterexpr (str) – the filter expression used by tshark for refining your data
  • starttime (str) – defines a start time filter for the query
  • endtime (str) – defines an end time filter for the query
  • duration (str) – defines a duration filter for the query
  • use_tshark_fields (bool) – use the internal class TSharkField for more flexibility during data manipulation. Defaults to True.
  • occurrence (str) –

    defines if you want the first, last, or all occurrences. Values:

    • ‘f’ (PcapFile.OCCURRENCE_FIRST) - First
    • ‘l’ (PcapFile.OCCURRENCE_LAST) - Last
    • ‘a’ (PcapFile.OCCURRENCE_ALL) - All
  • aggregator (str) – delimiter string for separating columns (aka tshark fields)
  • as_dataframe (bool) – if true, returns a Pandas DataFrame with the results of the query; if false, returns a list. Defaults to False.
  • use_ss_packets (bool) – if true, allows the use of the steelscript.packets pcap_query; if false, forces the use of tshark.
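The following is an added example, not code from steelscript.wireshark: it carves a time window out of a capture with export(), pulls DNS answers from the carved file with query() using OCCURRENCE_ALL, and then post-processes the aggregated cells in plain Python so the OCCURRENCE_ALL caveat above (more than one multi-valued field) is surfaced per row instead of aborting the whole query. Assumptions, labelled as such: the import path is the one in the class signature above; query(..., as_dataframe=False, use_tshark_fields=False) is taken to return rows as lists of per-field strings, one cell per entry in fieldnames, with occurrences of a field joined by the aggregator; the sample rows and the DNS field list are constructed for illustration.

```python
"""Added example (not part of steelscript.wireshark).

Assumption: PcapFile.query() with as_dataframe=False and use_tshark_fields=False
returns rows as lists of strings, one cell per requested field, where a field
seen several times in a packet is joined by the aggregator. Only the
end-to-end function needs steelscript, tshark and editcap; the helpers that
handle the aggregated cells run offline.
"""

try:
    # Import path taken from the documented class signature; guarded so the
    # pure helpers still work (and can be tested) without steelscript installed.
    from steelscript.wireshark.core.pcap import PcapFile
except ImportError:  # assumption: steelscript is not installed here
    PcapFile = None

# Constructed field set for the worked query: timestamp, client, name, A answers.
DNS_FIELDS = ["frame.time_epoch", "ip.src", "dns.qry.name", "dns.a"]
AGG = ","  # aggregator passed to query(); multi-valued cells come back joined by it


def split_cell(cell, aggregator=AGG):
    """Split one field cell into its occurrences.

    With OCCURRENCE_ALL a field that appears several times in one packet
    (every dns.a record in a response, say) arrives as one string joined by
    the aggregator; an empty cell means the field was absent from the packet.
    """
    if cell is None or cell == "":
        return []
    return cell.split(aggregator)


def explode_row(row, aggregator=AGG):
    """Expand one aggregated row into one row per occurrence.

    This is the caveat on query(): under OCCURRENCE_ALL, two or more columns
    that each carry several values cannot be paired up unambiguously, which
    is the condition the library reports with an exception. Here the same
    condition is raised as ValueError so the caller can decide to fall back
    to occurrence='f' or to a narrower field set for that row.
    """
    cells = [split_cell(c, aggregator) for c in row]
    multi = [i for i, c in enumerate(cells) if len(c) > 1]
    if len(multi) > 1:
        raise ValueError("columns %s all have multiple occurrences; pairing is "
                         "ambiguous, requery with occurrence='f' or fewer fields"
                         % multi)
    base = [c[0] if c else "" for c in cells]
    if not multi:
        return [base]
    idx = multi[0]
    exploded = []
    for value in cells[idx]:
        out = list(base)
        out[idx] = value
        exploded.append(out)
    return exploded


def explode_rows(rows, aggregator=AGG):
    """Explode every row; ambiguous rows are returned separately, not dropped."""
    flat, ambiguous = [], []
    for row in rows:
        try:
            flat.extend(explode_row(row, aggregator))
        except ValueError:
            ambiguous.append(row)
    return flat, ambiguous


def dns_answers_in_window(pcap_path, carved_path, starttime, endtime):
    """End-to-end use of the documented API (needs steelscript, tshark, editcap).

    1. export() carves the packets between starttime and endtime into carved_path
    2. query() pulls the DNS fields from the carved file, all occurrences
    3. the helpers above flatten the A-record answers one per row
    """
    if PcapFile is None:
        raise RuntimeError("steelscript.wireshark is not installed")
    PcapFile(pcap_path).export(carved_path, starttime=starttime, endtime=endtime)
    rows = PcapFile(carved_path).query(
        DNS_FIELDS, filterexpr="dns.flags.response == 1",
        occurrence=PcapFile.OCCURRENCE_ALL, aggregator=AGG,
        use_tshark_fields=False, as_dataframe=False)
    return explode_rows(rows, AGG)


# Constructed sample rows shaped like the aggregated output described above.
SAMPLE_ROWS = [
    ["1700000000.1", "10.0.0.5", "example.com", "93.184.216.34"],
    ["1700000000.2", "10.0.0.5", "cdn.example.net", "198.51.100.7,198.51.100.8"],
    ["1700000000.3", "10.0.0.9", "a.test,b.test", "203.0.113.1,203.0.113.2"],
    ["1700000000.4", "10.0.0.9", "nx.example", ""],
]

if __name__ == "__main__":
    flat, ambiguous = explode_rows(SAMPLE_ROWS)
    for r in flat:
        print("\t".join(r))
    print("ambiguous rows:", ambiguous)
```

On the sample input the second row expands into two rows (one per A record), the fourth keeps an empty answer column, and the third, where both dns.qry.name and dns.a are multi-valued, is reported as ambiguous rather than silently cross-joined. Querying with occurrence='f' avoids the ambiguity at the cost of dropping all but the first answer.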