Sniff_continuously collects less packets than Wireshark GUI does? #706

Open
chu55 opened this issue Aug 23, 2024 · 0 comments
chu55 commented Aug 23, 2024

Describe the bug
I want to write a function which can count the total length of data sent to specific IP addresses, running with async. But it turns out that the function can only count 50%-60% of the total data. In case the problem comes from async, I wrote a simplified test program to see if sniff_continuously works properly. But it seems like the total data it counts is also 50-60% of the number from Wireshark.

To Reproduce
Here is the test file I wrote:

```python
import pyshark

def live():
    # Capture on all interfaces, with no capture or display filter applied
    capture = pyshark.LiveCapture(interface='any')
    total_data_sent_by_ip = {}   # destination IP -> summed frame length
    ip_frequency_count = {}      # destination IP -> packet count
    print("--------------------------------------------started!")
    for packet in capture.sniff_continuously():
        try:
            if hasattr(packet, 'ip'):
                dst = packet.ip.dst
                if dst in total_data_sent_by_ip:
                    total_data_sent_by_ip[dst] += int(packet.length)
                    ip_frequency_count[dst] += 1
                else:
                    total_data_sent_by_ip[dst] = int(packet.length)
                    ip_frequency_count[dst] = 1
        except AttributeError as e:
            print(f"Attribute error:{e}")
        except Exception as e:
            print(f"other error:{e}")

        # Rewrite the result file after every packet so the latest counts
        # are on disk when the script is stopped
        with open("test_result.txt", "w") as file:
            file.write(str(total_data_sent_by_ip) + '\n' + str(ip_frequency_count))

live()
```

When I ran my upload client to upload a file (I know the destination IP), I ran this test file together with Wireshark, without any filter applied. When the upload was complete, I stopped both Python and Wireshark. I used pandas to process the Wireshark CSV and also summed the packet lengths for every IP.

Expected behavior
I believe the results from both ways should be almost the same, considering there's only a small difference in time from starting each program one by one. But actually a huge difference is shown, not only for the upload destination IP but also for other IPs.

For example, the test Python script said there were 24,532 packets in total sent to destination A, with a total length of 113Mb, but for Wireshark it's 52,387 packets with 230Mb. The proportion of missing packets for each destination is not the same, and when I rerun both programs the proportions differ as well. So I cannot find a definite pattern in it.

Versions (please complete the following information):

  • OS: Linux Ubuntu 20
  • pyshark version: 0.6
  • tshark version: TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Example pcap / packet
If applicable, add an example pcap file as an attachment, or post the packet as a hex string or a JSON/XML (export packet dissection in wireshark/tshark).

@chu55 chu55 added the bug label Aug 23, 2024
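A reworked version of the same measurement, added here as an example (not code from the original issue or from the pyshark project). It keeps the per-packet path free of file I/O and writes the report once when the capture stops, because a live consumer that falls behind tshark can let the capture buffer overflow and drop frames; it also derives the same per-destination totals from a Wireshark CSV export and reports the observed/reference ratio per destination, which is the number the report above is trying to pin down. Assumptions: packet objects expose `.ip.dst` and `.length` as pyshark's `Packet` does; the CSV uses Wireshark's default export columns (`Destination`, `Length`); the sample packets and CSV rows are constructed, not real traffic; `run_live` needs pyshark/tshark installed and is not exercised offline.

```python
"""Per-destination byte and packet accounting for a packet capture.

Added example, not code from the issue or from pyshark. Packet objects are
duck-typed: anything with `.ip.dst` and `.length` works (pyshark's Packet,
or the constructed _Packet below).
"""
import csv
import io
import json
from collections import defaultdict


def _new_stats():
    return defaultdict(lambda: {"bytes": 0, "packets": 0})


def aggregate_by_destination(packets, stats=None):
    """Sum frame length and packet count per destination IPv4 address.

    `stats` may be passed in so the caller keeps a reference to partial
    results if the iterator is interrupted (Ctrl-C on a live capture).
    Packets without an IP layer (ARP, IPv6-only frames, ...) are skipped.
    No I/O happens here: the per-packet path stays as cheap as possible.
    """
    if stats is None:
        stats = _new_stats()
    for packet in packets:
        ip_layer = getattr(packet, "ip", None)
        if ip_layer is None:
            continue
        entry = stats[ip_layer.dst]
        entry["bytes"] += int(packet.length)
        entry["packets"] += 1
    return stats


def aggregate_wireshark_csv(csv_text):
    """Same accounting from a Wireshark 'Export Packet Dissections -> CSV'."""
    stats = _new_stats()
    for row in csv.DictReader(io.StringIO(csv_text)):
        dst = row["Destination"]
        if ":" in dst or dst.count(".") != 3:   # crude: keep IPv4 rows only
            continue
        stats[dst]["bytes"] += int(row["Length"])
        stats[dst]["packets"] += 1
    return stats


def capture_ratio(observed, reference):
    """Fraction of reference bytes seen per destination (1.0 == no loss)."""
    return {dst: observed.get(dst, {"bytes": 0})["bytes"] / ref["bytes"]
            for dst, ref in reference.items() if ref["bytes"]}


def write_report(stats, path):
    with open(path, "w") as fh:
        json.dump(dict(stats), fh, indent=2)


def run_live(interface="any", bpf_filter=None, pcap_path=None,
             report_path="test_result.txt"):
    """Live variant; needs pyshark/tshark, not exercised offline.

    `pcap_path` makes tshark also save the raw frames, so the same capture
    can be re-counted with pyshark.FileCapture and opened in Wireshark.
    """
    import pyshark  # assumed installed
    stats = _new_stats()
    capture = pyshark.LiveCapture(interface=interface, bpf_filter=bpf_filter,
                                  output_file=pcap_path)
    try:
        aggregate_by_destination(capture.sniff_continuously(), stats)
    except KeyboardInterrupt:
        pass
    finally:
        write_report(stats, report_path)   # written once, on stop
    return dict(stats)


# --- constructed sample data (not real traffic) ---------------------------
class _Layer:
    def __init__(self, dst):
        self.dst = dst


class _Packet:
    def __init__(self, dst, length):
        if dst is not None:          # dst=None models a frame with no IP layer
            self.ip = _Layer(dst)
        self.length = length


SAMPLE_PACKETS = [_Packet("10.0.0.5", 1500), _Packet("10.0.0.5", 66),
                  _Packet("10.0.0.9", 74), _Packet(None, 42)]

SAMPLE_CSV = (
    '"No.","Time","Source","Destination","Protocol","Length","Info"\n'
    '"1","0.000","10.0.0.2","10.0.0.5","TCP","1500","data"\n'
    '"2","0.001","10.0.0.2","10.0.0.5","TCP","66","ack"\n'
    '"3","0.002","10.0.0.2","10.0.0.5","TCP","1500","data"\n'
    '"4","0.003","10.0.0.2","10.0.0.9","TCP","74","syn"\n'
)

if __name__ == "__main__":
    seen = aggregate_by_destination(SAMPLE_PACKETS)
    reference = aggregate_wireshark_csv(SAMPLE_CSV)
    print(capture_ratio(seen, reference))   # 10.0.0.5 below 1.0, 10.0.0.9 at 1.0
```

To separate capture loss from counting differences, run `aggregate_by_destination(pyshark.FileCapture(pcap_path))` over the pcap that `run_live` saved and compare it with the live result: if the offline count matches Wireshark and the live count does not, the frames were dropped before Python saw them rather than miscounted.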