{"id":5029,"library":"pyshark","title":"PyShark","description":"PyShark is a Python wrapper for TShark, the command-line network protocol analyzer that comes with Wireshark. It allows for Pythonic packet parsing and analysis by leveraging Wireshark's powerful dissection engine. The library is currently at version 0.6 and sees active development with several minor and patch releases per year, addressing compatibility and adding features.","status":"active","version":"0.6","language":"en","source_language":"en","source_url":"https://github.com/KimiNewt/pyshark","tags":["network-analysis","packet-capture","wireshark","tshark","cybersecurity","networking"],"install":[{"cmd":"pip install pyshark","lang":"bash","label":"Install PyShark"}],"dependencies":[{"reason":"PyShark is a wrapper around TShark, the command-line utility for Wireshark. TShark must be installed and accessible in your system's PATH for PyShark to function. It is typically installed as part of the Wireshark suite.","package":"tshark"},{"reason":"Runtime dependency for directory management.","package":"appdirs","optional":false},{"reason":"Runtime dependency for colored terminal output. Replaced 'py' dependency in v0.6.","package":"termcolor","optional":false},{"reason":"Runtime dependency for version parsing.","package":"packaging","optional":false},{"reason":"Runtime dependency for XML parsing, as PyShark utilizes TShark's XML export capabilities.","package":"lxml","optional":false}],"imports":[{"symbol":"LiveCapture","correct":"from pyshark import LiveCapture"},{"symbol":"FileCapture","correct":"from pyshark import FileCapture"}],"quickstart":{"code":"import pyshark\nimport os\n\n# Ensure TShark is installed and in your system's PATH.\n# For Windows, you might need to specify the interface like r'\\Device\\NPF_{YOUR-GUID}'\n# For macOS, 'en0' or 'en1' are common.\n# For Linux, 'eth0' or 'wlan0' are common.\ninterface_name = os.environ.get('PYSHARK_INTERFACE', 'eth0')\n\ntry:\n    # Create a LiveCapture object to sniff on the specified interface\n    # Use display_filter for Wireshark-style filtering, e.g., 'http or dns'\n    capture = pyshark.LiveCapture(interface=interface_name)\n    \n    print(f\"Capturing 5 packets on {interface_name}...\")\n    for packet in capture.sniff_continuously(packet_count=5):\n        # Access packet layers and fields\n        protocol = packet.highest_layer\n        src = packet.ip.src if 'IP' in packet else 'N/A'\n        dst = packet.ip.dst if 'IP' in packet else 'N/A'\n        print(f\"Packet: {packet.number} | Time: {packet.sniff_time} | Protocol: {protocol} | Source: {src} -> Dest: {dst}\")\n        \n        # Example: print DNS query name if available\n        if 'DNS' in packet and hasattr(packet.dns, 'qry_name'):\n            print(f\"    DNS Query: {packet.dns.qry_name}\")\n\nexcept FileNotFoundError:\n    print(\"Error: TShark not found. Please ensure Wireshark/TShark is installed and in your system's PATH.\")\nexcept Exception as e:\n    print(f\"An error occurred during capture: {e}\")\nfinally:\n    if 'capture' in locals() and capture:\n        capture.close() # Important: ensure the capture process is closed to prevent resource leaks\n","lang":"python","description":"This quickstart demonstrates how to perform a live packet capture using `pyshark.LiveCapture`. It sniffs 5 packets on a specified network interface (defaulting to 'eth0' or an environment variable) and prints basic information about each packet. It also includes error handling for the common `TShark not found` issue and ensures the capture process is properly closed. Remember to replace 'eth0' with your actual network interface name or set the `PYSHARK_INTERFACE` environment variable."},"warnings":[{"fix":"Upgrade to Python 3.7 or newer. Python 3.7+ is officially supported.","message":"PyShark dropped official support for Python 3.5 and 3.6 starting with version 0.6.","severity":"breaking","affected_versions":">=0.6"},{"fix":"Install Wireshark (which includes TShark) for your operating system and ensure `tshark` is added to your system's PATH environment variable. Verify installation by running `tshark --version` in your terminal.","message":"PyShark fundamentally relies on `tshark` (the command-line tool for Wireshark) being installed and accessible in your system's PATH. Without `tshark`, PyShark cannot function and will raise a `FileNotFoundError` or similar exception.","severity":"gotcha","affected_versions":"All"},{"fix":"Migrate your parsing logic to use the EK (Elasticsearch-compatible JSON) mode for improved performance and future compatibility. Enable it by passing `use_ek=True` to your capture object.","message":"The older JSON parsing mode is 'likely to be eventually deprecated' in favor of the newer, faster, and easier-to-use EK parsing mode introduced in v0.5.","severity":"deprecated","affected_versions":">=0.5"},{"fix":"Identify the correct NPF interface name for your adapter. You can often find this by running `pyshark.LiveCapture.interfaces()` or checking TShark's output directly. Example: `capture = pyshark.LiveCapture(interface=r'\\Device\\NPF_{YOUR-ADAPTER-GUID}')`.","message":"When capturing on Windows, network interface names are typically in the format `\\Device\\NPF_{GUID}` rather than common names like 'Wi-Fi' or 'Ethernet'. Using the wrong format will result in capture failure.","severity":"gotcha","affected_versions":"All"},{"fix":"Run `xcode-select --install` and `pip install libxml` (or `brew install libxml2` if using Homebrew) to resolve potential compilation issues.","message":"On macOS, `pyshark` might require `libxml` and Xcode command-line developer tools to be installed due to underlying dependencies.","severity":"gotcha","affected_versions":"All"},{"fix":"If experiencing issues with missing or malformed fields in EK mode, try disabling `include_raw=True` if raw packet data is not strictly required for that specific operation. Check GitHub issues for potential workarounds or updates.","message":"There have been reports of parsing errors or incomplete data when using EK mode (`use_ek=True`) in combination with `include_raw=True`, particularly where fields like flags might appear empty.","severity":"gotcha","affected_versions":">=0.5"}],"env_vars":null,"last_verified":"2026-04-12T00:00:00.000Z","next_check":"2026-07-11T00:00:00.000Z"}