
Counting TCP retransmission in pyshark


As far as I know pyshark is a Python wrapper to tshark, which is the command line version of Wireshark. Since Wireshark and tshark allow detecting TCP retransmissions, I was wondering how I could do that using pyshark. I haven't found any good documentation, so I am not sure whether you just can't do that, or whether I just can't find the proper way. Thank you!


Solution

  • The code below detects TCP retransmissions in pyshark

    import pyshark
    
    ###################################################
    # these filters can be applied under LiveCapture
    # display_filter: A display (wireshark) filter to apply on the cap before reading it.
    # display_filter='tcp.analysis.fast_retransmission'
    # display_filter='tcp.analysis.retransmission'
    ###################################################
    capture = pyshark.LiveCapture(interface='en1', display_filter='tcp.analysis.fast_retransmission')
    # collect matching packets for up to 50 seconds, then stream new matches as they arrive
    capture.sniff(timeout=50)
    
    for packet in capture.sniff_continuously(packet_count=5):
        print('Just arrived:', packet)
    

    It should display this in the packets:

    # display_filter='tcp.analysis.retransmission'
    TCP Analysis Flags
    Expert Info (Note/Sequence): This frame is a (suspected) retransmission
    This frame is a (suspected) retransmission
    
    # display_filter='tcp.analysis.fast_retransmission'
    TCP Analysis Flags
    This frame is a (suspected) fast retransmission
    This frame is a (suspected) retransmission
    Expert Info (Note/Sequence): This frame is a (suspected) fast retransmission
    Expert Info (Note/Sequence): This frame is a (suspected) retransmission
    

    If you include only_summaries=True in LiveCapture you will see something like this:

    Just arrived: 223 71.890878 fe80::cabc:c8ff:feec:d46d fe80::1416:1ca1:307c:b0e6 TCP 86 [TCP Spurious Retransmission] 59005 → 49373 [FIN, ACK] Seq=1855 Ack=2365 Win=4096 Len=0 TSval=930665353 TSecr=692710576
    
    Just arrived: 371 121.293913 fe80::1416:1ca1:307c:b0e6 fe80::cabc:c8ff:feec:d46d TCP 98 [TCP Retransmission] 62078 → 59012 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1440 WS=64 TSval=692717653 TSecr=930714614 SACK_PERM=1
    

    You can also filter these packets more specifically by applying a bpf_filter in LiveCapture together with the display filter for TCP retransmissions.

    import pyshark
    
    # bpf_filter is applied by the capture engine before dissection; display_filter after it
    capture = pyshark.LiveCapture(interface='en1', bpf_filter='ip and tcp port 443', display_filter='tcp.analysis.retransmission')
    capture.sniff(timeout=50)
    
    for packet in capture.sniff_continuously(packet_count=5):
        print('Just arrived:', packet)
    

    Here is one way to read a pcap with pyshark:

    import pyshark
    
    capture = pyshark.FileCapture('test.pcap', display_filter='tcp.analysis.retransmission')
    counter = 0
    for packet in capture:
        counter += 1
        print('*' * 10, f'Retransmission packet {counter}:', '*' * 10)
    

    Output:

    ********** Retransmission packet 1: **********
    ********** Retransmission packet 2: **********
    ********** Retransmission packet 3: **********
    ********** Retransmission packet 4: **********
    ********** Retransmission packet 5: **********
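Going one step beyond the counter above, the following added example (not from the answer above or from the pyshark project) counts retransmissions per TCP stream and by kind, using the tcp.analysis flags the answer's output shows. It assumes pyshark exposes those flags on packet.tcp with the "tcp." prefix dropped and dots replaced by underscores (e.g. analysis_fast_retransmission); the counting logic is kept separate from pyshark so it runs on the constructed sample below without tshark installed.

```python
from collections import Counter, defaultdict

# Wireshark TCP analysis flags as pyshark names them on packet.tcp.field_names
# (assumption: "tcp.analysis.retransmission" -> "analysis_retransmission")
FLAG_FIELDS = {
    'analysis_retransmission': 'retransmission',
    'analysis_fast_retransmission': 'fast_retransmission',
    'analysis_spurious_retransmission': 'spurious_retransmission',
}


def classify(present_fields):
    """Return the retransmission kinds flagged on one segment, given its tcp field names."""
    kinds = {kind for field, kind in FLAG_FIELDS.items() if field in present_fields}
    # Wireshark sets the plain retransmission flag alongside fast/spurious (see the
    # fast_retransmission output above); keep only the most specific kind per segment.
    if kinds & {'fast_retransmission', 'spurious_retransmission'}:
        kinds.discard('retransmission')
    return kinds


def count_retransmissions(records):
    """records: iterable of (tcp.stream id, set of tcp field names) -> {stream: Counter}."""
    per_stream = defaultdict(Counter)
    for stream, fields in records:
        for kind in classify(fields):
            per_stream[stream][kind] += 1
    return per_stream


def packet_records(capture):
    """Adapt real pyshark packets (FileCapture or LiveCapture) to the records shape above."""
    for packet in capture:
        if not hasattr(packet, 'tcp'):
            continue  # e.g. ARP/ICMP frames when no display filter is set
        yield packet.tcp.stream, set(packet.tcp.field_names)


def count_pcap(path):
    """Count retransmissions in a pcap; needs pyshark and tshark installed."""
    import pyshark
    capture = pyshark.FileCapture(path, display_filter='tcp.analysis.retransmission')
    try:
        return count_retransmissions(packet_records(capture))
    finally:
        capture.close()


# Constructed sample standing in for parsed segments: (tcp.stream, tcp field names)
SAMPLE = [
    ('0', {'srcport', 'dstport', 'seq', 'analysis_retransmission'}),
    ('0', {'srcport', 'dstport', 'seq', 'analysis_retransmission', 'analysis_fast_retransmission'}),
    ('1', {'srcport', 'dstport', 'seq', 'analysis_retransmission', 'analysis_spurious_retransmission'}),
    ('1', {'srcport', 'dstport', 'seq'}),  # ordinary segment, no analysis flag
]

if __name__ == '__main__':
    for stream, counts in sorted(count_retransmissions(SAMPLE).items()):
        print(f'tcp.stream {stream}: {dict(counts)}')
```

Replace SAMPLE with count_pcap('test.pcap') to run it against a real capture; a high spurious count on one stream usually points at the receiver's ACKs being lost rather than at the sender's data.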