# PyShark Proof of Concept for Airstream
This is an alternative implementation of Airstream using PyShark instead of Scapy. PyShark leverages Wireshark's powerful dissector engine for comprehensive protocol support.
## Key Advantages

### 1. Full Wireshark Protocol Support
- Automatically uses ALL installed Wireshark dissectors
- Supports 2000+ protocols out of the box
- Better decoding for complex protocols (PTP, IENA, Chapter 10)

### 2. Custom Dissector Support
- Any Lua dissector installed in Wireshark works automatically
- See `lua_dissectors/` for examples
- No code changes needed to support new protocols

### 3. Advanced Filtering
- Full Wireshark display filter syntax
- BPF capture filters for performance
- Protocol-specific field access
## Installation

```bash
# Install PyShark (requires tshark/Wireshark)
pip install pyshark

# On macOS
brew install wireshark

# On Ubuntu/Debian
sudo apt-get install tshark

# On RHEL/CentOS
sudo yum install wireshark
```
## Usage

```bash
# Basic PCAP analysis
./airstream_pyshark.py -p capture.pcap

# Live capture with filter
./airstream_pyshark.py -i eth0 -c 1000 --filter "tcp.port==443"

# Use BPF filter for efficient capture
./airstream_pyshark.py -i eth0 --bpf "port 80 or port 443"

# Export results to CSV
./airstream_pyshark.py -p capture.pcap -o results.csv

# Use PTP-specific statistics
./airstream_pyshark.py -p ptp_traffic.pcap -s ptp
```
## Architecture

```
airstream_pyshark.py          # Main entry point (CLI)
pyshark_poc/
├── __init__.py               # Package initialization
├── analyzer.py               # PySharkAnalyzer class
├── models.py                 # Data models (FlowKey)
├── stats.py                  # Statistics classes
└── README.md                 # This file
lua_dissectors/               # Custom Wireshark dissectors
├── example_custom_protocol.lua
└── README.md
```
## Performance Comparison

| Aspect | Scapy | PyShark |
|---|---|---|
| Packet Parsing Speed | Faster | Slower (XML overhead) |
| Protocol Support | Limited | Comprehensive |
| Custom Dissectors | Python only | Lua + C |
| Memory Usage | Lower | Higher |
| Dependencies | Python only | Requires tshark |
## When to Use PyShark

✅ **Use PyShark when:**
- You need comprehensive protocol decoding
- Working with proprietary protocols
- Need Wireshark's advanced filtering
- Protocol accuracy is critical

❌ **Use Scapy when:**
- Performance is critical
- Need packet crafting/modification
- Minimal dependencies required
- Simple protocol analysis
## Custom Protocol Support

To add custom protocol support:

1. Create a Lua dissector (see `lua_dissectors/example_custom_protocol.lua`)
2. Install it in the Wireshark plugins directory
3. PyShark automatically uses it

Example accessing custom fields:

```python
import pyshark

# After installing the custom dissector, PyShark exposes its protocol as a
# layer attribute on each packet (here the dissector registers as "custom").
capture = pyshark.FileCapture('custom_protocol.pcap')
for packet in capture:
    # Packets without that layer simply lack the attribute, so guard the access
    if hasattr(packet, 'custom'):
        print(f"Message type: {packet.custom.msg_type}")
        print(f"Sequence: {packet.custom.sequence}")
capture.close()
```
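The following is an added example, not code from the Airstream project, showing how the `FlowKey`/statistics split described under Architecture and the custom-field access pattern above can be combined into one analysis pass. It assumes a custom dissector that registers a layer named `custom` with `msg_type` and `sequence` fields (as in the snippet above); the `_pkt` helper and `SAMPLE_PACKETS` are constructed stand-ins that mirror PyShark's attribute shape (layer attributes, string field values), so the aggregation logic runs without tshark. The `iter_capture` function is the only part that needs PyShark and tshark installed.

```python
"""Added example: flow accounting and safe custom-field access over PyShark
packets (assumed 'custom' layer with msg_type/sequence; not project code)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Any, Dict, Iterable, Iterator, List, Optional, Tuple


def _ip_layer(pkt: Any) -> Optional[Any]:
    # PyShark exposes each dissected layer as an attribute (pkt.ip, pkt.tcp);
    # a layer absent from the frame is simply missing, hence getattr guards.
    return getattr(pkt, "ip", None) or getattr(pkt, "ipv6", None)


@dataclass(frozen=True)
class FlowKey:
    """Bidirectional flow key: endpoints are ordered so A->B and B->A share it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @classmethod
    def from_packet(cls, pkt: Any) -> Optional["FlowKey"]:
        ip = _ip_layer(pkt)
        if ip is None:
            return None  # ARP, LLDP, raw Ethernet: not tracked as a flow
        for proto in ("tcp", "udp"):
            l4 = getattr(pkt, proto, None)
            if l4 is not None:
                # PyShark returns field values as strings; convert explicitly.
                a = (str(ip.src), int(l4.srcport))
                b = (str(ip.dst), int(l4.dstport))
                lo, hi = sorted((a, b))
                return cls(proto, lo[0], lo[1], hi[0], hi[1])
        return cls("ip", str(ip.src), 0, str(ip.dst), 0)  # ICMP, IGMP, ...


@dataclass
class FlowStats:
    packets: int = 0
    bytes: int = 0
    first_ts: Optional[float] = None
    last_ts: Optional[float] = None

    def add(self, ts: float, length: int) -> None:
        self.packets += 1
        self.bytes += length
        self.first_ts = ts if self.first_ts is None else min(self.first_ts, ts)
        self.last_ts = ts if self.last_ts is None else max(self.last_ts, ts)


def custom_fields(pkt: Any, layer: str = "custom",
                  names: Tuple[str, ...] = ("msg_type", "sequence")
                  ) -> Optional[Dict[str, Optional[str]]]:
    """Named fields of the custom layer, or None when the layer is absent.
    A field the dissector did not emit maps to None instead of raising, so a
    single malformed packet cannot abort the whole run."""
    layer_obj = getattr(pkt, layer, None)
    if layer_obj is None:
        return None
    return {n: getattr(layer_obj, n, None) for n in names}


def analyze(packets: Iterable[Any]):
    """Aggregate flows, count custom message types, detect sequence gaps."""
    flows: Dict[FlowKey, FlowStats] = {}
    msg_types: Counter = Counter()
    gaps: List[Tuple[FlowKey, int, int]] = []
    last_seq: Dict[Tuple[FlowKey, str], int] = {}  # per flow and sender
    for pkt in packets:
        key = FlowKey.from_packet(pkt)
        if key is None:
            continue
        flows.setdefault(key, FlowStats()).add(float(pkt.sniff_timestamp), int(pkt.length))
        fields = custom_fields(pkt)
        if fields is None:
            continue
        msg_types[fields["msg_type"] or "<missing>"] += 1
        if fields["sequence"] is not None:
            seq = int(fields["sequence"])
            direction = (key, str(_ip_layer(pkt).src))
            prev = last_seq.get(direction)
            if prev is not None and seq != prev + 1:
                gaps.append((key, prev, seq))  # lost or reordered messages
            last_seq[direction] = seq
    return flows, msg_types, gaps


def iter_capture(path: str, display_filter: Optional[str] = None) -> Iterator[Any]:
    """Yield packets from a PCAP via PyShark; imported lazily so everything
    else in this module runs without tshark installed."""
    import pyshark  # needs tshark on PATH
    cap = pyshark.FileCapture(path, display_filter=display_filter)
    try:
        yield from cap
    finally:
        cap.close()


def _pkt(ts, length, src, dst, sport, dport, proto="udp", custom=None):
    """Constructed stand-in with PyShark's attribute shape (string values)."""
    ns = SimpleNamespace(sniff_timestamp=str(ts), length=str(length),
                         ip=SimpleNamespace(src=src, dst=dst))
    setattr(ns, proto, SimpleNamespace(srcport=str(sport), dstport=str(dport)))
    if custom is not None:
        ns.custom = SimpleNamespace(**custom)
    return ns


# Constructed sample traffic: one UDP flow carrying the custom protocol with
# sequence 3 missing, one reply in the reverse direction, one frame with no IP.
SAMPLE_PACKETS = [
    _pkt(1.0, 120, "10.0.0.5", "10.0.0.9", 5000, 6000, custom={"msg_type": "DATA", "sequence": "1"}),
    _pkt(1.1, 120, "10.0.0.5", "10.0.0.9", 5000, 6000, custom={"msg_type": "DATA", "sequence": "2"}),
    _pkt(1.3, 120, "10.0.0.5", "10.0.0.9", 5000, 6000, custom={"msg_type": "DATA", "sequence": "4"}),
    _pkt(1.4, 64, "10.0.0.9", "10.0.0.5", 6000, 5000, custom={"msg_type": "ACK"}),
    SimpleNamespace(sniff_timestamp="1.5", length="42"),
]

if __name__ == "__main__":
    flows, types, gaps = analyze(SAMPLE_PACKETS)
    for key, st in flows.items():
        print(key, st)
    print("message types:", dict(types), "gaps:", gaps)
```

For a real capture replace `SAMPLE_PACKETS` with `iter_capture("capture.pcap", display_filter="udp.port == 6000")`; the aggregation code is unchanged because it only relies on the attribute shape PyShark gives every packet.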
## Limitations

- Performance: Slower than Scapy due to XML parsing overhead
- Dependencies: Requires Wireshark/tshark installation
- Read-only: Cannot modify or craft packets
- Platform-specific: tshark paths may vary
## Future Enhancements

- Parallel packet processing
- Caching for improved performance
- Integration with existing frametypes
- Protocol-specific analyzers
- Real-time streaming analysis
- Custom field extractors
## Testing

```bash
# Test with sample PCAP
./airstream_pyshark.py -p "1 PTPGM.pcapng"

# List available interfaces
./airstream_pyshark.py -l

# Verbose mode for debugging
./airstream_pyshark.py -p capture.pcap -v
```
## Conclusion

This PyShark implementation provides a powerful alternative when comprehensive protocol support is needed. While it trades performance for functionality, it enables analysis of complex protocols that would be difficult to implement in pure Python.