
I am trying to use Pyshark to capture traffic on a TCP connection in order to determine metrics such as RTT, throughput and packet loss. However, these attributes don't always seem to be available.

I capture packets with the TCP layer successfully. However, when accessing the packet.tcp.analysis_ack_rtt value, sometimes a value is returned and other times an AttributeError is thrown.

import pyshark

capture = pyshark.LiveCapture(interface="eno1", bpf_filter="tcp and port 5201")

for packet in capture.sniff_continuously():
    print("RTT", packet.tcp.analysis_ack_rtt)

I was somewhat expecting all packets to have this field, and I can't see why some packets have it while others don't.

Also, does anyone know how to access tcp.analysis.lost_segment? It doesn't seem to be an attribute of the packet either.


3 Answers


Well, I see you are listening on an Ethernet interface. I would say the reason this doesn't work is that not all packets will be tcp. Hence the error. I would consider doing a try and catch (for the attribute error) and you should be fine.

See below:

import pyshark

capture = pyshark.FileCapture("<path to pcap file>")

for packet in capture:
    try:
        print("Protocol: " + packet.highest_layer + " Source: " + packet.ip.src
              + " Destination: " + packet.ip.dst + " RTT: " + packet.tcp.analysis_ack_rtt)

    except AttributeError:
        # Not every packet has an IP/TCP layer or the ack_rtt analysis field
        pass

Answered 2019-12-28T00:22:11.317

The issue with dynamic layer references is explained here:

Using the dynamic layer attributes I mentioned earlier gives us some flexibility when analyzing packets. If you try to access the pkt.dns.qry_resp attribute of every packet, you will get an AttributeError if the packet has no DNS information. This also applies to the transport layer, since each packet has either a TCP or a UDP layer. If a packet is neither TCP nor UDP, we can print out the source and destination addresses and ports (for IP session mapping) and use a try/except loop to prevent the AttributeError

Answered 2020-07-29T17:39:37.200

You may have solved this already, but I thought I would provide an answer anyway, since I'm interested in pyshark and its capabilities.

I hope these answers are useful to you.

Example one

import pyshark

# Network interface used by TShark for live capture
network_interface = 'en0'

capture = pyshark.LiveCapture(interface=network_interface)
capture.sniff(timeout=50)
for raw_packet in capture.sniff_continuously():
    try:
        # Only looks at TCP packets
        if hasattr(raw_packet, 'tcp'):
            source_address = raw_packet.ip.src
            source_port = raw_packet[raw_packet.transport_layer].srcport

            destination_address = raw_packet.ip.dst
            destination_port = raw_packet[raw_packet.transport_layer].dstport

            ack_rtt = raw_packet[raw_packet.transport_layer].analysis_ack_rtt

            # analysis_lost_segment can produce multiple messages:
            #
            # (1) 'tcp previous segment not captured'
            # This message is created when TShark didn't see a packet that should have been in the trace.
            # This warning was previously called "tcp previous segment lost"
            #
            # (2) 'Previous segment not captured (common at capture start)'
            # This means that on the receiver side you capture an outgoing ACK packet
            # for a sequence number where you haven't seen the respective segment.
            # This is common, as it might be possible that a segment arrived,
            # you started the capture and afterwards your TCP stack replied
            # with an ACK. So there was no way to see the incoming packet.
            #
            lost_segment = raw_packet[raw_packet.transport_layer].analysis_lost_segment

            print(f'Source Address: {source_address}\n'
                  f'Source Port: {source_port}\n'
                  f'Destination address: {destination_address}\n'
                  f'Destination port: {destination_port}\n'
                  f'RTT to ACK was: {ack_rtt} seconds\n'
                  f'{lost_segment}\n')

    except AttributeError:
        # The analysis fields are only present on some TCP packets
        pass

# PRINT OUTPUT
# Source Address: 192.168.86.35
# Source Port: 64490
# Destination address: 31.13.66.174
# Destination port: 443
# RTT to ACK was: 0.000162000 seconds
# Previous segment(s) not captured (common at capture start)

Example two

import pyshark

# Network interface used by TShark for live capture
network_interface = 'en0'

capture = pyshark.LiveCapture(interface=network_interface,
                              display_filter='tcp.analysis.ack_rtt or tcp.analysis.lost_segment')
capture.sniff(timeout=50)
for raw_packet in capture.sniff_continuously():
    try:
        source_address = raw_packet.ip.src
        source_port = raw_packet[raw_packet.transport_layer].srcport

        destination_address = raw_packet.ip.dst
        destination_port = raw_packet[raw_packet.transport_layer].dstport

        ack_rtt = raw_packet[raw_packet.transport_layer].analysis_ack_rtt

        # analysis_lost_segment can produce multiple messages:
        #
        # (1) 'tcp previous segment not captured'
        # This message is created when TShark didn't see a packet that should have been in the trace.
        # This warning was previously called "tcp previous segment lost"
        #
        # (2) 'Previous segment not captured (common at capture start)'
        # This means that on the receiver side you capture an outgoing ACK packet
        # for a sequence number where you haven't seen the respective segment.
        # This is common, as it might be possible that a segment arrived,
        # you started the capture and afterwards your TCP stack replied
        # with an ACK. So there was no way to see the incoming packet.
        #
        lost_segment = raw_packet[raw_packet.transport_layer].analysis_lost_segment

        print(f'Source Address: {source_address}\n'
              f'Source Port: {source_port}\n'
              f'Destination address: {destination_address}\n'
              f'Destination port: {destination_port}\n'
              f'RTT to ACK was: {ack_rtt} seconds\n'
              f'{lost_segment}\n')

    except AttributeError:
        # A packet matching the filter may still carry only one of the two fields
        pass

# PRINT OUTPUT
# Source Address: 192.168.86.35
# Source Port: 64490
# Destination address: 31.13.66.174
# Destination port: 443
# RTT to ACK was: 0.000162000 seconds
# Previous segment(s) not captured (common at capture start)

Answered 2020-08-01T17:20:59.930
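The question asks for RTT, throughput and packet-loss metrics, and all three answers come down to the same point: tcp.analysis fields are only present on some packets, so access has to tolerate their absence. The script below is an added example, not code from the question or any of the answers. It folds packets into per-stream metrics (mean ack RTT, lost-segment events, throughput) while treating missing fields as "no sample" rather than as an error. The packet objects are constructed stand-ins built with SimpleNamespace that mimic the pyshark attribute shape used on this page (packet.tcp.analysis_ack_rtt, packet.tcp.analysis_lost_segment) plus the pyshark names packet.sniff_timestamp, packet.length and packet.tcp.stream, so it runs without tshark; a real pyshark capture loop would pass its packets to the same observe() method.

```python
"""Per-stream TCP metrics from packets whose optional tcp.analysis fields may be missing.

Added example, not from the question or answers. Packets are constructed stand-ins
shaped like pyshark packets; real pyshark packets fit observe() unchanged.
"""
from dataclasses import dataclass, field
from types import SimpleNamespace
from typing import Dict, List, Optional


def optional_field(layer, name: str) -> Optional[str]:
    """Return a dissector field's string value, or None if TShark did not emit it.

    pyshark layers raise AttributeError for fields absent from the dissection, so
    getattr() with a default is the non-raising form of the try/except above.
    """
    return getattr(layer, name, None)


@dataclass
class StreamMetrics:
    rtt_samples: List[float] = field(default_factory=list)
    lost_segment_events: int = 0
    bytes_seen: int = 0
    first_ts: Optional[float] = None
    last_ts: Optional[float] = None

    def account(self, ts: float, frame_len: int) -> None:
        self.bytes_seen += frame_len
        self.first_ts = ts if self.first_ts is None else min(self.first_ts, ts)
        self.last_ts = ts if self.last_ts is None else max(self.last_ts, ts)

    def mean_rtt(self) -> Optional[float]:
        return sum(self.rtt_samples) / len(self.rtt_samples) if self.rtt_samples else None

    def throughput_bps(self) -> Optional[float]:
        # A single packet spans no time, so there is no rate to report.
        if self.first_ts is None or self.last_ts <= self.first_ts:
            return None
        return self.bytes_seen * 8 / (self.last_ts - self.first_ts)


class TcpMetricsCollector:
    def __init__(self) -> None:
        self.streams: Dict[str, StreamMetrics] = {}
        self.skipped_non_tcp = 0

    def observe(self, packet) -> bool:
        """Fold one packet in; False for packets with no TCP layer (ARP, ICMP, UDP...),
        the case the first answer names as the source of the AttributeError."""
        if not hasattr(packet, "tcp"):
            self.skipped_non_tcp += 1
            return False
        tcp = packet.tcp
        metrics = self.streams.setdefault(str(tcp.stream), StreamMetrics())
        metrics.account(float(packet.sniff_timestamp), int(packet.length))

        # ack_rtt exists only on a packet that ACKs a previously seen segment;
        # SYNs and data-only segments lack it, so a missing value is not an error.
        rtt = optional_field(tcp, "analysis_ack_rtt")
        if rtt is not None:
            metrics.rtt_samples.append(float(rtt))

        # lost_segment is an expert-info flag: its presence is the event, its text
        # is just the message quoted in the third answer.
        if optional_field(tcp, "analysis_lost_segment") is not None:
            metrics.lost_segment_events += 1
        return True

    def summary(self) -> Dict[str, dict]:
        return {sid: {"rtt_samples": len(m.rtt_samples),
                      "mean_rtt_s": m.mean_rtt(),
                      "lost_segment_events": m.lost_segment_events,
                      "throughput_bps": m.throughput_bps()}
                for sid, m in self.streams.items()}


def _pkt(ts: str, length: str, **layers) -> SimpleNamespace:
    """Constructed stand-in for a pyshark packet (not a real capture)."""
    return SimpleNamespace(sniff_timestamp=ts, length=length, **layers)


def run_demo() -> TcpMetricsCollector:
    """Constructed trace: one stream with mixed field presence, a UDP datagram, a lone packet."""
    lost_msg = "Previous segment(s) not captured (common at capture start)"
    packets = [
        _pkt("1.000", "74", tcp=SimpleNamespace(stream="0")),  # SYN, no RTT yet
        _pkt("1.050", "74", tcp=SimpleNamespace(stream="0", analysis_ack_rtt="0.050000000")),
        _pkt("1.100", "1514", tcp=SimpleNamespace(stream="0")),  # data segment
        _pkt("1.120", "66", tcp=SimpleNamespace(stream="0", analysis_ack_rtt="0.020000000",
                                                 analysis_lost_segment=lost_msg)),
        _pkt("1.130", "92", udp=SimpleNamespace(srcport="5353")),  # not TCP: skipped
        _pkt("1.200", "74", tcp=SimpleNamespace(stream="1")),  # lone packet, no window
    ]
    collector = TcpMetricsCollector()
    for packet in packets:
        collector.observe(packet)
    return collector


if __name__ == "__main__":
    for stream_id, stats in run_demo().summary().items():
        print(f"tcp.stream {stream_id}: {stats}")
```

With a live capture, replace run_demo()'s list with `for packet in capture.sniff_continuously(): collector.observe(packet)`. The hasattr() check and optional_field() together cover both failure modes seen in the question: packets with no TCP layer at all, and TCP packets on which TShark did not produce the analysis field.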