Pyshark packet.tcp.analysis_ack_rtt不一致

时间:2019-06-24 20:49:32

标签: python tcp pyshark

我正在尝试使用Pyshark捕获有关TCP连接的流量,以确定诸如RTT,吞吐量和数据包丢失之类的指标。但是,这些属性似乎并不总是可用。

我正在使用TCP层成功捕获数据包。但是,当访问packet.tcp.analysis_ack_rtt值时,有时会返回一个值,而有时会抛出AttributeError。 

capture = pyshark.LiveCapture(interface="eno1", bpf_filter="tcp and port 5201")

for packet in capture.sniff_continuously():
    print("RTT", packet.tcp.analysis_ack_rtt)

我有点希望所有数据包都具有该字段,并且看不出为什么有些数据包可以这样做而其他数据包没有这样做的原因。

另外,有人知道如何访问tcp.analysis.lost_segment吗?看来这也不是数据包的属性。

3 个答案:

答案 0 :(得分:0)

好吧,我看到您正在使用以太网接口进行监听。我要说的是,这样做不起作用的原因是,并非所有数据包都不会是tcp。因此,错误。我会考虑您尝试一下(因为属性错误),您应该没事

答案 1 :(得分:0)

here说明了动态层引用的问题:

使用前面提到的动态层属性在分析数据包时为我们提供了一些灵活性。如果您尝试访问每个数据包的pkt.dns.qry_resp属性,如果该数据包没有DNS信息,则会收到AttributeError。这也适用于传输层,因为每个数据包都将具有TCP或UDP层。如果数据包既不是TCP也不是UDP,我们可以打印出源地址和目标地址以及端口(用于IP会话映射),并使用try / except循环来防止AttributeError

答案 2 :(得分:0)

您可能已经解决了这个问题,但是我认为无论如何我都会提供答案,因为我对pyshark及其功能很感兴趣。

希望这些答案对您有用。

示例一 

# Network interface used by TShark for live capture
network_interface = 'en0'

capture = pyshark.LiveCapture(interface=network_interface)
capture.sniff(timeout=50)
for raw_packet in capture.sniff_continuously():
    try:
        # Only looks at TCP packets
        if hasattr(raw_packet, 'tcp'):
           source_address = raw_packet.ip.src
           source_port = raw_packet[raw_packet.transport_layer].srcport
        
           destination_address = raw_packet.ip.dst
           destination_port = raw_packet[raw_packet.transport_layer].dstport
        
           ack_rtt = raw_packet[raw_packet.transport_layer].analysis_ack_rtt

           # analysis_lost_segment can produce multiple messages:
           #
           # (1) 'tcp previous segment not captured.
           # This message is created when TShark didn't see a packet that should have been in the trace.
           # This warning was previously called "tcp previous segment lost"
           #
           # (2) 'Previous segment not captured (common at capture start)'
           # This means that on the receiver side you capture an outgoing ACK packet 
           # for a sequence number where you haven't seen the respective segment. 
           # This is common, as it might be possible that a segment arrived, 
           # you started the capture and afterwards your TCP stack replied 
           # with an ACK. So there was no way to see the incoming packet.
           #
           lost_segment = raw_packet[raw_packet.transport_layer].analysis_lost_segment

           print(f'Source Address: {source_address}\n'
                 f'Source Port: {source_port}\n'
                 f'Destination address: {destination_address}\n'
                 f'Destination port:{destination_port}\n'
                 f'RTT to ACK was: {ack_rtt} seconds\n'
                 f'{lost_segment}\n')
           
           # PRINT OUTPUT
           Source Address: 192.168.86.35
           Source Port: 64490
           Destination address: 31.13.66.174
           Destination port:443
           RTT to ACK was: 0.000162000 seconds
           Previous segment(s) not captured (common at capture start)

     except AttributeError as e:
         pass

示例二 

# Network interface used by TShark for live capture
network_interface = 'en0'

capture = pyshark.LiveCapture(interface='en0', display_filter='tcp.analysis.ack_rtt or tcp.analysis.lost_segment')
capture.sniff(timeout=50)
for raw_packet in capture.sniff_continuously():
    try:
       
        source_address = raw_packet.ip.src
        source_port = raw_packet[raw_packet.transport_layer].srcport
        
        destination_address = raw_packet.ip.dst
        destination_port = raw_packet[raw_packet.transport_layer].dstport
        
        ack_rtt = raw_packet[raw_packet.transport_layer].analysis_ack_rtt

        # analysis_lost_segment can produce multiple messages:
        #
        # (1) 'tcp previous segment not captured.
        # This message is created when TShark didn't see a packet that should have been in the trace.
        # This warning was previously called "tcp previous segment lost"
        #
        # (2) 'Previous segment not captured (common at capture start)'
        # This means that on the receiver side you capture an outgoing ACK packet 
        # for a sequence number where you haven't seen the respective segment. 
        # This is common, as it might be possible that a segment arrived, 
        # you started the capture and afterwards your TCP stack replied 
        # with an ACK. So there was no way to see the incoming packet.
        #
        lost_segment = raw_packet[raw_packet.transport_layer].analysis_lost_segment

        print(f'Source Address: {source_address}\n'
              f'Source Port: {source_port}\n'
              f'Destination address: {destination_address}\n'
              f'Destination port: {destination_port}\n'
              f'RTT to ACK was: {ack_rtt} seconds\n'
              f'{lost_segment}\n')
           
        # PRINT OUTPUT
        Source Address: 192.168.86.35
        Source Port: 64490
        Destination address: 31.13.66.174
        Destination port: 443
        RTT to ACK was: 0.000162000 seconds
        Previous segment(s) not captured (common at capture start)

    except AttributeError as e:
        pass
相关问题
最新问题