
Nothing shows in `Layer XXX_RAW` when calling `pretty_print` with `include_raw=True`

Open miaotony opened this issue 3 years ago • 2 comments

Describe the bug

Whether using use_ek=True, include_raw=True or use_json=True, include_raw=True, nothing shows in Layer XXX_RAW when calling pretty_print.

To Reproduce

```python
import pyshark

def tshark_callback(packet):
    packet.pretty_print()
    # print(packet.__str__())

cap = pyshark.LiveCapture(use_ek=True, include_raw=True, interface='wlan')
cap.set_debug()
cap.apply_on_packets(tshark_callback)
```

[Image]

Replace use_ek with use_json, and likewise nothing shows in the xxx_raw layer.

[Image]

Expected behavior

Show the raw hex data in the specific xxx_raw fields.

Versions (please complete the following information):

  • OS: Windows 10
  • pyshark version: v0.5.3
  • tshark version: TShark (Wireshark) 3.6.6 (v3.6.6-0-g7d96674e2a30)

The bug also occurs on Linux (Ubuntu 20.04) with pyshark v0.5.3 and TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1).

miaotony, Aug 19 '22 20:08

```shell
sudo tshark -l -n -T ek -x -P -V -i eth0 -c 1
```

Using ek mode, tshark returns a JSON object in which the type of the xxx_raw layers (just like frame_raw) is str rather than dict.

[Image]

However, in the source code the author parses it as a dict. https://github.com/KimiNewt/pyshark/blob/60f08211ae79e9ca185b5cefd5039029b2b85d84/src/pyshark/packet/layers/ek_layer.py#L42-L44

The function pretty_print gets all keys in the dict, and in detail it gets field_names... https://github.com/KimiNewt/pyshark/blob/60f08211ae79e9ca185b5cefd5039029b2b85d84/src/pyshark/packet/layers/ek_layer.py#L109-L126

https://github.com/KimiNewt/pyshark/blob/60f08211ae79e9ca185b5cefd5039029b2b85d84/src/pyshark/packet/layers/ek_layer.py#L63-L76

The raw layers are of str type, which has no keys. So maybe you have to check the type first before processing it...

It seems that another issue #586 is also caused by this problem.

miaotony, Aug 19 '22 20:08
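The type check suggested in the comment above, as an added example that is not part of the original thread or pyshark's own code: it reads one constructed EK record and converts each `*_raw` layer to bytes, whether the value is a str (ek mode, as described above) or a list whose first element is the hex string (the json-mode shape, assumed here). `raw_hex` and `raw_layers` are hypothetical helper names.

```python
import binascii
import json

# Constructed sample shaped like one `tshark -T ek -x` record: the *_raw
# layers are plain hex strings, the decoded layers are dicts.
SAMPLE_EK_LINE = json.dumps({
    "timestamp": "1660940000000",
    "layers": {
        "frame_raw": "ffffffffffff0011223344550800",
        "frame": {"frame_frame_len": "14"},
        "eth_raw": "ffffffffffff0011223344550800",
        "eth": {"eth_eth_type": "0x0800"},
    },
})


def raw_hex(value):
    """Return the hex string of a *_raw entry, or None if the shape is unknown."""
    if isinstance(value, str):
        # ek mode: the raw layer is the hex string itself.
        return value
    if isinstance(value, (list, tuple)) and value and isinstance(value[0], str):
        # Assumed json-mode shape: [hex, position, length, ...].
        return value[0]
    return None


def raw_layers(ek_line):
    """Map each *_raw layer name in one EK record to its bytes."""
    layers = json.loads(ek_line).get("layers", {})
    out = {}
    for name, value in layers.items():
        if not name.endswith("_raw"):
            continue
        hex_text = raw_hex(value)
        if hex_text is None:
            continue
        try:
            out[name] = binascii.unhexlify(hex_text)
        except (binascii.Error, ValueError):
            # Truncated or non-hex data: skip it instead of failing the capture loop.
            continue
    return out


if __name__ == "__main__":
    for layer, data in raw_layers(SAMPLE_EK_LINE).items():
        print(layer, data.hex())
```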

This is still a problem today. This function that's in packet doesn't work either. The assert checks that FRAME_RAW is in the packet, which it is, but self.frame_raw.value isn't valid.

```python
def get_raw_packet(self) -> bytes:
        assert "FRAME_RAW" in self, "Packet contains no raw data. In order to contains it, " \
                                    "make sure that use_json and include_raw are set to True " \
                                    "in the Capture object"
        raw_packet = b''
        byte_values = [''.join(x) for x in zip(self.frame_raw.value[0::2], self.frame_raw.value[1::2])]
        for value in byte_values:
            raw_packet += binascii.unhexlify(value)
        return raw_packet
```

I've tried updating the code to put frame_raw into the frame dictionary so that the EkLayer can access it that way, but that didn't work either. There must be some lookup table indicating what the valid fields are.

chrisawad, Jan 04 '24 21:01