pyshark icon indicating copy to clipboard operation
pyshark copied to clipboard

Published 20 hours ago verified publisher icon KimiNewt

nflog, "nflog:<group_num>" not supported as interface name

Open anvilvapre opened this issue 5 months ago • 1 comments

nflog requires you to specify the nglog group - an index - you want to capture. in tshart, dumppcap and tcpdump this works as expected. pyshark does not seem to support this.

cap = pyshark.LiveCapture('nflog', bpf_filter='ip and tcp') executes but does not result in packets

cap = pyshark.LiveCapture('nflog:1', bpf_filter='ip and tcp') does in tcpdump and tshark results in packets but in pyshark resuls in below error message:

sudo python3  cap.py
2024-09-22 16:53:15,055 - LiveCapture - DEBUG - Creating Dumpcap subprocess with parameters: /usr/bin/dumpcap -q -i nflog:1 -w -
2024-09-22 16:53:15,056 - LiveCapture - DEBUG - Dumpcap subprocess (pid 12513) created
Traceback (most recent call last):

....
 File "/usr/local/lib/python3.10/dist-packages/pyshark/capture/live_capture.py", line 82, in _verify_capture_parameters
    raise UnknownInterfaceException(
pyshark.capture.live_capture.UnknownInterfaceException: Interface 'nflog:1' does not exist, unable to initiate capture. Perhaps permissions are missing?
Possible interfaces:
...
nflog
....

See also https://wiki.wireshark.org/CaptureSetup/NFLOG.

It does however start a dumppcap process and leaves it running even after exit.

anvilvapre avatar Sep 22 '24 15:09 anvilvapre