Usage
pcapfilter
Reads a packet capture (pcap) stream from stdin, applies a function to each packet and writes the result to stdout. Example (capture from INTERFACE and display in Wireshark):
tcpdump -i INTERFACE -s0 -w - | pcapfilter -m myfiltermodule.py | wireshark -k -i -
pcapfilter [OPTIONS]
Options
  -m, --module <module>                A Python module name that contains a packet_filter(packet) function. You can create one with -w example.py
  -s, --silent <silent>                Hide log messages from STDERR
  -o, --oldpcap                        Use old pcap for input
  -r, --reload                         Reloads the module upon changes
  -w, --create-template <create_template>  Creates an example file
  -d, --docker-help                    Shows help when running from docker
The basic usage is:
INPUT | pcapfilter [options] | OUTPUT
Where INPUT is a packet capture provider, such as tcpdump, and OUTPUT is some program able to consume pcap from stdin.
For example, capturing packets from interface en0 (INPUT) and showing the results in Wireshark (OUTPUT):
tcpdump -i en0 -s0 -w - | pcapfilter -vm myfilter.py | wireshark -k -i -
You can also run the packet capture on your router over ssh and display it in Wireshark:
ssh router "tcpdump -i eth1.2 -i br-lan -s0 -w - " | pcapfilter -vm main.py | wireshark -k -i -
As a docker image
You need to provide a volume where your filter file is defined:
INPUT | docker run --rm -i -v $(pwd):/shared pcapfilter pcapfilter -vm /shared/main.py | OUTPUT
Defining a filter
A filter is a Python module (or file ending in .py) that has a function called packet_filter. This function receives one argument named pkg. If None is returned, the packet is discarded.
If the packet is returned (modified or not), it is sent to the OUTPUT.
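As an added example (not the project's own code or template), here is a filter module that keeps only DNS and HTTPS traffic and drops everything else, following the packet_filter contract above. It assumes, which the page does not state, that bytes(pkg) yields the raw Ethernet frame of the packet.

```python
# Example pcapfilter module (added illustration, not part of the project).
# Assumption not stated on the page: bytes(pkg) returns the raw Ethernet frame.
import struct

# Keep only traffic on these transport ports; everything else is dropped.
# Edit this set and run pcapfilter with -r to reload the filter live.
KEEP_PORTS = {53, 443}

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_frame(frame: bytes):
    """Return (proto, src_port, dst_port) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34:               # 14-byte Ethernet + 20-byte minimal IPv4 header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes (IHL field)
    proto = frame[23]                 # IPv4 protocol byte
    l4 = 14 + ihl                     # offset of the transport header
    if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < l4 + 4:
        return None
    src_port, dst_port = struct.unpack("!HH", frame[l4:l4 + 4])
    return proto, src_port, dst_port


def packet_filter(pkg):
    """pcapfilter entry point: return the packet to keep it, None to discard it."""
    parsed = parse_frame(bytes(pkg))
    if parsed is None:
        return None                   # non-IPv4 or non-TCP/UDP traffic is dropped
    _, sport, dport = parsed
    if sport in KEEP_PORTS or dport in KEEP_PORTS:
        return pkg                    # unchanged packet goes to OUTPUT
    return None


def build_frame(proto: int, sport: int, dport: int) -> bytes:
    """Constructed sample frame (Ethernet + IPv4 + first 4 L4 bytes) for local tests."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = (bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, proto]) + b"\x00\x00"  # hdr, checksum
          + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")                     # src, dst
    return eth + ip + struct.pack("!HH", sport, dport)
```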