I'm trying to create a script that should parse a .PCAP file and extract data from SOME/IP packets. I enabled SOME/IP packet capturing in Wireshark via the Wireshark GUI, and that is why (I believe) the script seems to work on the local host. But when I try the same script on a remote server (no UI, same TShark/Wireshark and PyShark versions) it fails to capture SOME/IP packets. If I change
cap = pyshark.FileCapture(file, display_filter=filter)
to, for instance,
cap = pyshark.FileCapture(file, display_filter=filter, decode_as={'udp.port==30000': 'someip'})
then it can capture the SOME/IP traffic on port 30000. But the problem is that SOME/IP traffic is not generated on the same port in all .PCAP files.
If I use a workaround to handle all UDP traffic as SOME/IP traffic:
import pyshark

def get_someip_ports(pcap_file):
    # Collect every UDP port seen so that each can be mapped to SOME/IP via decode_as.
    # Note: this fully dissects every UDP packet once, which is what makes it slow.
    cap = pyshark.FileCapture(pcap_file, display_filter="udp")
    ports = set()
    for packet in cap:
        try:
            # "udp.port" only yields the first occurrence (the source port),
            # so record both endpoints explicitly.
            ports.add(packet.udp.srcport)
            ports.add(packet.udp.dstport)
        except AttributeError:
            continue
    cap.close()
    return list(ports)  # Return list of detected UDP ports
someip_ports = get_someip_ports(file)
decode_map = {f'udp.port=={port}': 'someip' for port in someip_ports}
cap = pyshark.FileCapture(file, display_filter=filter, decode_as=decode_map)
it takes forever to complete...
Is there an easier way to enable SOME/IP traffic capturing with no access to the Wireshark GUI? Maybe some config files or additional pyshark settings?
asked Mar 19 at 12:54 by Curious koala

1 Answer
The issue seems to be fixed with the following code line:
cap = pyshark.FileCapture(file,
                          display_filter=filter,
                          custom_parameters={"--enable-protocol": "someip",
                                             "--enable-heuristic": "someip_udp_heur"})
These additional custom_parameters do the same as setting the following in Wireshark:
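The question's slow workaround exists only to discover which UDP ports carry SOME/IP before handing them to decode_as. The following is an added example, not code from the question, the answer, pyshark or Wireshark: it walks a classic pcap in pure Python, applies a plausibility check based on the SOME/IP header layout (protocol version 1, a known message type, and a Length field consistent with the datagram), and produces the decode_as map directly, without a full tshark dissection pass. It goes a step beyond the thread by handling 802.1Q-tagged frames and datagrams that carry several SOME/IP messages. Assumptions: classic pcap (not pcapng), Ethernet link type, IPv4 only; the sample capture, ports and service IDs at the bottom are constructed for the example. Wireshark's own someip_udp_heur may apply different checks than this one.

```python
"""Added example, not code from the question or the answer: enumerate the UDP
ports carrying SOME/IP in a classic pcap with a pure-Python header sanity check,
so the port list can be fed to pyshark's decode_as (tshark -d) without a full
tshark dissection pass. Assumes classic pcap, Ethernet link type and IPv4."""
import struct
from collections import Counter

# SOME/IP header (16 bytes): Message ID = Service ID + Method ID, Length,
# Request ID = Client ID + Session ID, Protocol Version, Interface Version,
# Message Type, Return Code. Length counts from Request ID to end of message.
SOMEIP_HDR = struct.Struct("!HHIHHBBBB")
SOMEIP_PROTOCOL_VERSION = 1
# REQUEST, REQUEST_NO_RETURN, NOTIFICATION, RESPONSE, ERROR and their TP variants
SOMEIP_MSG_TYPES = {0x00, 0x01, 0x02, 0x80, 0x81, 0x20, 0x21, 0x22, 0xA0, 0xA1}


def looks_like_someip(payload: bytes) -> bool:
    """Cheap plausibility check on the first SOME/IP header in a UDP payload."""
    if len(payload) < SOMEIP_HDR.size:
        return False
    (_svc, _mth, length, _cli, _ses,
     proto_ver, _iface_ver, msg_type, _ret) = SOMEIP_HDR.unpack_from(payload)
    return (proto_ver == SOMEIP_PROTOCOL_VERSION
            and msg_type in SOMEIP_MSG_TYPES
            and 8 <= length <= len(payload) - 8)  # a datagram may hold several messages


def parse_eth_ipv4_udp(frame: bytes):
    """Return (sport, dport, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, = struct.unpack("!H", frame[12:14])
    l3 = 14
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag, common in vehicle captures
        ethertype, = struct.unpack("!H", frame[16:18])
        l3 = 18
    if ethertype != 0x0800 or len(frame) < l3 + 20 or frame[l3 + 9] != 17:
        return None  # not IPv4, truncated, or not UDP
    l4 = l3 + (frame[l3] & 0x0F) * 4
    if len(frame) < l4 + 8:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[l4:l4 + 8])
    return sport, dport, frame[l4 + 8:l4 + ulen]


def iter_udp(pcap: bytes):
    """Yield (sport, dport, payload) for every UDP datagram in a classic pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        udp = parse_eth_ipv4_udp(frame)
        if udp is not None:
            yield udp


def find_someip_ports(pcap: bytes) -> Counter:
    """Count, per UDP port (source or destination), datagrams passing the check."""
    hits = Counter()
    for sport, dport, payload in iter_udp(pcap):
        if looks_like_someip(payload):
            hits[sport] += 1
            hits[dport] += 1
    return hits


def decode_as_map(ports) -> dict:
    """pyshark decode_as= value, equivalent to tshark -d udp.port==N,someip per port."""
    return {f"udp.port=={p}": "someip" for p in sorted(ports)}


# --- constructed sample capture (not real traffic) ---------------------------
def someip_message(service, method, client, session, msg_type, data=b""):
    return SOMEIP_HDR.pack(service, method, 8 + len(data), client, session,
                           SOMEIP_PROTOCOL_VERSION, 1, msg_type, 0) + data


def udp_frame(sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return bytes(6) + bytes(6) + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([
    udp_frame(30000, 30000, someip_message(0x1234, 0x8001, 0, 7, 0x02, b"\x00\x01")),  # notification
    udp_frame(49152, 30509, someip_message(0x1234, 0x0001, 1, 1, 0x00)),               # request
    udp_frame(30509, 49152, someip_message(0x1234, 0x0001, 1, 1, 0x80, b"\x00")),      # response
    udp_frame(5353, 5353, b"\x00\x00\x84\x00" + bytes(20)),                            # not SOME/IP
    udp_frame(30000, 30000, b"\x00\x01"),                                              # too short
])
```

Usage with the question's script: `decode_as=decode_as_map(find_someip_ports(open(file, "rb").read()))` in place of the slow `get_someip_ports` pass. Both source and destination ports of a matching datagram are counted, so a client's ephemeral port ends up in the map too; that is harmless for decode_as but the counts let you prune if you prefer. This only discovers ports; the answer's `--enable-protocol someip --enable-heuristic someip_udp_heur` is still the simpler route when the tshark build has the heuristic, because it lets tshark itself try SOME/IP on any UDP port.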