I have a problem when going through an OpenFPC pcap file (1 GB) with pyshark. When I use (in console, as root):
    import pyshark

    # TMP_NAME holds the path to the pcap file
    lst = pyshark.FileCapture(TMP_NAME)
    for p in lst:
        if p.highest_layer == "FTP":
            print("win")
It does not print anything, even though I am sure there are FTP packets in the file. If I go like this:
    # Same loop, but with a display filter applied
    lst = pyshark.FileCapture(TMP_NAME, display_filter="ftp")
    for p in lst:
        if p.highest_layer == "FTP":
            print("win")
It prints "win". My questions are:
1) How can we explain this behaviour?
2) How can I see the FTP packets without a filter?
EDIT: I have seen that this only happens when using .pcap files. The first code works flawlessly when using .cap files downloaded from the Wireshark website. Which I find weird since pyshark uses TShark, and should be able to read pcaps no problem.
Thanks