How to get raw data for fields and layers in sorted way

[Isdriai]

Hi,

I want to reproduce a behavior I have with Wireshark (the GUI), the behavior is when I put my mouse on an element, wireshark shows me what is it:

(The PCAP comes from a public dataset)
Here, I can see the bytes I select are the source address

I tried to see if I could do the same thing with pyshark and the result is "almost", I explain:
I want to have for each layer the hex representation of it and its fields, something like

{
    "name": layer.name,
    "raw_data": get_raw_layer(layer),
    "fields": [
        {
            "name": field_name,
             "raw_data": get_raw_field(layer, field_name),
             "position": field_position_in_layer
        }
    ]
}

Using

pyshark.FileCapture(pcap_file, keep_packets=False, include_raw=True, use_json=True)

I can find the raw data for my fields, the issue is I can't find the order of these fields in the packet, also I can get the raw data for each field with

def get_raw_field(layer, field_name):
     getattr(layer, f'{layer_name}_raw')[0] 

Btw, why the raw data is a list with many elements ? I checked some fields and apparently I have to select the first element only

The problem is with some fields, for example there are "dst" ('192.168.10.3') and "dst_host' ('192.168.10.3'), and their raw representations are respectively "['c0a80a03', '30', '4', 'None', '32']" and "['c0a80a03', '30', '4', 'None', '26']" (Don't understand why there is difference between them with the last element but never mind I get only the first ones) so it's an issue for me because I have a part of raw data twice. I will be able to do a script to detect them after I explore all the pcap. But if there is a solution to do it when I explore the pcap at the first time I take it :)

The main issue I have is the fact I can't find the way to get the raw data for the layer, and without order and with duplicates, it will be impossible to get it, maybe there is a way to have it ?

When I debug with Pycharm to inspect a packet, I can see what I want (the last line):

But IMPOSSIBLE to find the way to get it in my script !

I tried

packet.ip.value
packet.ip._value
packet.ip["value"]
getattr(packet.ip, "value")
str(packet.ip)

I just don't know how Pycharm does to do it

So I need to get either the raw data of the layer OR the fields order to be able to have the result I want (the data structure I showed)

[Isdriai]

Ok I found .....

Instead

packet.ip.value
or
packet["ip"].value

I do

packet.ip_raw.value
packet["ip_raw"].value

If you also want to have this raw data, be sure you do

pyshark.FileCapture(pcap_file, keep_packets=False, include_raw=True, use_json=True)

You have to include "include_raw=True" and this option works only when "use_json=True"