Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| SHARKMCP_TIMEOUT | No | Per-request timeout in seconds | 300 |
| SHARKMCP_SHARKD_BIN | No | Path to sharkd binary | sharkd |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
| --- | --- |
| tools | {"listChanged": false} |
| prompts | {"listChanged": false} |
| resources | {"subscribe": false, "listChanged": false} |
| experimental | {} |

Tools

Functions exposed to the LLM to take actions

Name | Description

load_pcap (A)

Load a PCAP/PCAPNG file into a fresh sharkd session.

alias defaults to the basename. Each loaded PCAP keeps a dedicated sharkd subprocess warm so subsequent queries are interactive. Returns the alias and basic status (frame count, duration, file size).

list_pcaps (A)

List every loaded PCAP with its current sharkd status.

unload_pcap (B)

Terminate the sharkd session for alias and free its memory.

pcap_summary (C)

Combined status + analyse: filename, size, frame count, duration, protocols seen, first/last timestamps.

server_info (A)

List all types available in this sharkd session: tap identifiers, follow protocols, column fields, and stats tree entries.

Useful for discovering valid values before calling conversations, endpoints, follow_stream, or protocol_hierarchy.

list_packets (C)

Page through packets via sharkd frames.

display_filter accepts Wireshark display-filter syntax.
columns overrides the default column set with arbitrary field names (e.g. ["frame.number", "ip.src", "tcp.dstport"]).
refs is a list of reference frame numbers for delta-time calculations.

packet_detail (A)

Full protocol tree for one frame.

include_bytes — add raw bytes (base64) per layer.
include_hidden — include hidden protocol tree fields.
ref_frame — reference frame number for delta-time display.
prev_frame — previous frame number for delta-time display.

extract_fields (C)

Extract arbitrary fields per packet, e.g. ["ip.src", "tcp.dstport", "http.host"]. Returns rows of dicts keyed by field name.

validate (A)

Validate a display-filter expression and/or a field name.

filter — Wireshark display filter (e.g. tcp.port == 443).
field — fully qualified field name (e.g. http.request.method).

Returns {"status":"OK"} on success or an error object. At least one of filter or field must be provided.

complete (A)

Autocomplete field names or preference names by prefix.

field — field prefix, e.g. "tcp." → all tcp.* dissector fields.
pref — preference prefix, e.g. "tcp." → all tcp.* preferences.

At least one of field or pref must be provided. Dense protocols (e.g. "opcua.") can return thousands of entries; limit caps the list (0 = no cap).

get_preference (A)

Read one or all sharkd dissector preferences.

Pass a dotted preference name (e.g. "tcp.check_checksum") to read a single value, or omit to dump all preferences. Useful for checking whether a dissector is enabled or what port a protocol is bound to.

set_preference (A)

Set a sharkd dissector preference for this session.

Changes are session-scoped and do not persist after the server restarts. Common uses: forcing a non-standard port to decode as a specific protocol (e.g. name="http.tcp.port", value="8080"), or enabling/disabling a dissector option.

set_frame_comment (A)

Set a comment on a frame for the duration of this session (non-persistent).

Pass an empty string to clear an existing comment. Useful for annotating frames during forensic analysis.

protocol_hierarchy (C)

Protocol hierarchy stats — nested tree of frame/byte counts per protocol.

io_stats (A)

Per-interval frame and byte counts. interval_ms is the bucket size.

Results are in chronological order and paged with skip/limit. The PCAP is scanned only on the first call for a given (interval, filter) combination; subsequent pages are served from cache. Default limit is 300 intervals (~5 min at 1 s buckets). Set limit=0 for all.

iograph (A)

Per-interval traffic graph for up to 8 simultaneous lines.

Each entry in graphs must be one of:
"packets" | "bytes" | "bits" — basic counters
"sum:" | "avg:" — aggregate a numeric field per interval
"min:" | "max:" — min/max of a numeric field per interval
"load:" | "frames:" — bit-rate or frame count for a field

filters — optional per-graph display filters (parallel list to graphs); enables multi-line graphs of different protocol streams.

Results are paged with skip/limit (default 300 buckets ≈ 5 min at 1 s).

follow_stream (B)

Reassemble a stream. display_filter selects it (e.g. tcp.stream eq 3). Returns client/server addrs and base64 payload chunks with direction.

Long-lived streams can produce huge payload lists; max_payloads caps how many chunks are returned. Set to 0 for no cap.

conversations (B)

Conversation table for a given layer. Sums frames/bytes per peer pair.

Results are sorted by sort_by (descending) and paged with skip/limit. The PCAP is scanned only on the first call for a given filter; all subsequent pages are served from an in-memory cache. Set limit=0 for all.

endpoints (A)

Endpoint table for a given layer. Sums tx/rx frames and bytes per host.

Results are sorted by sort_by (descending) and paged with skip/limit. The PCAP is scanned only on the first call for a given filter; all subsequent pages are served from an in-memory cache. Set limit=0 for all.

expert_info (C)

Per-frame expert diagnostics — errors, warnings, notes, and chats.

Returns Wireshark's built-in anomaly detection results: TCP retransmissions, malformed packets, unusual sequences, and protocol violations. Each entry contains frame number (f), severity (s), protocol (p), and message (m). Results are cached after the first scan.

protocol_stats (C)

Protocol-level aggregate statistics.

protocol options:
dns — query/response counts by type and return code
http — HTTP request/response packet counters
http_requests — requests grouped by URI
http_server — load distribution across servers
http_seq — HTTP request sequences
http2 — HTTP/2 stream statistics
rtsp — RTSP packet counters
sip — SIP response code counters
dhcp — DHCP message type distribution
h225 — H.225 message and response status

service_response_time (C)

Service response time statistics — min/max/avg latency per request type.

Measures the elapsed time between a protocol request and its response. Useful for detecting slow servers, network congestion, or anomalous response-time patterns in application protocols.

response_time_delay (C)

Response time delay statistics for signalling protocols.

Measures per-transaction round-trip delay:
h225_ras — H.225 RAS registration/admission delays
megaco — MEGACO/H.248 gateway control delays
mgcp — MGCP gateway control delays
radius — RADIUS authentication/accounting delays

sequence_diagram (B)

Flow sequence diagram data for visualising packet exchanges.

Returns time-ordered node and flow entries suitable for rendering a sequence diagram (equivalent to Wireshark's Flow Graph window).
any — all flows
tcp — TCP flows (handshakes, data, teardowns)
icmp — ICMP echo request/reply flows
icmpv6 — ICMPv6 flows

voip_calls (C)

VoIP call list with state, duration, and participant addresses.

Detects SIP, H.323, MGCP, and SKINNY calls in the capture and reconstructs the call flow from signalling messages.

rtp_streams (B)

RTP stream inventory and per-stream quality analysis.

Without stream_spec — returns all RTP streams with SSRC, codec, packet count, and timing.

With stream_spec — returns jitter, packet loss, and sequence error statistics for one stream.
Format: <src_ip>_<src_port>_<dst_ip>_<dst_port>_<ssrc>
e.g. 200.57.7.195_9762_200.57.7.196_26946_0xd2bd4e3e

multicast_streams (B)

UDP multicast stream statistics.

Returns per-stream packet counts, byte rates, and burst statistics for all UDP multicast flows in the capture.

export_objects (A)

List exportable objects of the given type found in the capture.

Each returned object includes a _download token that can be passed to download_object to retrieve the raw content. Supported types: http, dicom, smb, tftp, imf, ftp-data.

The PCAP is scanned only on the first call for a given type; subsequent pages are served from cache.

download_object (A)

Download the raw content of an exportable object, TLS secrets, or RTP audio.

Tokens come from:
export_objects → "eo:http_0", "eo:imf_0", etc.
TLS session keys → "ssl-secrets" (NSS Key Log format, if embedded)
RTP audio stream → "rtp:<src_ip>_<src_port>_<dst_ip>_<dst_port>_<ssrc>"

Content is returned base64-encoded under the data key along with the MIME type and original filename where available.

tap (A)

Run one or more sharkd statistics taps in a single PCAP scan.

specs — tap identifiers from server_info, e.g. ["expert", "conv:TCP", "stat:dns", "srt:smb"]
filter — global display filter applied to all taps (sharkd supports only one filter per tap call; per-tap filters are iograph-only)
skip / limit — pagination applied to each tap's flat list result

Up to 16 specs per call (sharkd limit). Results are cached after the first scan; paginated follow-up calls are served from memory. Use server_info to discover all valid tap identifiers.

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/weirdmachine64/SharkMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.