Read pcapng file and get the headers in json format


I have a Wireshark packet capture (.pcapng) and the file has to be read into memory by a Python program. It is desired to convert the packets to the JSON format like so:

$ tshark -r cap.pcapng -T json > ip.json

I need to write the JSON data back to a pcapng file. Please tell me how to do that.


There is 1 answer

Ross Jacobs

-T json

If you output as JSON as in the question, you will not be able to convert back to pcap. The problem is that the standalone JSON does not have the byte offsets or bytes to tell the converter what bytes to store and where.

If this is your JSON, it may be possible to handcode a new pcap with the data, depending on how verbose the JSON values are. This is the kind of laborious hardcoding you do if you are absolutely desperate (i.e. avoid this method).

-T json values look like this:

[
  {
    "_index": "packets-2020-05-09",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "en0",
            "frame.interface_description": "Wi-Fi"
          },
          "frame.encap_type": "1",
          "frame.time": "May  9, 2020 20:03:11.303663000 PDT",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1589079791.303663000",
          "frame.time_delta": "0.000000000",
          "frame.time_delta_displayed": "0.000000000",
          "frame.time_relative": "0.000000000",
          "frame.number": "1",
          "frame.len": "92",
          "frame.cap_len": "92",
          "frame.marked": "0",
          "frame.ignored": "0",
...

-T jsonraw / -T json -x

These options are equivalent and output the bytes and byte offsets for each field. Wireshark has a built-in Python utility for this exact purpose called json2pcap, but it will only consume this type of output.

Martin Kacer wrote this utility and has documentation for it on his website. This article provides a step by step guide, translating from pcap to json to pcap. You can find the source code and use it separately: json2pcap.py is in Wireshark's github repo.

-T jsonraw output looks like this:

[
  {
    "_index": "packets-2020-05-09",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame_raw": [
          "cc65adda39706c96cfd87fe70800450000a40000400040061ec4c0a801f69765c18cd13b01bb72f797c64990e967801826c562c300000101080a52be1ece06253aa9170303006b00000000000043350c719c8d15f3339346992e557abac51ade350316082fa92225912552dde4ccec7197c6c7745b91b66747c1c8bea3337656213e59425f35c13fdf1739a174a7528d97b0eb10fce4daaba613840d8ce7f28bbbe094abd97db97da3f8f91b68e4db30d982",
          0,
          178,
          0,
          1
        ],
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "en0",
            "frame.interface_description": "Wi-Fi"
          },
          "frame.encap_type": "1",
          "frame.time": "May  9, 2020 20:02:25.845268000 PDT",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1589079745.845268000",
          "frame.time_delta": "0.000000000",
...

As you can see, frame_raw has the complete bytes of the packet, which is important in reconstruction.
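Rebuilding a capture from the frame_raw bytes described above, as an added Python example that is not part of the answer and not json2pcap itself: it parses a constructed jsonraw document, checks that the declared frame_raw length matches the hex bytes carried, and writes a minimal pcapng file (section header, one Ethernet interface, one enhanced packet block per frame). The field names are the ones shown in the tshark output above; the block layout follows the pcapng specification, and the sample packet bytes are constructed.

```python
import json
import struct

# Constructed sample in the shape of `tshark -T jsonraw` output (not a real capture).
# frame_raw is [hex bytes, byte offset, length, bitmask, type]; the bytes here are a
# 14-byte Ethernet header followed by 6 dummy bytes, 20 bytes in total.
SAMPLE_JSONRAW = json.dumps([{
    "_source": {"layers": {
        "frame_raw": ["cc65adda39706c96cfd87fe70800deadbeef0000", 0, 20, 0, 1],
        "frame": {"frame.time_epoch": "1589079745.845268000", "frame.len": "20"},
    }}
}])

def frames_from_jsonraw(text):
    """Return [(timestamp_microseconds, original_len, raw_bytes), ...]."""
    frames = []
    for pkt in json.loads(text):
        layers = pkt["_source"]["layers"]
        hexdata, _offset, length, _bitmask, _type = layers["frame_raw"]
        data = bytes.fromhex(hexdata)
        # The declared length must match the bytes carried; refuse inconsistent input.
        if len(data) != length:
            raise ValueError(f"frame_raw says {length} bytes, got {len(data)}")
        secs, _, frac = layers["frame"]["frame.time_epoch"].partition(".")
        micros = int(secs) * 1_000_000 + int(frac.ljust(6, "0")[:6])
        orig_len = int(layers["frame"].get("frame.len", len(data)))
        frames.append((micros, orig_len, data))
    return frames

def _block(block_type, body):
    """Wrap a pcapng block body: type, total length, body, total length."""
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def jsonraw_to_pcapng(text, linktype=1):
    """Build a minimal pcapng file (one section, one Ethernet interface)."""
    # Section Header Block: byte-order magic, version 1.0, section length unknown (-1).
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    # Interface Description Block: linktype, reserved, snaplen 0 = no limit.
    # With no if_tsresol option the timestamp unit defaults to microseconds.
    idb = _block(0x00000001, struct.pack("<HHI", linktype, 0, 0))
    out = shb + idb
    for micros, orig_len, data in frames_from_jsonraw(text):
        padded = data + b"\x00" * (-len(data) % 4)  # packet data is 32-bit aligned
        body = struct.pack("<IIIII", 0, micros >> 32, micros & 0xFFFFFFFF,
                           len(data), orig_len) + padded
        out += _block(0x00000006, body)
    return out
```

Writing the returned bytes to a file with a `.pcapng` extension gives something `tshark -r` can read; only the raw frames and timestamps survive the round trip, since jsonraw carries no interface options or name resolution data.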