Ask Your Question
0

How can I save the packet list exactly as Wireshark is displaying it as a JSON?

asked 2019-11-22 12:51:33 +0000

merangles gravatar image

I'm using company-provided Wireshark dissectors for 3 proprietary network protocols used by that company.

I want to further analyse the packet capture data, so I need Wireshark to transform it into a common format like JSON. Wireshark knows how to interpret the data using the dissectors and I can access all the fields in the Wireshark GUI.

tshark -r file.pcapng -V -Tjson > file.json almost does what I want. But for some reason, it substitutes a lot of, but not all the "field-name":"value"-pairs with "_ws.lua.text":"". The same thing happens if I export the packet dissection to JSON in the GUI. In Wireshark everything looks fine, but the JSON file doesn't.

So I know Wireshark has the data I want. How can I make Wireshark save the packet list, exactly as it displays it with all fields expanded, as a JSON file?

Possibly helpful theory of mine: I noticed that in the .lua dissector file, most of the field names that are substituted are defined like this:

 local table = {
  [0] = {
    [1] = {decription="field name 1"}
    [2] = {description="field name 2"}
     }}

and referenced as table[0][2].description Maybe "_ws.lua.text" is just a stub for any reference that is returned instead of a value? But Wireshark can access the values, so why doesn't it use them when converting the data to JSON?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-12-06 08:24:23 +0000

merangles gravatar image

I adjusted the dissectors and thus got rid of the "_ws.lua.text"s. My dissector used to look like this:

my_proto=Proto("my_proto", "My custom Protocol", "My custom Protocol")
*something something*
local my_proto_packet = tree:add(my_proto, buffer(),"My custom protocol");
value = buffer(curPos,4):uint();
local valueNode = my_proto_packet:add_le(buffer(curPos, 4), "value = " .. value)

The "value = 3.8"-String was displayed in Wireshark.

I added a ProtoField-variable and added it into the proto.fields-array. And then changed the valueNode definition so it now looks like this:

my_proto=Proto("my_proto", "My custom Protocol", "My custom Protocol")
local field_myproto_intfield = ProtoField.uint32("myproto.intfield", "Integer", base.DEC)
my_proto.fields = { field_myproto_intfield }
local my_proto_packet = tree:add(my_proto, buffer(),"My custom protocol");
*something something*

valueNode:add(field_myproto_intfield, buffer(curPos, 4))
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-11-22 12:51:33 +0000

Seen: 1,411 times

Last updated: Dec 06 '19

Related questions

Any way to use cmd tshark for a gns3 wire?

Is it possible to disable all TCP expert information in tshark when outputting JSON?

Testing Lua Dissectors [closed]

Is there a simple LUA script as an example for simple pcaps?

Seeing lines with "Capture-DEBUG" string in json output

lua script for 80211ah

Generate dissector from JSON message description

tshark export to ek json too slow?

how to invert two bytes in lua script dissector ?

Adjusting Bit order and Endianess in LUA between Dissectors