Ask Your Question
0

Tshark output single line json

asked 2019-11-23 13:25:40 +0000

mpk93 gravatar image

I want to live analyze packets captured with tshark in python.

tshark -i <interface> -T ek -l

Is pretty close to what I need. The problem is the naming. I get much better results with -T json but the results are not a single line for a single packet.

So before writing complicated logic to parse -T json output, I wanted to ask for any other ideas.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-11-23 15:52:20 +0000

Chuckc gravatar image

updated 2019-11-23 15:52:52 +0000

It is best if you can define an end condition where the capture ends on its own.
Doing a ^c stops capture but doesn't write a complete last packet captured.
Defining a finish condition get the final "]" to match the opening "[".

tshark -Tjson -c 10 | tr -d '\n' > json.out
cat json.out | sed -e "s/},  {/},\n  {/g" > json2.out
edit flag offensive delete link more

Comments

If by

Doing a ^c stops capture but doesn't write a complete last packet captured.

you mean, for example, that if you do

tshark -i <interface> -T ek -l | {program that reads the Elasticsearch output}

and interrupt TShark with ^C, there's no final "]", that's a bug - and, in fact, I just tried

tshark -i en0 -T ek -l | cat >/tmp/testfile

and ^C'ed it, and /tmp/testfile did, in fact, have no final "]" - that's a bug, and it should be reported on the Wireshark Bugzilla.

Guy Harris gravatar imageGuy Harris ( 2019-11-24 03:42:04 +0000 )edit

tshark catches ^c and exits clean.
I think it is the second command after the pipe that exits abruptly.
If I kill dumpcap then everything exits clean and writes the "]".
So either define tshark capture end condition or open another shell, look for dumpcap and kill it.

root@kali:~# tshark -Tjson > ctrl_c.out
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
14 ^C
root@kali:~# tail -2 ./ctrl_c.out
  }
]

root@kali:~# tshark -Tjson | tr -d '\n' > ctrl_c.out
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
8 ^Ctshark: An error occurred while printing packets: Broken pipe.

root@kali:~#
Chuckc gravatar imageChuckc ( 2019-11-24 14:18:12 +0000 )edit

Thanks for your answer. Unfortunately thats not what I am searching for. I want to analyze live traffic for an undefined amount of time, so a capture is a long running task. My question was simply if there is some way to force tshark to output one line for each packet received as json. Just like -T ek does but better formatted and named. Thanks

mpk93 gravatar imagempk93 ( 2019-11-24 17:01:30 +0000 )edit

Ok. Perhaps someone else can get sed to act on the stream.
The output from tr -d '\n' is one continuous stream without packet breaks.
Need something like fold but doing it on a string not number of characters.

Chuckc gravatar imageChuckc ( 2019-11-24 18:37:17 +0000 )edit

This will work unless the input data has a \r in it.

    tshark -Tjson  | sed -e "s/^  },$/ },\r/g" | tr -d '\n' | tr -s '\r' '\n'
Chuckc gravatar imageChuckc ( 2019-11-24 23:04:42 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-11-23 13:25:40 +0000

Seen: 3,524 times

Last updated: Nov 23 '19