Ask Your Question
0

Conversion of data through tshark

asked 2020-01-07 15:20:35 +0000

Neha malhotra gravatar image

Hi Team,

i am using tshark version 2.4.3 for converting files which are in pcap format. While i am trying to convert pcap file to json file, I am not able to find "Field Name" is json file. It seems either data is getting lost or not getting converted.

Command used: tshark -r test.pcap -T ek > test.json

Please suggest.

Thanks & Regards, Neha Malhotra

edit retag flag offensive close merge delete

Comments

Are you expecting a header line like that produced with -T fields ?

bubbasnmp gravatar imagebubbasnmp ( 2020-01-07 15:49:29 +0000 )edit

I need to convert entire pcap log file in to json file. So , I have not specified any fields with paramets -T. Thanks

Neha malhotra gravatar imageNeha malhotra ( 2020-01-07 16:33:23 +0000 )edit

2.4.3 is obsolete, not sure how well it handles json output. Can you move to a newer, supported, version?

grahamb gravatar imagegrahamb ( 2020-01-07 16:39:18 +0000 )edit

I have tried on latest version, and facing the same issue. Please suggest.

Neha malhotra gravatar imageNeha malhotra ( 2020-01-08 22:03:25 +0000 )edit

Can you provide a small example of what the current output is and also what the ideal output would look like?

bubbasnmp gravatar imagebubbasnmp ( 2020-01-08 22:43:10 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-01-09 11:27:08 +0000

grahamb gravatar image

The json has those same values but in the display format, i.e. decimal rather than hex. Eg.

"zbee_zcl_se.pp.attr_id": "1308" is the value in decimal from <field name="zbee_zcl_se.pp.attr_id" **showname="Attribute: Current Day Cost Consumption Delivered (0x051c)"** size="2" pos="10" show="1308" value="1c05"/> which has the raw little-endian value, "0x051c" and the raw hex value "1c05".

json just provides field names and values, xml is much more descriptive.

edit flag offensive delete link more

Comments

I need to apply the filter on the log file based on the value in showname, for example: "Current Day Cost Consumption Delivered". Is there any way we can make this field mandatory in output file, while converting the whole data from pcap to json

Neha malhotra gravatar imageNeha malhotra ( 2020-01-09 11:54:05 +0000 )edit

Can we get output like this, where we have showname as well:

 "@name" : "",
          "@show" : "Attribute Field, Uint: 1593116",
          "@size" : "0",
          "@pos" : "10",
          "field" : [ {
            "@name" : "zbee_zcl_se.pp.attr_id",
            "@showname" : "Attribute: Current Day Cost Consumption Delivered (0x051c)",
            "@size" : "2",
            "@pos" : "10",
            "@show" : "1308",
            "@value" : "1c05"
          }, {
            "@name" : "zbee_zcl.attr.data.type",
            "@showname" : "Data Type: 48-Bit Unsigned Integer (0x25)",
            "@size" : "1",
            "@pos" : "12",
            "@show" : "37",
            "@value" : "25"
          }, {
            "@name" : "zbee_zcl.attr.uint48",
            "@showname" : "Uint48: 1593116 (0x0000000000184f1c)",
            "@size" : "6",
            "@pos" : "13",
            "@show" : "1593116",
            "@value" : "1c4f18000000"
Neha malhotra gravatar imageNeha malhotra ( 2020-01-09 12:10:46 +0000 )edit

I think you'll need one of the *ml formats for that.

grahamb gravatar imagegrahamb ( 2020-01-09 12:15:31 +0000 )edit

How can we use ml format?

Neha malhotra gravatar imageNeha malhotra ( 2020-01-09 14:33:54 +0000 )edit

I meant either of the *ml formats, e.g. -T pdml or -T psml, but checking again it would have to be pdml.

grahamb gravatar imagegrahamb ( 2020-01-09 16:06:43 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-01-07 15:20:35 +0000

Seen: 49 times

Last updated: Jan 09