Conversion of data through tshark

asked 2020-01-07 15:20:35 +0000

Hi Team,

I am using tshark version 2.4.3 for converting files which are in pcap format. While trying to convert a pcap file to a JSON file, I am not able to find "Field Name" in the JSON file. It seems either data is getting lost or not getting converted.

Command used: tshark -r test.pcap -T ek > test.json

Please suggest.

Thanks & Regards, Neha Malhotra

Are you expecting a header line like that produced with -T fields?

I need to convert the entire pcap log file into a JSON file. So, I have not specified any fields with the parameter -T. Thanks

2.4.3 is obsolete, not sure how well it handles json output. Can you move to a newer, supported, version?

I have tried on the latest version and am facing the same issue. Please suggest.

Can you provide a small example of what the current output is and also what the ideal output would look like?

answered 2020-01-09 11:27:08 +0000

The json has those same values but in the display format, i.e. decimal rather than hex. E.g.

"zbee_zcl_se.pp.attr_id": "1308" is the value in decimal from <field name="zbee_zcl_se.pp.attr_id" **showname="Attribute: Current Day Cost Consumption Delivered (0x051c)"** size="2" pos="10" show="1308" value="1c05"/> which has the raw little-endian value, "0x051c" and the raw hex value "1c05".

json just provides field names and values, xml is much more descriptive.

I need to apply the filter on the log file based on the value in showname, for example: "Current Day Cost Consumption Delivered". Is there any way we can make this field mandatory in the output file, while converting the whole data from pcap to json?

Can we get output like this, where we have showname as well:

          "@name" : "",
          "@show" : "Attribute Field, Uint: 1593116",
          "@size" : "0",
          "@pos" : "10",
          "field" : [ {
            "@name" : "zbee_zcl_se.pp.attr_id",
            "@showname" : "Attribute: Current Day Cost Consumption Delivered (0x051c)",
            "@size" : "2",
            "@pos" : "10",
            "@show" : "1308",
            "@value" : "1c05"
          }, {
            "@name" : "",
            "@showname" : "Data Type: 48-Bit Unsigned Integer (0x25)",
            "@size" : "1",
            "@pos" : "12",
            "@show" : "37",
            "@value" : "25"
          }, {
            "@name" : "zbee_zcl.attr.uint48",
            "@showname" : "Uint48: 1593116 (0x0000000000184f1c)",
            "@size" : "6",
            "@pos" : "13",
            "@show" : "1593116",
            "@value" : "1c4f18000000"

I think you'll need one of the *ml formats for that.

How can we use the ml format?

I meant either of the *ml formats, e.g. -T pdml or -T psml, but checking again it would have to be pdml.
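
The PDML route from the last comment, as an added example that is not part of the original thread: the script reads `tshark -T pdml` output and keeps only fields whose showname contains a given text. The function name `match_showname` is hypothetical and the embedded PDML is a constructed sample built around the field attributes quoted above.

```python
import io
import xml.etree.ElementTree as ET

# Constructed PDML fragment; the zbee field attributes are the ones quoted in the thread.
SAMPLE_PDML = b"""<?xml version="1.0"?>
<pdml>
 <packet>
  <proto name="frame">
   <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
  </proto>
  <proto name="zbee_zcl">
   <field name="" show="Attribute Field, Uint: 1593116" size="0" pos="10">
    <field name="zbee_zcl_se.pp.attr_id" showname="Attribute: Current Day Cost Consumption Delivered (0x051c)" size="2" pos="10" show="1308" value="1c05"/>
    <field name="zbee_zcl.attr.uint48" showname="Uint48: 1593116 (0x0000000000184f1c)" size="6" pos="13" show="1593116" value="1c4f18000000"/>
   </field>
  </proto>
 </packet>
 <packet>
  <proto name="frame">
   <field name="frame.number" showname="Frame Number: 2" size="0" pos="0" show="2"/>
  </proto>
 </packet>
</pdml>"""

def match_showname(pdml_stream, needle):
    """Yield (frame_number, field attributes) for fields whose showname contains needle."""
    needle = needle.lower()
    for _, packet in ET.iterparse(pdml_stream, events=("end",)):
        if packet.tag != "packet":
            continue
        frame = packet.find("./proto[@name='frame']/field[@name='frame.number']")
        number = int(frame.get("show")) if frame is not None else None
        for field in packet.iter("field"):  # iter() also walks nested <field> elements
            if needle in field.get("showname", "").lower():
                yield number, dict(field.attrib)
        packet.clear()  # release this packet's subtree before parsing the next one

if __name__ == "__main__":
    import json, sys
    # Usage: tshark -r test.pcap -T pdml | python3 this_script.py "Current Day Cost"
    source = sys.stdin.buffer if len(sys.argv) > 1 else io.BytesIO(SAMPLE_PDML)
    needle = sys.argv[1] if len(sys.argv) > 1 else "Current Day Cost Consumption Delivered"
    for number, attrs in match_showname(source, needle):
        print(json.dumps({"frame": number, **attrs}))
```

Run without arguments it filters the embedded sample; with a search text as the first argument it reads PDML from standard input and prints one JSON object per matching field.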

