Ask Your Question
0

Filter fields in JSON export

asked 2020-01-27 12:09:02 +0000

Neha malhotra gravatar image

updated 2020-01-27 13:49:24 +0000

Jaap gravatar image

Hi Team,

I am trying to read one pcap file, & convert it into Json file using tshark. After converting to Json file, It takes 250Mb per file. There are some fields like frame length, frame number, frame delta difference which are not required in json. Is there any way by which i can discard some of the fields related to frame information while converting to json. Please suggest.

Thanks & Regards, Neha Malhotra

edit retag flag offensive close merge delete

Comments

There's no explicit way to exclude protocols or fields.
You would need to make a pass through the capture to get a protocol list, remove the not needed ones then run another pass with "-J" to only include those protocols. Or grep out what is not needed.

tshark -T json -r ./wireshark_issue.pcap | grep -v "\"frame\."

Not sure what your receiver will do with the empty frame section:

"frame": {
},
Chuckc gravatar imageChuckc ( 2020-01-27 15:17:27 +0000 )edit

Thanks for providing your inputs. Tried using the above mentioned command, It seems it did not filter out the data.

Do we have any command by which we can remove frame related information. For example, I want to remove rows with field name =frame.encap_type & frame.offset_shift

 <proto name="frame" showname="Frame 1: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)" size="56" pos="0">
    <field name="frame.encap_type" showname="Encapsulation type: IEEE 802.15.4 Wireless PAN (104)" size="0" pos="0" show="104"/>
    <field name="frame.time" showname="Arrival Time: Sep 20, 2019 15:30:02.799216000 GMT Daylight Time" size="0" pos="0" show="Sep 20, 2019 15:30:02.799216000 GMT Daylight Time"/>
    <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
    <field name="frame.time_epoch" showname ...
(more)
Neha malhotra gravatar imageNeha malhotra ( 2020-01-30 12:02:02 +0000 )edit

What is the command string used to produce the output above?

Chuckc gravatar imageChuckc ( 2020-01-30 13:44:31 +0000 )edit

tshark -r file.pcap -T pdml > file.xml

Neha malhotra gravatar imageNeha malhotra ( 2020-01-30 15:05:19 +0000 )edit

Can't you use xml tools such as an xml transform (xslt) to post-process the xml? That's assuming the pdml output is well-formed.

grahamb gravatar imagegrahamb ( 2020-01-30 19:24:35 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-01-30 19:04:03 +0000

Chuckc gravatar image

(trouble formatting as a comment with the special characters)

image description

edit flag offensive delete link more

Comments

Thanks for providing your inputs. I have tried above mentioned command. But I coudnt find filtered data. Fields with frame are getting reflected in output file. Please suggest. Thanks

Neha malhotra gravatar imageNeha malhotra ( 2020-01-31 11:25:38 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-01-27 12:09:02 +0000

Seen: 1,486 times

Last updated: Jan 30 '20

Related questions

What does "absent" mean on some fields of the radiotap header?

Getting specific fields from packets

Extraction of field names using tshark

save fields with different mask as an unique field

How can we show long fields in wireshark?

Trying to Combine fields and Stats in an Output File with Tshark

tshark: '-T fields' - Missing MACs in output

Type for Dissecting n-bit Quantities

Meraki Netflow 9 template / analysis mismatch

Displaying custom HTTP2 field in the Transaction