Ask Your Question
0

Use Wireshark I/O Graph to display decoded JSON field value

asked 2021-04-19 10:11:59 +0000

Ganindu gravatar image

updated 2021-04-19 13:09:26 +0000

I have a UDP stream of data coming from a driver, The data is in JSON format:

Screenshot-from-2021-04-19-11-01-36

I want to use the highlighted Number field and plot the value.

I believe the IO graphs are capable of doing this given that I can set the correct "Y axis" and the "Y Field". I tried right clicking on the field to get a filter string the result of "copy as filter" is frame[111:22] == 22:50:4d:32:35:4d:61:73:73:50:65:72:4d:33:22:3a:09:31:32:2e:32:38 and I/O graphs doesn't seem to like that.

Can you please help me fix this?

I've asked on StackOverflow as well (https://stackoverflow.com/questions/6...)

Cheers, Ganindu

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-04-19 14:02:03 +0000

Chuckc gravatar image

json.value.number is a string field:
Display Filter Reference: JavaScript Object Notation

FIELD NAME             DESCRIPTION       TYPE                  VERSIONS
json.value.number   Number value     Character string     1.6.0 to 3.4.4

You might look at exporting it with tshark then graphing in a different program

edit flag offensive delete link more

Comments

Hi Chuck, thanks, I think inside the proverbial wire (where pcap does the intercepting) it's a string. but shouldn't that be understood as a number after going through the Wireshark's JSON parser?

tshark seems interesting but I was hoping that there is a plotting tool within wireshark that would do the job. for me; in this particular case it isn't really a problem because I can easily plot with a simple python script with a JSON parser and matplotlib.

I was just wondering because these kind of tools exist (with i.e. CAN tools) and are quite handy sometimes.

Cheers

Ganindu gravatar imageGanindu ( 2021-04-20 07:47:56 +0000 )edit

You could open an enhancement request.

Based on these comments in packet-json.c, the field type was questioned:

static header_field_info hfi_json_value_number JSON_HFI_INIT = /* FT_DOUBLE/ FT_INT64? */
    { "Number value", "json.value.number", FT_STRING, BASE_NONE, NULL, 0x00, "JSON number value", HFILL };


(not tested) You might try adding a Lua dissector to create a new numeric field and feed that to IO graph.

Chuckc gravatar imageChuckc ( 2021-04-20 16:19:37 +0000 )edit

Hi Chuck, Thanks for the answer. I fixed my problem by making a custom plotter but I think This will be a cool feature for wireshark. Will be a super handy tool.

Ganindu gravatar imageGanindu ( 2021-04-21 15:12:42 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-04-19 10:11:59 +0000

Seen: 1,374 times

Last updated: Apr 19 '21

Related questions

How to trace json in udp data bytes?

My UDP packets aren't showing

What is the udp.length display filter actually for?

how to capture udp traffic with a length of 94

I can't capture anything with the filter (udp port 67) or (udp port 68)

Capture incoming packets from remote web server

Localhost capturing

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

How to filter out TCP retransmissions

How to get TLSv1.2 to decode