Get _ws.col.Info, plus all packet fields, as a .json exported file

asked 2021-08-03 04:42:25 +0000

larottao

updated 2021-08-04 00:52:42 +0000

Guy Harris

Hi again guys!

I'm making a little C# code to export expanded PCAP files to a Database.

So far I have succeeded in creating the JSON, however, I noticed that a very nice Wireshark column, _ws.col.Info, is missing on the generated file.

This column would contain very important information for DIAMETER and CAMEL analysis, for example "SACK invoke InitialDP", "invoke eventReportBCSM", "SACK invoke release call", among others.

On previous projects where I was required to export the PCAP as CSV, I was able to do so by using switches like the following one:

-e frame.number -e frame.time -e _ws.col.Info -e diameter.Session-Id -e e164.msisdn -e e212.imsi

However, when I apply the aforementioned filters, I stop getting the whole PCAP file translated as JSON, and only get whichever field is indicated on the filter.

Instead, I would like to get the whole PCAP contents (plus the -e _ws.col.Info field). In that way the user could navigate through the file in a visual way, and later export whatever field he/she wants.

Let me show you some pictures of how the program looks

Picture 1

Picture 2

This is part of the code I came up with, if anybody finds it useful.

    using System;
    using System.IO;
    using System.Threading.Tasks;

    // Two tshark passes: first filter the capture to CAMEL traffic and write a
    // smaller pcap, then dissect that pcap to JSON. UtilsIO.executeExe (runs
    // tshark from SHARK_INSTALL_FOLDER and returns stdout) and UtilsIO.saveTextFile
    // are the poster's own helpers and are not shown here.
    static async Task ExportPcapAsJsonAsync(string pcapFilePath)
    {
        string fileNameWithoutExtension = Path.GetFileNameWithoutExtension(pcapFilePath);
        // Path.GetDirectoryName instead of string.Replace: Replace would also strip
        // an earlier occurrence of the file name inside the directory path.
        string pathWorkingFolder = Path.GetDirectoryName(pcapFilePath);

        // Paths are quoted so folders containing spaces survive the command line.
        string pathFilteredPcap = "\"" + Path.Combine(pathWorkingFolder, fileNameWithoutExtension + "_filtered.pcap") + "\"";
        string argumentsPcapToFilteredPcap = "-r \"" + pcapFilePath + "\" -Y camel -w " + pathFilteredPcap;

        string consoleOutputPcapToFilteredPcap = await new UtilsIO().executeExe(SHARK_INSTALL_FOLDER, argumentsPcapToFilteredPcap);

        Console.WriteLine(consoleOutputPcapToFilteredPcap);
        Console.WriteLine("Filtered PCAP ready...");

        // Second pass: full dissection of the filtered capture as JSON (-T json).
        string pathJsonFile = Path.Combine(pathWorkingFolder, fileNameWithoutExtension + ".json");
        string argumentsFilteredPcapToJson = "-r " + pathFilteredPcap + " -T json";

        Console.WriteLine("Generating JSON...");

        string consoleOutputFromPcapToJson = await new UtilsIO().executeExe(SHARK_INSTALL_FOLDER, argumentsFilteredPcapToJson);

        UtilsIO.saveTextFile(consoleOutputFromPcapToJson, pathJsonFile);

        Console.WriteLine("JSON Ready...");
    }

As always thank you very much!


Comments

Edited the question's title and added some screenshots to properly explain my problem

larottao (2021-08-03 16:33:32 +0000)

1 Answer

1

answered 2021-08-03 06:04:07 +0000

Chuckc

updated 2021-08-03 14:23:55 +0000

From the tshark man page:

    -e <field>
        Add a field to the list of fields to display if -T ek|fields|json|pdml is selected.

    C:\>tshark -r p:wap_google.pcap -T json -e frame.number -e frame.time -e _ws.col.Info
    [
      {
        "_index": "packets-2005-09-06",
        "_type": "doc",
        "_score": null,
        "_source": {
          "layers": {
            "frame.number": [
              "1"
            ],
            "frame.time": [
              "Sep  6, 2005 01:22:20.851335000 Central Daylight Time"
            ],
            "_ws.col.Info": [
              "WSP Get (0x40) http://wap.google.com/"
            ]
          }
        }
      },
      {
        "_index": "packets-2005-09-06",
    -- snip --

Column fields not displaying using -T {pdml,json,ek}


Comments

Thank you as always for your lightning-fast answers @Chuckc. Sadly I did not express my question properly due to my lack of healthy sleep and proper English. I edited it and added some pictures to make my objective more clear. The problem is getting the whole PCAP transcription, plus the ws_col_info.

larottao (2021-08-03 14:59:58 +0000)

There have been requests for something similar (-e ALL_FIELDS) but doesn't exist now.

This is a messy two part solution:
Wireshark doesn't treat columns as fields but there is a Lua plugin (filtcols) that will make new fields and copy over the column contents. For a short term solution, you could add the filtcols plugin (tweak as needed) and export JSON packet dissections in the Wireshark gui.

The longer solution depends on merge request 2473 - tshark: add --columns option

So columns are not fields but _ws.col in tshark kinda makes them act like fields.
tshark only creates them in special cases and Lua scripts are not one.
The MR is to add another option to tshark to create the _ws.col fields. It's been out there long enough that it needs a rebase but I'm not going to do that until there is some interest ...

Chuckc (2021-08-03 22:28:26 +0000)

Sorry for taking such a long time to answer you. I gave the thumbs up without thinking twice! For the forum readers, I temporarily solved the problem by running tshark twice: the first time, to convert the whole .PCAP file into a .JSON (perhaps filtered by the desired protocol, to make a smaller file); the second time, using the parameters from Chuckc's answer, to get another .JSON file with only frame numbers and _ws.col values. Then I merged the two JSON files, for further filtering and exporting to MySQL. I'm not sure if the forum rules allow me to post that C# code here. To summarize, the "tshark: add --columns option" MR would be the true solution for this problem.

larottao (2021-08-13 04:56:06 +0000)
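The two-pass workaround larottao describes, written out as an added example (not code from the question, the answer or Wireshark): it merges tshark's full `-T json` dissection with the frame-number plus `_ws.col.Info` output of a second `-e` pass, keyed on frame number, and handles the two differing JSON shapes (`-e` output puts `frame.number` at the top of `layers` as a list, the full dissection nests it under `frame`). The tshark argument lists, the capture file name and the sample packets are constructed for illustration.

```python
import json

# The two tshark invocations of the workaround (argv lists only; not executed here).
FULL_PASS_ARGS = ["tshark", "-r", "capture.pcap", "-Y", "camel", "-T", "json"]
INFO_PASS_ARGS = ["tshark", "-r", "capture.pcap", "-Y", "camel", "-T", "json",
                  "-e", "frame.number", "-e", "_ws.col.Info"]

# Constructed stand-ins for the two outputs; the shape follows tshark -T json.
FULL_JSON = json.dumps([
    {"_source": {"layers": {"frame": {"frame.number": "1", "frame.len": "98"},
                            "ip": {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.2"}}}},
    {"_source": {"layers": {"frame": {"frame.number": "2", "frame.len": "74"},
                            "ip": {"ip.src": "10.0.0.2", "ip.dst": "10.0.0.1"}}}},
    {"_source": {"layers": {"frame": {"frame.number": "3", "frame.len": "60"}}}},
])
INFO_JSON = json.dumps([
    {"_source": {"layers": {"frame.number": ["1"],
                            "_ws.col.Info": ["SACK invoke InitialDP"]}}},
    {"_source": {"layers": {"frame.number": ["2"],
                            "_ws.col.Info": ["invoke eventReportBCSM"]}}},
])

def frame_number(packet):
    """Return the frame number whichever JSON shape tshark produced."""
    layers = packet["_source"]["layers"]
    if "frame.number" in layers:                 # -e output: top-level key, list value
        return int(layers["frame.number"][0])
    return int(layers["frame"]["frame.number"])  # full dissection: nested under "frame"

def merge_info(full_text, info_text, missing="<no Info column>"):
    """Copy _ws.col.Info from the -e pass into the full dissection, keyed by frame."""
    full = json.loads(full_text)
    info = {frame_number(p): p["_source"]["layers"]["_ws.col.Info"][0]
            for p in json.loads(info_text)}
    for packet in full:
        # A frame absent from the second pass gets a marker instead of a KeyError,
        # so a mismatch between the two filters is visible in the exported data.
        packet["_source"]["layers"]["_ws.col.Info"] = info.get(frame_number(packet), missing)
    return full

def info_column(merged):
    """Frame number -> Info string, the view a database export would want."""
    return {frame_number(p): p["_source"]["layers"]["_ws.col.Info"] for p in merged}

if __name__ == "__main__":
    print(json.dumps(merge_info(FULL_JSON, INFO_JSON), indent=2))
```

Both passes must use the same display filter (-Y) so the frame numbers line up; frame 3 above shows what happens when they do not.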
