Ask Your Question
0

JSON duplicated keys in Wireshark Windows

asked 2022-02-07 16:43:44 +0000

nmontesino.c gravatar image

updated 2022-02-07 16:51:46 +0000

Hello,

I'm trying to export some packets from a Wireshark capture to JSON format in Windows.

In this case, I'm getting the key "tls" duplied in the JSON file (from a packet that has several TLS informations). As you might have heard (from RFC 8259):

An object structure is represented as a pair of curly brackets surrounding zero or more name/value pairs (or members). A name is a string. A single colon comes after each name, separating the name from the value. A single comma separates a value from a following name. The names within an object SHOULD be unique.

The rule speaks just about a recommendation, and as I have read, in tshark we do have the option to use --no-duplicate-keys. But, is there any option to use it on Windows GUI?

I'm using 3.6.1 (v3.6.1-0-ga0a473c7c1ba). Capture and JSON export is available at https://mega.nz/file/AnRxmQ5R#xpGvVue...

Thank you.

edit retag flag offensive close merge delete

Comments

You can post captures on a public share and then edit your question with a link to the capture.

grahamb gravatar imagegrahamb ( 2022-02-07 16:48:29 +0000 )edit

@grahamb done, thanks!

nmontesino.c gravatar imagenmontesino.c ( 2022-02-07 16:52:03 +0000 )edit

Does tshark--no-duplicate-keys give the output you're looking for? If that style output was available from the Wireshark gui (set as a preference or export checkbox) sufficient?

Chuckc gravatar imageChuckc ( 2022-02-07 18:22:35 +0000 )edit

@Chuckc Yes, it is was exactly what I was looking for.

Whatever, I already solved it by my own (changing my Python code) this way:

def my_obj_pairs_hook(lst):
    result={}
    count={}
    for key,val in lst:
        if key in count:count[key]=1+count[key]
        else:count[key]=1
        if key in result:
            if count[key] > 2:
                result[key].append(val)
            else:
                result[key]=[result[key], val]
        else:
            result[key]=val
    return result
capture = json.load(open('wireshark.json'), object_pairs_hook=my_obj_pairs_hook)

However I think it could be an useful function to be added. Thanks!

nmontesino.c gravatar imagenmontesino.c ( 2022-02-07 21:38:10 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-02-07 22:46:11 +0000

Chuckc gravatar image

updated 2022-02-07 22:48:19 +0000

Looks like it was added to tshark in Add --no-duplicate-keys tshark option. to fix 12958 - Wrong JSON format returned by new -T json feature.

"Export Packet Dissections -> As JSON" in the GUI is hardcoded to use
the duplicated keys format.
To have it added to the Wireshark gui, open a Enhancement Request (New issue) on the Wireshark Gitlab Issues page.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-02-07 16:43:44 +0000

Seen: 769 times

Last updated: Feb 07 '22

Related questions

Wireshark 2.4.1 GTK Crash on long run

wifi disconnects as wireshark starts

what determines the final windows scaling factor?

Failed to run MSBuild command (CMake Error at CMakeLists.txt:22 (project))

No CMAKE_C(XX)_COMPILER could be found

I am having trouble with Wireshark starting using Windows 10.

Not able to build the wireshark

Error while building wireshark source code using MSbuild

Help to set up a "pass through bridge" sniffer

"No interfaces found" on Windows 10 laptop