Ask Your Question
0

Is there any way to convert a JSON packet file into pcap file

asked 2022-03-24 19:26:50 +0000

Hello everyone :) . I'm trying to use some JSON files about DNP3 packets. The problem is that I haven't got those pcap files and I need it because I want to convert the JSON in order to submit into elasticseacrh.

I give you an example of my JSON packet:

{
"_index": "packets-2020-10-17",
"_type": "doc",
"_score": null,
"_source": {
  "layers": {
    "frame": {
      "frame.interface_id": "0",
      "frame.interface_id_tree": {
        "frame.interface_name": "ens224"
      },
      "frame.encap_type": "1",
      "frame.time": "Oct 17, 2020 10:51:44.072688465 Central Daylight Time",
      "frame.offset_shift": "0.000000000",
      "frame.time_epoch": "1602949904.072688465",
      "frame.time_delta": "0.000000000",
      "frame.time_delta_displayed": "0.000000000",
      "frame.time_relative": "0.000000000",
      "frame.number": "1",
      "frame.len": "72",
      "frame.cap_len": "72",
      "frame.marked": "0",
      "frame.ignored": "0",
      "frame.protocols": "eth:ethertype:ip:tcp:dnp3",
      "frame.coloring_rule.name": "TCP",
      "frame.coloring_rule.string": "tcp"
    },
    "eth": {
      "eth.dst": "00:00:00:aa:00:25",
      "eth.dst_tree": {
        "eth.dst_resolved": "00:00:00_aa:00:25",
        "eth.dst.oui": "0",
        "eth.dst.oui_resolved": "Officially Xerox, but 0:0:0:0:0:0 is more common",
        "eth.addr": "00:00:00:aa:00:25",
        "eth.addr_resolved": "00:00:00_aa:00:25",
        "eth.addr.oui": "0",
        "eth.addr.oui_resolved": "Officially Xerox, but 0:0:0:0:0:0 is more common",
        "eth.dst.lg": "0",
        "eth.lg": "0",
        "eth.dst.ig": "0",
        "eth.ig": "0"
      },
      "eth.src": "00:50:56:9c:5f:cc",
      "eth.src_tree": {
        "eth.src_resolved": "VMware_9c:5f:cc",
        "eth.src.oui": "20566",
        "eth.src.oui_resolved": "VMware, Inc.",
        "eth.addr": "00:50:56:9c:5f:cc",
        "eth.addr_resolved": "VMware_9c:5f:cc",
        "eth.addr.oui": "20566",
        "eth.addr.oui_resolved": "VMware, Inc.",
        "eth.src.lg": "0",
        "eth.lg": "0",
        "eth.src.ig": "0",
        "eth.ig": "0"
      },
      "eth.type": "0x00000800"
    },
    "ip": {
      "ip.version": "4",
      "ip.hdr_len": "20",
      "ip.dsfield": "0x00000000",
      "ip.dsfield_tree": {
        "ip.dsfield.dscp": "0",
        "ip.dsfield.ecn": "0"
      },
      "ip.len": "58",
      "ip.id": "0x000009f9",
      "ip.flags": "0x00004000",
      "ip.flags_tree": {
        "ip.flags.rb": "0",
        "ip.flags.df": "1",
        "ip.flags.mf": "0"
      },
      "ip.frag_offset": "0",
      "ip.ttl": "64",
      "ip.proto": "6",
      "ip.checksum": "0x0000c405",
      "ip.checksum.status": "2",
      "ip.src": "172.16.0.2",
      "ip.addr": "172.16.0.2",
      "ip.src_host": "172.16.0.2",
      "ip.host": "172.16.0.2",
      "ip.dst": "192.168.0.5",
      "ip.addr": "192.168.0.5",
      "ip.dst_host": "192.168.0.5",
      "ip.host": "192.168.0.5"
    },
    "tcp": {
      "tcp.srcport": "41391",
      "tcp.dstport": "20000",
      "tcp.port": "41391",
      "tcp.port": "20000",
      "tcp.stream": "0",
      "tcp.len": "18",
      "tcp.seq": "1",
      "tcp.seq_raw": "3359839259",
      "tcp.nxtseq": "19",
      "tcp.ack": "1",
      "tcp.ack_raw": "1388983197",
      "tcp.hdr_len": "20",
      "tcp.flags": "0x00000018",
      "tcp.flags_tree": {
        "tcp.flags.res": "0",
        "tcp.flags.ns": "0",
        "tcp.flags.cwr": "0",
        "tcp.flags.ecn": "0",
        "tcp.flags.urg": "0",
        "tcp.flags.ack": "1",
        "tcp.flags.push": "1",
        "tcp.flags.reset": "0",
        "tcp.flags.syn": "0",
        "tcp.flags.fin": "0",
        "tcp.flags.str": "·······AP···"
      },
      "tcp.window_size_value": "501",
      "tcp.window_size": "501",
      "tcp.window_size_scalefactor": "-1",
      "tcp.checksum": "0x00006cec",
      "tcp.checksum.status": "2",
      "tcp.urgent_pointer": "0",
      "tcp.analysis": {
        "tcp.analysis.bytes_in_flight": "18",
        "tcp.analysis ...
(more)
edit retag flag offensive close merge delete

Comments

There's not much (any?) documentation but you could start with json2pcap.py
Mentioned in this question: Where is tshark -T jsonraw documented?

Chuckc gravatar imageChuckc ( 2022-03-24 20:01:44 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2022-03-24 19:51:31 +0000

Guy Harris gravatar image

No tool I know of exists to do that. It could perhaps be done by a tedious manual process of translating field names to the byte offsets, or one could instead go through a tedious manual process of writing code to do that.

Note that nowhere in the Wireshark code is there a table to map field names to offsets - for some named fields, there isn't even a guarantee that the field will always appear at the same offset in a packet!

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2022-03-24 19:24:28 +0000

Seen: 76 times

Last updated: Mar 24