Ask Your Question
0

json export multiple layers

asked 2022-04-21 14:34:07 +0000

Rev gravatar image

updated 2022-05-04 18:50:42 +0000

I have a captured structure package

[
  {
    "_index": "packets-2022-01-25",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "filtered": "frame"
        },
        "eth": {
          "filtered": "eth"
        },
        "ip": {
          "filtered": "ip"
        },
        "sctp": {
          "filtered": "sctp"
        },
        "s1ap": {
          "filtered": "s1ap"
        },
        "sctp": {
          "filtered": "sctp"
        },
        "s1ap": {
          "filtered": "s1ap"
        }
      }
    }
  }
]

command -T json -e s1ap.CellIdentity -e s1ap.ENB_UE_S1AP_ID -e s1ap.m_TMSI return

[
  {
    "_index": "packets-2022-01-25",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "s1ap.CellIdentity": [
          "0x06eddd33",
          "0x06eddd34"
        ],
        "s1ap.ENB_UE_S1AP_ID": [
          "278442",
          "278472"
        ],
        "s1ap.m_TMSI": [
          "4195248394"
        ]
      }
    }
  }
]

how can I find out which layer belongs to "s1ap.m_TMSI": ["4195248394"]

perhaps there are ways to fill in fields in the absence of values?

edit retag flag offensive close merge delete

Comments

Can you share a packet capture file with this structure?

Chuckc gravatar imageChuckc ( 2022-05-04 20:34:17 +0000 )edit

60 points required to upload files

Sample packet capture file http://filesharing24.com/d/N8n

0000   b0 8b cf 87 47 b7 10 f3 11 20 d8 9f 08 00 45 60
0010   01 1c 30 5d 00 00 3b 84 e4 17 0d 21 31 8d 0d e7
0020   21 f5 8e 46 8e 3c 2f e4 a8 d2 3c 47 9f c0 00 03
0030   00 aa 02 2d e6 9e 00 01 d4 20 00 00 00 12 00 0c
0040   40 80 95 00 00 05 00 08 00 04 80 04 3f aa 00 1a
0050   00 6b 6a 17 7c 82 df d6 25 07 48 e2 0b f6 32 f0
0060   30 27 6f e9 f4 11 70 87 86 50 0b f6 32 f0 30 80
0070   ff a0 d4 26 b8 a9 55 5d a6 fe 9c 58 05 f0 f0 ...
(more)
Rev gravatar imageRev ( 2022-05-05 11:54:39 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-05-05 15:01:50 +0000

Chuckc gravatar image

-T json with -e options loses the tree structure and is only printing fields.

print.c:

    if (fields == NULL || fields->fields == NULL) {
        /* Write out all fields */
...
        data.node_children_grouper = node_children_grouper;

        write_json_proto_node_children(edt->tree, &data);
    } else {
        write_specified_fields(FORMAT_JSON, fields, edt, cinfo, NULL, dumper);
    }
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-04-21 14:34:07 +0000

Seen: 196 times

Last updated: May 05 '22

Related questions

Is it possible to disable all TCP expert information in tshark when outputting JSON?

Seeing lines with "Capture-DEBUG" string in json output

tshark export to ek json too slow?

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?