Ask Your Question
0

duplicated headers in json conversion

asked 2022-11-15 08:38:34 +0000

nasa203 gravatar image

I am doing some capturing using tshark for troubleshooting and got a strange behavior:

I produced a capture file (pcap) with dumpcap and converted it to json with tshark. I then noticed that the headers of some requests (http.request.line) got duplicates of various values (like a long list of headers and values).

For example, I got in the same http.request.line 24 unique User-Agent values, 5 unique Accept values etc...

I did the conversion on an Ubnutu 18.04.4 LTS and tshark version 2.6.10.

I then tries this conversion on a different Ubuntu distribution (Ubuntu 20.04.4 LTS and tshark version 3.2.3) with the same pcap file and got no duplication.

Did you encounter anything like this between those versions?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2022-11-16 18:11:12 +0000

André gravatar image

Note that the support of version 2.6 ended on October 18, 2020.

Add the tshark option --no-duplicate-keys as described on the man-page of tshark https://www.wireshark.org/docs/man-pa... :

If a key appears multiple times in an object, only write it a single time with as value a json array containing all the separate values. (Only works with -T json)

edit flag offensive delete link more

Comments

Thanks for the help.

I tried to add this flag (--no-duplicate-keys) but got the same result.

The strangest behavior is in the http.request line: "http.request": ["1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1",...

Should that be happening even when using the suggested flag?

nasa203 gravatar imagenasa203 ( 2022-11-17 06:33:09 +0000 )edit

I cannot reproduce that, but I don't have these old versions of Wireshark. Also without your pcap I just have to guess what happened.

http.request == 1 means 'this packet contains a http request'. So in itself this is not strange.
http.request.line should be an array now.

André gravatar imageAndré ( 2022-11-17 16:52:29 +0000 )edit

Is this behavior rare? What is the usual cause for it?

nasa203 gravatar imagenasa203 ( 2022-11-20 09:37:19 +0000 )edit

Does this also happen when you use version 3.6 or higher (not EoS)?

André gravatar imageAndré ( 2022-11-22 23:02:29 +0000 )edit

I have tested it on Ubuntu 22.04.1 LTS with tshark v3.6.2 and it doesn't happen (no duplications) (works the same as the windows/ubuntu 20 with tshark 4.0.0 and 3.2.3 respectively).

nasa203 gravatar imagenasa203 ( 2022-11-23 15:10:36 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2022-11-15 08:38:34 +0000

Seen: 934 times

Last updated: Nov 16 '22

Related questions

Is it possible to disable all TCP expert information in tshark when outputting JSON?

Seeing lines with "Capture-DEBUG" string in json output

tshark export to ek json too slow?

Dumpcap captures traffic, but Wireshark and Tshark can't see the interfaces

dumpcap using frame contains and write to file

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark