How can I save the packet list exactly as Wireshark is displaying it as a JSON?

I'm using company-provided Wireshark dissectors for 3 proprietary network protocols used by that company.

I want to further analyse the packet capture data, so I need Wireshark to transform it into a common format like JSON. Wireshark knows how to interpret the data using the dissectors and I can access all the fields in the Wireshark GUI.

`tshark -r file.pcapng -V -T json > file.json` almost does what I want. But for some reason, it substitutes a lot of, but not all, the `"field-name":"value"` pairs with `"_ws.lua.text":""`. The same thing happens if I export the packet dissection to JSON in the GUI. In Wireshark everything looks fine, but the JSON file doesn't.

So I know Wireshark has the data I want. How can I make Wireshark save the packet list, exactly as it displays it with all fields expanded, as a JSON file?

Possibly helpful theory of mine: I noticed that in the .lua dissector file, most of the field names that are substituted are defined like this:

    -- lookup table of field descriptions, indexed by two integer keys
    local table = {
      [0] = {
        [1] = {description = "field name 1"},
        [2] = {description = "field name 2"},
      },
    }

and referenced as `table[0][2].description`. Maybe `"_ws.lua.text"` is just a stub for any reference that is returned instead of a value? But Wireshark can access the values, so why doesn't it use them when converting the data to JSON?
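The `_ws.lua.text` abbreviation is what Wireshark's Lua API assigns to text-only tree items, that is, items a dissector adds with a plain string instead of a registered ProtoField; the GUI renders the string, but the JSON exporter has no field name to emit for it. The following is an added example, not the question's dissector or any company code: a toy dissector (assumed name `toy`, placeholder UDP port 49999) that emits the same byte both ways so the difference shows up in `tshark -T json` output.

```lua
-- Added example (not the question's dissector): a toy protocol with one
-- "kind" byte and one "value" byte, dissected two ways.
local toy = Proto("toy", "Toy protocol (added example)")

-- Style A: fields registered as ProtoFields. tshark -T json emits them
-- under their own abbreviations, e.g. "toy.kind": "1".
local f_kind  = ProtoField.uint8("toy.kind",  "Kind",  base.DEC)
local f_value = ProtoField.uint8("toy.value", "Value", base.HEX)
toy.fields = { f_kind, f_value }

-- Lookup table in the style the question describes (constructed).
local descriptions = {
  [0] = {
    [1] = {description = "field name 1"},
    [2] = {description = "field name 2"},
  },
}

function toy.dissector(buffer, pinfo, tree)
  if buffer:len() < 2 then return 0 end
  pinfo.cols.protocol = "TOY"
  local subtree = tree:add(toy, buffer(0, 2))

  -- Style A: values bound to ProtoFields -> named fields in JSON output.
  subtree:add(f_kind, buffer(0, 1))
  subtree:add(f_value, buffer(1, 1))

  -- Style B: text-only item. It looks identical in the GUI, but no
  -- ProtoField backs it, so tshark/JSON export labels it "_ws.lua.text".
  local kind = buffer(0, 1):uint()
  local entry = descriptions[0][kind]
  if entry then
    subtree:add(buffer(1, 1), entry.description .. ": " .. buffer(1, 1):uint())
  end
  return 2
end

-- Placeholder UDP port (assumption) so the toy dissector can be exercised.
DissectorTable.get("udp.port"):add(49999, toy)
```

Loading this as a plugin and running `tshark -r capture.pcapng -T json` shows `toy.kind` and `toy.value` as named keys while the Style B line appears as `_ws.lua.text`, which is the pattern the question reports.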