


Is there any way to convert a JSON packet file into a pcap file?

Hello everyone :) . I'm trying to use some JSON files about DNP3 packets. The problem is that I don't have the corresponding pcap files, and I need them because I want to convert the JSON in order to submit it into Elasticsearch.

Here is an example of one of my JSON packets:

{
"_index": "packets-2020-10-17",
"_type": "doc",
"_score": null,
"_source": {
  "layers": {
    "frame": {
      "frame.interface_id": "0",
      "frame.interface_id_tree": {
        "frame.interface_name": "ens224"
      },
      "frame.encap_type": "1",
      "frame.time": "Oct 17, 2020 10:51:44.072688465 Central Daylight Time",
      "frame.offset_shift": "0.000000000",
      "frame.time_epoch": "1602949904.072688465",
      "frame.time_delta": "0.000000000",
      "frame.time_delta_displayed": "0.000000000",
      "frame.time_relative": "0.000000000",
      "frame.number": "1",
      "frame.len": "72",
      "frame.cap_len": "72",
      "frame.marked": "0",
      "frame.ignored": "0",
      "frame.protocols": "eth:ethertype:ip:tcp:dnp3",
      "frame.coloring_rule.name": "TCP",
      "frame.coloring_rule.string": "tcp"
    },
    "eth": {
      "eth.dst": "00:00:00:aa:00:25",
      "eth.dst_tree": {
        "eth.dst_resolved": "00:00:00_aa:00:25",
        "eth.dst.oui": "0",
        "eth.dst.oui_resolved": "Officially Xerox, but 0:0:0:0:0:0 is more common",
        "eth.addr": "00:00:00:aa:00:25",
        "eth.addr_resolved": "00:00:00_aa:00:25",
        "eth.addr.oui": "0",
        "eth.addr.oui_resolved": "Officially Xerox, but 0:0:0:0:0:0 is more common",
        "eth.dst.lg": "0",
        "eth.lg": "0",
        "eth.dst.ig": "0",
        "eth.ig": "0"
      },
      "eth.src": "00:50:56:9c:5f:cc",
      "eth.src_tree": {
        "eth.src_resolved": "VMware_9c:5f:cc",
        "eth.src.oui": "20566",
        "eth.src.oui_resolved": "VMware, Inc.",
        "eth.addr": "00:50:56:9c:5f:cc",
        "eth.addr_resolved": "VMware_9c:5f:cc",
        "eth.addr.oui": "20566",
        "eth.addr.oui_resolved": "VMware, Inc.",
        "eth.src.lg": "0",
        "eth.lg": "0",
        "eth.src.ig": "0",
        "eth.ig": "0"
      },
      "eth.type": "0x00000800"
    },
    "ip": {
      "ip.version": "4",
      "ip.hdr_len": "20",
      "ip.dsfield": "0x00000000",
      "ip.dsfield_tree": {
        "ip.dsfield.dscp": "0",
        "ip.dsfield.ecn": "0"
      },
      "ip.len": "58",
      "ip.id": "0x000009f9",
      "ip.flags": "0x00004000",
      "ip.flags_tree": {
        "ip.flags.rb": "0",
        "ip.flags.df": "1",
        "ip.flags.mf": "0"
      },
      "ip.frag_offset": "0",
      "ip.ttl": "64",
      "ip.proto": "6",
      "ip.checksum": "0x0000c405",
      "ip.checksum.status": "2",
      "ip.src": "172.16.0.2",
      "ip.addr": "172.16.0.2",
      "ip.src_host": "172.16.0.2",
      "ip.host": "172.16.0.2",
      "ip.dst": "192.168.0.5",
      "ip.addr": "192.168.0.5",
      "ip.dst_host": "192.168.0.5",
      "ip.host": "192.168.0.5"
    },
    "tcp": {
      "tcp.srcport": "41391",
      "tcp.dstport": "20000",
      "tcp.port": "41391",
      "tcp.port": "20000",
      "tcp.stream": "0",
      "tcp.len": "18",
      "tcp.seq": "1",
      "tcp.seq_raw": "3359839259",
      "tcp.nxtseq": "19",
      "tcp.ack": "1",
      "tcp.ack_raw": "1388983197",
      "tcp.hdr_len": "20",
      "tcp.flags": "0x00000018",
      "tcp.flags_tree": {
        "tcp.flags.res": "0",
        "tcp.flags.ns": "0",
        "tcp.flags.cwr": "0",
        "tcp.flags.ecn": "0",
        "tcp.flags.urg": "0",
        "tcp.flags.ack": "1",
        "tcp.flags.push": "1",
        "tcp.flags.reset": "0",
        "tcp.flags.syn": "0",
        "tcp.flags.fin": "0",
        "tcp.flags.str": "·······AP···"
      },
      "tcp.window_size_value": "501",
      "tcp.window_size": "501",
      "tcp.window_size_scalefactor": "-1",
      "tcp.checksum": "0x00006cec",
      "tcp.checksum.status": "2",
      "tcp.urgent_pointer": "0",
      "tcp.analysis": {
        "tcp.analysis.bytes_in_flight": "18",
        "tcp.analysis.push_bytes_sent": "18"
      },
      "Timestamps": {
        "tcp.time_relative": "0.000000000",
        "tcp.time_delta": "0.000000000"
      },
      "tcp.payload": "05:64:0b:c4:59:02:01:00:d4:49:ca:ca:01:3c:01:06:d1:ff",
      "tcp.pdu.size": "18"
    },
    "dnp3": {
      "Data Link Layer, Len: 11, From: 1, To: 601, DIR, PRM, Unconfirmed User Data": {
        "dnp3.start": "0x00000564",
        "dnp3.len": "11",
        "dnp3.ctl": "0x000000c4",
        "dnp3.ctl_tree": {
          "dnp3.ctl.dir": "1",
          "dnp3.ctl.prm": "1",
          "dnp3.ctl.fcb": "0",
          "dnp3.ctl.fcv": "0",
          "dnp3.ctl.prifunc": "4"
        },
        "dnp3.dst": "601",
        "dnp3.addr": "601",
        "dnp3.src": "1",
        "dnp3.addr": "1",
        "dnp3.hdr.CRC": "0x000049d4",
        "dnp.hdr.CRC.status": "1"
      },
      "dnp3.tr.ctl": "0x000000ca",
      "dnp3.tr.ctl_tree": {
        "dnp3.tr.fin": "1",
        "dnp3.tr.fir": "1",
        "dnp3.tr.seq": "10"
      },
      "Data Chunks": {
        "Data Chunk: 0": {
          "dnp.data_chunk": "ca:ca:01:3c:01:06",
          "dnp.data_chunk_len": "6",
          "dnp.data_chunk.CRC": "0x0000ffd1",
          "dnp.data_chunk.CRC.status": "1"
        }
      },
      "dnp3.al.fragments": {
        "dnp3.al.fragment": "1",
        "dnp3.al.fragment.count": "1",
        "dnp3.al.fragment.reassembled.length": "5"
      },
      "Application Layer: (FIR, FIN, Sequence 10, Read)": {
        "dnp3.al.ctl": "0x000000ca",
        "dnp3.al.ctl_tree": {
          "dnp3.al.fir": "1",
          "dnp3.al.fin": "1",
          "dnp3.al.con": "0",
          "dnp3.al.uns": "0",
          "dnp3.al.seq": "10"
        },
        "dnp3.al.func": "1",
        "READ Request Data Objects": {
          "dnp3.al.obj": "15361",
          "dnp3.al.obj_tree": {
            "Qualifier Field, Prefix: None, Range: No Range Field": {
              "dnp3.al.objq.prefix": "0",
              "dnp3.al.objq.range": "6"
            },
            "Number of Items: 0": ""
          }
        }
      }
    }
  }
}

So, does anyone have any idea how to reverse this process in order to generate the pcap file again?

Thanks in advance :)