Hello everyone :). I'm trying to use some JSON files describing DNP3 packets. The problem is that I don't have the corresponding pcap files, and I need them because I want to convert the JSON in order to submit it to Elasticsearch.
I give you an example of my JSON packet:
{
"_index": "packets-2020-10-17",
"_type": "doc",
"_score": null,
"_source": {
"layers": {
"frame": {
"frame.interface_id": "0",
"frame.interface_id_tree": {
"frame.interface_name": "ens224"
},
"frame.encap_type": "1",
"frame.time": "Oct 17, 2020 10:51:44.072688465 Central Daylight Time",
"frame.offset_shift": "0.000000000",
"frame.time_epoch": "1602949904.072688465",
"frame.time_delta": "0.000000000",
"frame.time_delta_displayed": "0.000000000",
"frame.time_relative": "0.000000000",
"frame.number": "1",
"frame.len": "72",
"frame.cap_len": "72",
"frame.marked": "0",
"frame.ignored": "0",
"frame.protocols": "eth:ethertype:ip:tcp:dnp3",
"frame.coloring_rule.name": "TCP",
"frame.coloring_rule.string": "tcp"
},
"eth": {
"eth.dst": "00:00:00:aa:00:25",
"eth.dst_tree": {
"eth.dst_resolved": "00:00:00_aa:00:25",
"eth.dst.oui": "0",
"eth.dst.oui_resolved": "Officially Xerox, but 0:0:0:0:0:0 is more common",
"eth.addr": "00:00:00:aa:00:25",
"eth.addr_resolved": "00:00:00_aa:00:25",
"eth.addr.oui": "0",
"eth.addr.oui_resolved": "Officially Xerox, but 0:0:0:0:0:0 is more common",
"eth.dst.lg": "0",
"eth.lg": "0",
"eth.dst.ig": "0",
"eth.ig": "0"
},
"eth.src": "00:50:56:9c:5f:cc",
"eth.src_tree": {
"eth.src_resolved": "VMware_9c:5f:cc",
"eth.src.oui": "20566",
"eth.src.oui_resolved": "VMware, Inc.",
"eth.addr": "00:50:56:9c:5f:cc",
"eth.addr_resolved": "VMware_9c:5f:cc",
"eth.addr.oui": "20566",
"eth.addr.oui_resolved": "VMware, Inc.",
"eth.src.lg": "0",
"eth.lg": "0",
"eth.src.ig": "0",
"eth.ig": "0"
},
"eth.type": "0x00000800"
},
"ip": {
"ip.version": "4",
"ip.hdr_len": "20",
"ip.dsfield": "0x00000000",
"ip.dsfield_tree": {
"ip.dsfield.dscp": "0",
"ip.dsfield.ecn": "0"
},
"ip.len": "58",
"ip.id": "0x000009f9",
"ip.flags": "0x00004000",
"ip.flags_tree": {
"ip.flags.rb": "0",
"ip.flags.df": "1",
"ip.flags.mf": "0"
},
"ip.frag_offset": "0",
"ip.ttl": "64",
"ip.proto": "6",
"ip.checksum": "0x0000c405",
"ip.checksum.status": "2",
"ip.src": "172.16.0.2",
"ip.addr": "172.16.0.2",
"ip.src_host": "172.16.0.2",
"ip.host": "172.16.0.2",
"ip.dst": "192.168.0.5",
"ip.addr": "192.168.0.5",
"ip.dst_host": "192.168.0.5",
"ip.host": "192.168.0.5"
},
"tcp": {
"tcp.srcport": "41391",
"tcp.dstport": "20000",
"tcp.port": "41391",
"tcp.port": "20000",
"tcp.stream": "0",
"tcp.len": "18",
"tcp.seq": "1",
"tcp.seq_raw": "3359839259",
"tcp.nxtseq": "19",
"tcp.ack": "1",
"tcp.ack_raw": "1388983197",
"tcp.hdr_len": "20",
"tcp.flags": "0x00000018",
"tcp.flags_tree": {
"tcp.flags.res": "0",
"tcp.flags.ns": "0",
"tcp.flags.cwr": "0",
"tcp.flags.ecn": "0",
"tcp.flags.urg": "0",
"tcp.flags.ack": "1",
"tcp.flags.push": "1",
"tcp.flags.reset": "0",
"tcp.flags.syn": "0",
"tcp.flags.fin": "0",
"tcp.flags.str": "·······AP···"
},
"tcp.window_size_value": "501",
"tcp.window_size": "501",
"tcp.window_size_scalefactor": "-1",
"tcp.checksum": "0x00006cec",
"tcp.checksum.status": "2",
"tcp.urgent_pointer": "0",
"tcp.analysis": {
"tcp.analysis.bytes_in_flight": "18",
"tcp.analysis.push_bytes_sent": "18"
},
"Timestamps": {
"tcp.time_relative": "0.000000000",
"tcp.time_delta": "0.000000000"
},
"tcp.payload": "05:64:0b:c4:59:02:01:00:d4:49:ca:ca:01:3c:01:06:d1:ff",
"tcp.pdu.size": "18"
},
"dnp3": {
"Data Link Layer, Len: 11, From: 1, To: 601, DIR, PRM, Unconfirmed User Data": {
"dnp3.start": "0x00000564",
"dnp3.len": "11",
"dnp3.ctl": "0x000000c4",
"dnp3.ctl_tree": {
"dnp3.ctl.dir": "1",
"dnp3.ctl.prm": "1",
"dnp3.ctl.fcb": "0",
"dnp3.ctl.fcv": "0",
"dnp3.ctl.prifunc": "4"
},
"dnp3.dst": "601",
"dnp3.addr": "601",
"dnp3.src": "1",
"dnp3.addr": "1",
"dnp3.hdr.CRC": "0x000049d4",
"dnp.hdr.CRC.status": "1"
},
"dnp3.tr.ctl": "0x000000ca",
"dnp3.tr.ctl_tree": {
"dnp3.tr.fin": "1",
"dnp3.tr.fir": "1",
"dnp3.tr.seq": "10"
},
"Data Chunks": {
"Data Chunk: 0": {
"dnp.data_chunk": "ca:ca:01:3c:01:06",
"dnp.data_chunk_len": "6",
"dnp.data_chunk.CRC": "0x0000ffd1",
"dnp.data_chunk.CRC.status": "1"
}
},
"dnp3.al.fragments": {
"dnp3.al.fragment": "1",
"dnp3.al.fragment.count": "1",
"dnp3.al.fragment.reassembled.length": "5"
},
"Application Layer: (FIR, FIN, Sequence 10, Read)": {
"dnp3.al.ctl": "0x000000ca",
"dnp3.al.ctl_tree": {
"dnp3.al.fir": "1",
"dnp3.al.fin": "1",
"dnp3.al.con": "0",
"dnp3.al.uns": "0",
"dnp3.al.seq": "10"
},
"dnp3.al.func": "1",
"READ Request Data Objects": {
"dnp3.al.obj": "15361",
"dnp3.al.obj_tree": {
"Qualifier Field, Prefix: None, Range: No Range Field": {
"dnp3.al.objq.prefix": "0",
"dnp3.al.objq.range": "6"
},
"Number of Items: 0": ""
}
}
}
}
}
}
So, does anyone have any idea how to reverse-engineer this JSON in order to regenerate the pcap file?
Thanks in advance :)