
Filter fields in JSON export

Hi Team,

I am trying to read one pcap file and convert it into a JSON file using tshark. After converting to JSON, it takes 250 MB per file. There are some fields like frame length, frame number, frame delta difference which are not required in the JSON. Is there any way by which I can discard some of the fields related to frame information while converting to JSON? Please suggest.

Thanks & Regards, Neha Malhotra

Neha malhotra
asked 2020-01-27 12:09:02 +0000
Jaap
updated 2020-01-27 13:49:24 +0000

Comments

There's no explicit way to exclude protocols or fields.
You would need to make a pass through the capture to get a protocol list, remove the ones not needed, then run another pass with "-J" to only include those protocols. Or grep out what is not needed.

tshark -T json -r ./wireshark_issue.pcap | grep -v "\"frame\."

Not sure what your receiver will do with the empty frame section:

"frame": {
},
Chuckc (2020-01-27 15:17:27 +0000)
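
A more robust alternative to grepping the text, added here as an example and not code from the thread: parse the JSON tshark emits and delete keys by exact name or by namespace, then drop the "frame" layer once it is empty so the receiver never sees a bare "frame": {}. The sample JSON is constructed to mirror the layout of tshark -T json output and is not the poster's data; the script name prune_json.py is hypothetical.

```python
import json
import sys
from typing import Any, Iterable

# Constructed sample in the shape of `tshark -T json` output, trimmed to a few
# fields per layer. It is not output from the poster's capture.
SAMPLE_JSON = """[
  {
    "_index": "packets-2019-09-20",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.encap_type": "104",
          "frame.time": "Sep 20, 2019 15:30:02.799216000 GMT Daylight Time",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1568989802.799216000",
          "frame.number": "1",
          "frame.len": "56"
        },
        "wpan": {
          "wpan.frame_length": "56",
          "wpan.fcf": "0x00008841",
          "wpan.fcf_tree": {
            "wpan.frame_type": "0x00000001",
            "wpan.security": "0"
          }
        }
      }
    }
  },
  {
    "_index": "packets-2019-09-20",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {"frame.encap_type": "104", "frame.number": "2", "frame.len": "12"},
        "wpan": {"wpan.frame_length": "12", "wpan.fcf": "0x00000002"}
      }
    }
  }
]"""


def matches(key: str, patterns: Iterable[str]) -> bool:
    """A pattern ending in '.' drops a whole namespace ('frame.' takes every
    frame.* field); any other pattern must equal the field name exactly, so
    'frame.time' does not also take 'frame.time_epoch' with it."""
    return any(key == p or (p.endswith(".") and key.startswith(p)) for p in patterns)


def prune(node: Any, patterns: Iterable[str], drop_empty: bool = True) -> int:
    """Delete matching keys in place, recursing through the packet list and
    nested objects such as the '*_tree' subtrees. Returns the number of keys
    removed. With drop_empty, an object that this pass emptied (the 'frame'
    layer once all its fields are gone) is deleted as well, so the consumer
    never receives a bare "frame": {}."""
    removed = 0
    if isinstance(node, dict):
        for key in list(node):  # iterate over a copy: we delete while walking
            if matches(key, patterns):
                del node[key]
                removed += 1
                continue
            child = node[key]
            n = prune(child, patterns, drop_empty)
            removed += n
            if drop_empty and n and isinstance(child, dict) and not child:
                del node[key]
    elif isinstance(node, list):
        for item in node:
            removed += prune(item, patterns, drop_empty)
    return removed


def filter_tshark_json(text: str, patterns: Iterable[str], drop_empty: bool = True) -> list:
    """Parse tshark JSON text, prune it and return the packet list."""
    packets = json.loads(text)
    prune(packets, tuple(patterns), drop_empty)
    return packets


def layer_names(packet: dict) -> list:
    """Protocol layers still present in one packet, in tshark's order."""
    return list(packet["_source"]["layers"])


if __name__ == "__main__":
    # tshark -T json -r capture.pcap | python3 prune_json.py frame.encap_type frame.offset_shift
    # (hypothetical script name; with no arguments the whole frame layer is dropped)
    wanted_gone = sys.argv[1:] or ["frame."]
    json.dump(filter_tshark_json(sys.stdin.read(), wanted_gone), sys.stdout, indent=2)
```

Because the filter works on parsed JSON rather than lines of text, it is unaffected by how tshark wraps or indents its output, and nested subtrees are handled the same way as top-level layers.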

Thanks for providing your inputs. I tried using the above-mentioned command; it seems it did not filter out the data.

Do we have any command by which we can remove frame-related information? For example, I want to remove rows with field name = frame.encap_type and frame.offset_shift

 <proto name="frame" showname="Frame 1: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)" size="56" pos="0">
    <field name="frame.encap_type" showname="Encapsulation type: IEEE 802.15.4 Wireless PAN (104)" size="0" pos="0" show="104"/>
    <field name="frame.time" showname="Arrival Time: Sep 20, 2019 15:30:02.799216000 GMT Daylight Time" size="0" pos="0" show="Sep 20, 2019 15:30:02.799216000 GMT Daylight Time"/>
    <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
    <field name="frame.time_epoch" showname ...
Neha malhotra (2020-01-30 12:02:02 +0000)

What is the command string used to produce the output above?

Chuckc (2020-01-30 13:44:31 +0000)

tshark -r file.pcap -T pdml > file.xml

Neha malhotra (2020-01-30 15:05:19 +0000)

Can't you use XML tools such as an XML transform (XSLT) to post-process the XML? That's assuming the PDML output is well-formed.

grahamb (2020-01-30 19:24:35 +0000)
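
The XML post-processing grahamb suggests, carried out with Python's standard-library ElementTree rather than an XSLT stylesheet (the standard library ships no XSLT processor). This is an added example, not code from the thread. The PDML below is constructed from the fragment the poster quoted, with a placeholder creator version, and the script name prune_pdml.py is hypothetical. It removes <field> elements by exact name or namespace, including the nested bitfield children PDML puts under a parent field, and drops a <proto> that the pass leaves empty.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Iterable

# Constructed PDML in the shape of `tshark -T pdml` output, modelled on the
# fragment quoted in the question; it is not the poster's file.
SAMPLE_PDML = """<?xml version="1.0" encoding="utf-8"?>
<pdml version="0" creator="wireshark/x.y.z" time="Thu Jan 30 12:00:00 2020" capture_file="wireshark_issue.pcap">
<packet>
  <proto name="geninfo" pos="0" showname="General information" size="56">
    <field name="num" pos="0" show="1" showname="Number" value="1" size="56"/>
    <field name="len" pos="0" show="56" showname="Frame Length" value="38" size="56"/>
  </proto>
  <proto name="frame" showname="Frame 1: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)" size="56" pos="0">
    <field name="frame.encap_type" showname="Encapsulation type: IEEE 802.15.4 Wireless PAN (104)" size="0" pos="0" show="104"/>
    <field name="frame.time" showname="Arrival Time: Sep 20, 2019 15:30:02.799216000 GMT Daylight Time" size="0" pos="0" show="Sep 20, 2019 15:30:02.799216000 GMT Daylight Time"/>
    <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
    <field name="frame.len" showname="Frame Length: 56 bytes (448 bits)" size="0" pos="0" show="56"/>
  </proto>
  <proto name="wpan" showname="IEEE 802.15.4 Data" size="9" pos="0">
    <field name="wpan.fcf" showname="Frame Control Field: 0x8841" size="2" pos="0" show="0x00008841" value="4188">
      <field name="wpan.frame_type" showname=".... .... .... .001 = Frame Type: Data (0x1)" size="2" pos="0" show="0x00000001" value="1" unmaskedvalue="4188"/>
      <field name="wpan.security" showname=".... .... .... 0... = Security Enabled: False" size="2" pos="0" show="0" value="0" unmaskedvalue="4188"/>
    </field>
  </proto>
</packet>
</pdml>
"""


def matches(name: str, patterns: Iterable[str]) -> bool:
    """'frame.' drops the whole namespace; 'frame.time' drops exactly that field."""
    return any(name == p or (p.endswith(".") and name.startswith(p)) for p in patterns)


def prune_fields(parent: ET.Element, patterns: Iterable[str]) -> int:
    """Remove matching <field> elements below `parent`, recursing into nested
    fields (PDML nests bitfield children under their parent field). Removing a
    field removes its whole subtree. Returns the number of elements removed."""
    removed = 0
    for child in list(parent):  # copy: we remove while iterating
        if child.tag == "field" and matches(child.get("name", ""), patterns):
            parent.remove(child)
            removed += 1
        else:
            removed += prune_fields(child, patterns)
    return removed


def prune_pdml(xml_text: str, patterns: Iterable[str], drop_empty_protos: bool = True) -> str:
    """Return the PDML with matching fields removed. A <proto> that this pass
    emptied (frame, once every frame.* field is gone) is dropped as well
    unless drop_empty_protos is False."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # bytes: the declared encoding is honoured
    pats = tuple(patterns)
    for packet in list(root.iter("packet")):  # materialise before mutating the tree
        for proto in list(packet):
            n = prune_fields(proto, pats)
            if drop_empty_protos and n and len(proto) == 0:
                packet.remove(proto)
    return ET.tostring(root, encoding="unicode")


def field_names(xml_text: str) -> list:
    """Field names in document order, for checking what a pass left behind."""
    return [f.get("name") for f in ET.fromstring(xml_text.encode("utf-8")).iter("field")]


def proto_names(xml_text: str) -> list:
    """Protocol layer names in document order."""
    return [p.get("name") for p in ET.fromstring(xml_text.encode("utf-8")).iter("proto")]


if __name__ == "__main__":
    # tshark -r file.pcap -T pdml | python3 prune_pdml.py frame.encap_type frame.offset_shift > file.xml
    # (hypothetical script name; with no arguments the whole frame layer is dropped)
    sys.stdout.write(prune_pdml(sys.stdin.read(), sys.argv[1:] or ["frame."]))
```

Note that the geninfo layer repeats the frame number and length under the names num and len, so a consumer that only needs those two values can keep geninfo and drop the frame layer entirely.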

1 Answer


(trouble formatting as a comment with the special characters)

[image]

Chuckc
answered 2020-01-30 19:04:03 +0000

Comments

Thanks for providing your inputs. I have tried the above-mentioned command, but I couldn't find filtered data. Fields with frame are getting reflected in the output file. Please suggest. Thanks

Neha malhotra (2020-01-31 11:25:38 +0000)
