
Get _ws.col.Info, plus all packet fields, as a .json exported file


Hi again guys!

I'm making a little C# code to export expanded PCAP files to a Database.

So far I have succeeded in creating the JSON, however, I noticed that a very nice Wireshark column, _ws.col.Info, is missing on the generated file.

This column would contain very important information for DIAMETER and CAMEL analysis, for example "SACK invoke InitialDP", "invoke eventReportBCSM", "SACK invoke release call", among others.

On previous projects where I was required to export the PCAP as CSV, I was able to do so by using switches like the following one:

-e frame.number -e frame.time -e _ws.col.Info -e diameter.Session-Id -e e164.msisdn -e e212.imsi

However, when I apply the aforementioned filters, I stop getting the whole PCAP file translated as JSON, and only get whichever field is indicated on the filter.

Instead, I would like to get the whole PCAP contents (plus the -e _ws.col.Info field). In that way the user could navigate through the file in a visual way, and later export whatever field he/she wants.

Let me show you some pictures of how the program looks:

[Picture 1]

[Picture 2]

This is part of the code I came up with, if anybody finds it useful:

    // Requires: using System; using System.IO;
    // UtilsIO.executeExe / UtilsIO.saveTextFile are my own helpers (not shown):
    // executeExe runs tshark from SHARK_INSTALL_FOLDER with the given argument string
    // and returns its standard output.

    // Derive the output locations from the input capture path.
    string fileNameWithoutExtension = Path.GetFileNameWithoutExtension(pcapFilePath);
    string pathWorkingFolder = Path.GetDirectoryName(pcapFilePath) ?? ".";

    // Pass 1: read the capture, keep only CAMEL packets (-Y), write them to a smaller pcap (-w).
    // Every path is wrapped in double quotes so that spaces survive the command-line split.
    string pathFilteredPcap = Path.Combine(pathWorkingFolder, fileNameWithoutExtension + "_filtered.pcap");
    string argumentsPcapToFilteredPcap = "-r \"" + pcapFilePath + "\" -Y camel -w \"" + pathFilteredPcap + "\"";

    string consoleOutputPcapToFilteredPcap = await new UtilsIO().executeExe(SHARK_INSTALL_FOLDER, argumentsPcapToFilteredPcap);

    Console.WriteLine(consoleOutputPcapToFilteredPcap);
    Console.WriteLine("Filtered PCAP ready...");

    // Pass 2: dissect the filtered pcap as JSON. With no -e options tshark emits every field.
    string pathJsonFile = Path.Combine(pathWorkingFolder, fileNameWithoutExtension + ".json");
    string argumentsFilteredPcapToJson = "-r \"" + pathFilteredPcap + "\" -T json";

    Console.WriteLine("Generating JSON...");

    string consoleOutputFromPcapToJson = await new UtilsIO().executeExe(SHARK_INSTALL_FOLDER, argumentsFilteredPcapToJson);

    UtilsIO.saveTextFile(consoleOutputFromPcapToJson, pathJsonFile);

    Console.WriteLine("JSON Ready...");

As always thank you very much!

menticol, asked 2021-08-03 04:42:25 +0000
updated by Guy Harris, 2021-08-04 00:52:42 +0000

Comments

Edited the question's title and added some screenshots to properly explain my problem

menticol (2021-08-03 16:33:32 +0000)

1 Answer


From the tshark man page:

    -e <field>
    Add a field to the list of fields to display if -T ek|fields|json|pdml is selected.

    C:\>tshark -r p:wap_google.pcap -T json -e frame.number -e frame.time -e _ws.col.Info
    [
      {
        "_index": "packets-2005-09-06",
        "_type": "doc",
        "_score": null,
        "_source": {
          "layers": {
            "frame.number": [
              "1"
            ],
            "frame.time": [
              "Sep  6, 2005 01:22:20.851335000 Central Daylight Time"
            ],
            "_ws.col.Info": [
              "WSP Get (0x40) http://wap.google.com/"
            ]
          }
        }
      },
      {
        "_index": "packets-2005-09-06",
    -- snip --

Column fields not displaying using -T {pdml,json,ek}

Chuckc, answered 2021-08-03 06:04:07 +0000, updated 2021-08-03 14:23:55 +0000

Comments

Thank you as always for your lightning-fast answers @Chuckc. Sadly I did not express my question properly due to my lack of healthy sleep and proper English. I edited it and added some pictures to make my objective more clear. The problem is getting the whole PCAP transcription, plus the _ws.col.Info.

menticol (2021-08-03 14:59:58 +0000)

There have been requests for something similar (-e ALL_FIELDS) but it doesn't exist now.

This is a messy two-part solution:
Wireshark doesn't treat columns as fields, but there is a Lua plugin (filtcols) that will make new fields and copy over the column contents. For a short-term solution, you could add the filtcols plugin (tweak as needed) and export JSON packet dissections in the Wireshark GUI.

The longer solution depends on merge request 2473 - tshark: add --columns option

So columns are not fields, but _ws.col in tshark kinda makes them act like fields.
tshark only creates them in special cases, and Lua scripts are not one.
The MR is to add another option to tshark to create the _ws.col fields. It's been out there long enough that it needs a rebase, but I'm not going to do that until there is some interest ...

Chuckc (2021-08-03 22:28:26 +0000)

Sorry for taking such a long time to answer you. I gave the thumbs up without thinking twice! For the forum readers, I temporarily solved the problem by running tshark twice: the first time, to convert the whole .PCAP file into a .JSON (perhaps filtered by the desired protocol, to make a smaller file); the second time, using the parameters from Chuckc's answer, to get another .JSON file with only frame numbers and _ws.col values. Then I merged the two JSON files, for further filtering and exporting to MySQL. I'm not sure if the forum rules allow me to post that C# code here. To summarize, the "tshark: add --columns option" would be the true solution for this problem.

menticol (2021-08-13 04:56:06 +0000)
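The two-pass workaround described in the last comment (one full `-T json` dissection, one `-e frame.number -e _ws.col.Info` pass, joined on frame number), written out as an added example. This is not code from the original post or from the Wireshark project. It assumes `tshark` is on PATH, that the full `-T json` output nests each field under its protocol layer (`layers["frame"]["frame.number"]` is the string `"1"`), and that the `-e` output uses single-element lists (`layers["frame.number"]` is `["1"]`, the shape shown in the answer above). The sample packets at the bottom are constructed, not taken from a real capture, so the script runs without tshark installed; `run_tshark` is what you would call instead on a real file.

```python
"""Two-pass tshark export: full JSON dissection plus the _ws.col.Info column.

Added example, not code from the original post. Assumptions: tshark is on PATH;
full `-T json` output nests fields under their protocol layer, e.g.
layers["frame"]["frame.number"] == "1"; `-e` output uses single-element lists,
e.g. layers["frame.number"] == ["1"] (the shape shown in the answer above).
"""
import copy
import json
import subprocess
from typing import Any, Dict, List, Optional, Tuple

TSHARK = "tshark"  # assumption: resolvable on PATH; use a full path if it is not

Packet = Dict[str, Any]


def full_dissection_argv(pcap: str, read_filter: Optional[str] = "camel") -> List[str]:
    """Pass 1: every dissected field. Built as an argv list, so a capture path
    containing spaces or shell metacharacters is passed through unchanged."""
    argv = [TSHARK, "-r", pcap, "-T", "json"]
    if read_filter:
        argv += ["-Y", read_filter]
    return argv


def info_column_argv(pcap: str, read_filter: Optional[str] = "camel") -> List[str]:
    """Pass 2: only frame.number and the Info column, same file, same filter."""
    argv = [TSHARK, "-r", pcap, "-T", "json", "-e", "frame.number", "-e", "_ws.col.Info"]
    if read_filter:
        argv += ["-Y", read_filter]
    return argv


def run_tshark(argv: List[str]) -> List[Packet]:
    """Run one pass and parse the JSON array tshark writes to stdout."""
    proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def frame_number(packet: Packet) -> str:
    """Return frame.number from either output shape."""
    layers = packet["_source"]["layers"]
    if "frame.number" in layers:              # -e output: {"frame.number": ["1"]}
        return layers["frame.number"][0]
    return layers["frame"]["frame.number"]    # full dissection: {"frame": {"frame.number": "1"}}


def merge_info_column(full: List[Packet], info: List[Packet]) -> Tuple[List[Packet], List[str]]:
    """Attach _ws.col.Info to every packet of the full dissection, keyed on
    frame.number. Returns (merged copies, frame numbers that had no Info entry)."""
    info_by_frame = {frame_number(p): p["_source"]["layers"]["_ws.col.Info"][0] for p in info}
    merged: List[Packet] = []
    unmatched: List[str] = []
    for packet in full:
        packet = copy.deepcopy(packet)        # leave the caller's data untouched
        number = frame_number(packet)
        if number in info_by_frame:
            packet["_source"]["layers"]["_ws.col.Info"] = info_by_frame[number]
        else:
            unmatched.append(number)
        merged.append(packet)
    return merged, unmatched


def field_value(packet: Packet, name: str) -> Any:
    """Look a field up by its filter name (e.g. 'diameter.Session-Id') in a merged
    packet: top level first (injected Info, -e lists), then each protocol layer."""
    layers = packet["_source"]["layers"]
    if name in layers:
        value = layers[name]
        return value[0] if isinstance(value, list) else value
    for layer in layers.values():
        if isinstance(layer, dict) and name in layer:
            return layer[name]
    return None


# Constructed sample output of the two passes (three packets; frame 3 has no Info
# entry, to exercise the unmatched path). Not taken from a real capture.
SAMPLE_FULL: List[Packet] = [
    {"_index": "packets-2021-08-03", "_type": "doc", "_score": None, "_source": {"layers": {
        "frame": {"frame.number": "1", "frame.protocols": "eth:ethertype:ip:sctp:diameter"},
        "diameter": {"diameter.Session-Id": "dra.example;1628000000;1"}}}},
    {"_index": "packets-2021-08-03", "_type": "doc", "_score": None, "_source": {"layers": {
        "frame": {"frame.number": "2", "frame.protocols": "eth:ethertype:ip:sctp:tcap:camel"},
        "e164": {"e164.msisdn": "573001234567"}}}},
    {"_index": "packets-2021-08-03", "_type": "doc", "_score": None, "_source": {"layers": {
        "frame": {"frame.number": "3", "frame.protocols": "eth:ethertype:ip:sctp:tcap:camel"}}}},
]
SAMPLE_INFO: List[Packet] = [
    {"_index": "packets-2021-08-03", "_type": "doc", "_score": None, "_source": {"layers": {
        "frame.number": ["1"], "_ws.col.Info": ["cmd=Credit-Control Request(272) flags=R---"]}}},
    {"_index": "packets-2021-08-03", "_type": "doc", "_score": None, "_source": {"layers": {
        "frame.number": ["2"], "_ws.col.Info": ["invoke InitialDP"]}}},
]


def main() -> None:
    # Real use: run_tshark(full_dissection_argv(path)) and run_tshark(info_column_argv(path)).
    merged, unmatched = merge_info_column(SAMPLE_FULL, SAMPLE_INFO)
    for packet in merged:
        print(frame_number(packet), field_value(packet, "_ws.col.Info"),
              field_value(packet, "diameter.Session-Id"))
    print("frames without Info:", unmatched)


if __name__ == "__main__":
    main()
```

Two practical points the join depends on. Both passes must read the same original capture with the same `-Y` read filter: `-Y` keeps the original frame numbers, but if pass 1 writes a `_filtered.pcap` with `-w` and pass 2 reads that file, the frames are renumbered and the join is wrong. And the tshark command lines are built as argv lists rather than concatenated strings, so a capture path with spaces or quotes cannot break the command or be parsed as extra options; the `unmatched` list is there so a silent partial merge shows up before the rows reach the database.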
