
JSON duplicated keys in Wireshark Windows

Hello,

I'm trying to export some packets from a Wireshark capture to JSON format in Windows.

In this case, I'm getting the key "tls" duplicated in the JSON file (from a packet that has several pieces of TLS information). As you might have heard (from RFC 8259):

An object structure is represented as a pair of curly brackets surrounding zero or more name/value pairs (or members). A name is a string. A single colon comes after each name, separating the name from the value. A single comma separates a value from a following name. The names within an object SHOULD be unique.

The rule speaks just about a recommendation, and as I have read, in tshark we do have the option to use --no-duplicate-keys. But is there any option to use it in the Windows GUI?

I'm using 3.6.1 (v3.6.1-0-ga0a473c7c1ba). The capture and JSON export are available at https://mega.nz/file/AnRxmQ5R#xpGvVue...

Thank you.

nmontesino.c
asked 2022-02-07 16:43:44 +0000, updated 2022-02-07 16:51:46 +0000

Comments

You can post captures on a public share and then edit your question with a link to the capture.

grahamb (2022-02-07 16:48:29 +0000)

@grahamb done, thanks!

nmontesino.c (2022-02-07 16:52:03 +0000)

Does tshark --no-duplicate-keys give the output you're looking for? If that style of output was available from the Wireshark GUI (set as a preference or export checkbox), would that be sufficient?

Chuckc (2022-02-07 18:22:35 +0000)

@Chuckc Yes, it was exactly what I was looking for.

Anyway, I already solved it on my own (changing my Python code) this way:

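import json

def my_obj_pairs_hook(lst):
    # Merge duplicated keys: the first value is stored as-is, later values
    # for the same key are collected into a list.
    result = {}
    count = {}
    for key, val in lst:
        count[key] = count.get(key, 0) + 1
        if key in result:
            if count[key] > 2:
                # Third or later occurrence: the list already exists.
                result[key].append(val)
            else:
                # Second occurrence: turn the single value into a list.
                result[key] = [result[key], val]
        else:
            result[key] = val
    return result

# Close the file after parsing instead of leaking the handle.
with open('wireshark.json') as f:
    capture = json.load(f, object_pairs_hook=my_obj_pairs_hook)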

However, I think it could be a useful function to be added. Thanks!

nmontesino.c (2022-02-07 21:38:10 +0000)
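
An added example (not part of the thread above and not Wireshark code): what Python's default `json` parsing does with the repeated "tls" key, next to two `object_pairs_hook` alternatives, one that groups repeated keys in a type distinct from genuine JSON arrays and one that rejects them. The packet JSON is a constructed sample, and the names `Repeated`, `group_duplicates`, `reject_duplicates`, `layers` and `content_types` are hypothetical.

```python
import json

# Constructed sample shaped like a Wireshark "As JSON" export: one packet
# whose "layers" object repeats the "tls" key (values are made up).
SAMPLE = """
[{"_source": {"layers": {
  "tcp": {"tcp.dstport": "443"},
  "tls": {"tls.record": {"tls.record.content_type": "22"}},
  "tls": {"tls.record": {"tls.record.content_type": "20"}},
  "tls": {"tls.record": {"tls.record.content_type": "23"}}
}}}]
"""

class Repeated(list):
    """Values of a key that occurred more than once in one JSON object.
    A distinct type keeps them apart from genuine JSON arrays."""

def group_duplicates(pairs):
    """object_pairs_hook: keep every value of a repeated key, in order."""
    result = {}
    for key, val in pairs:
        if key not in result:
            result[key] = val
        elif isinstance(result[key], Repeated):
            result[key].append(val)
        else:
            result[key] = Repeated([result[key], val])
    return result

def reject_duplicates(pairs):
    """object_pairs_hook: fail loudly instead of silently dropping values."""
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate keys in JSON object: {dupes}")
    return dict(pairs)

def layers(text, hook=None):
    """Parse the export and return the first packet's "layers" object."""
    return json.loads(text, object_pairs_hook=hook)[0]["_source"]["layers"]

def content_types(pkt_layers):
    """TLS record content types of one packet (top-level "tls" keys only)."""
    tls = pkt_layers.get("tls", Repeated())
    records = tls if isinstance(tls, Repeated) else [tls]
    return [r["tls.record"]["tls.record.content_type"] for r in records]

if __name__ == "__main__":
    print("default :", content_types(layers(SAMPLE)))                    # last value wins
    print("grouped :", content_types(layers(SAMPLE, group_duplicates)))  # all three kept
```

With the default parser only the last "tls" object survives, so any analysis script built on the GUI export without a hook silently ignores the earlier TLS records of a packet.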

1 Answer


Looks like it was added to tshark in "Add --no-duplicate-keys tshark option." to fix "12958 - Wrong JSON format returned by new -T json feature".

"Export Packet Dissections -> As JSON" in the GUI is hardcoded to use the duplicated keys format.
To have it added to the Wireshark GUI, open an Enhancement Request (New issue) on the Wireshark GitLab Issues page.

Chuckc
answered 2022-02-07 22:46:11 +0000, updated 2022-02-07 22:48:19 +0000
