
duplicated headers in json conversion

I am doing some capturing using tshark for troubleshooting and got some strange behavior:

I produced a capture file (pcap) with dumpcap and converted it to json with tshark. I then noticed that the headers of some requests (http.request.line) got duplicates of various values (like a long list of headers and values).

For example, I got in the same http.request.line 24 unique User-Agent values, 5 unique Accept values etc...

I did the conversion on an Ubuntu 18.04.4 LTS and tshark version 2.6.10.

I then tried this conversion on a different Ubuntu distribution (Ubuntu 20.04.4 LTS and tshark version 3.2.3) with the same pcap file and got no duplication.

Did you encounter anything like this between those versions?

nasa203
asked 2022-11-15 08:38:34 +0000

1 Answer


Note that the support of version 2.6 ended on October 18, 2020.

Add the tshark option --no-duplicate-keys as described on the man-page of tshark https://www.wireshark.org/docs/man-pa... :

If a key appears multiple times in an object, only write it a single time with as value a json array containing all the separate values. (Only works with -T json)

André
answered 2022-11-16 18:11:12 +0000

Comments

Thanks for the help.

I tried to add this flag (--no-duplicate-keys) but got the same result.

The strangest behavior is in the http.request line: "http.request": ["1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1","1",...

Should that be happening even when using the suggested flag?

nasa203 (2022-11-17 06:33:09 +0000)

I cannot reproduce that, but I don't have these old versions of Wireshark. Also without your pcap I just have to guess what happened.

http.request == 1 means 'this packet contains a http request'. So in itself this is not strange.
http.request.line should be an array now.

André (2022-11-17 16:52:29 +0000)

Is this behavior rare? What is the usual cause for it?

nasa203 (2022-11-20 09:37:19 +0000)

Does this also happen when you use version 3.6 or higher (not EoS)?

André (2022-11-22 23:02:29 +0000)

I have tested it on Ubuntu 22.04.1 LTS with tshark v3.6.2 and it doesn't happen (no duplications) (works the same as the Windows/Ubuntu 20 with tshark 4.0.0 and 3.2.3 respectively).

nasa203 (2022-11-23 15:10:36 +0000)
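
For anyone post-processing the JSON discussed in this thread, an added example (not from the posters or the Wireshark project): Python's json.loads keeps only the last value of a repeated key, so output written without --no-duplicate-keys silently loses header lines unless duplicates are merged into a list, the shape the man page describes. The sample JSON and all function names below are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample shaped like `tshark -T json` output written without
# --no-duplicate-keys: the same key repeats inside one JSON object.
SAMPLE = r'''
[{"_source": {"layers": {"http": {
    "http.request": "1",
    "http.request.line": "Host: example.test\r\n",
    "http.request.line": "User-Agent: agent-a\r\n",
    "http.request.line": "User-Agent: agent-b\r\n",
    "http.request.line": "Accept: */*\r\n"
}}}}]
'''

def merge_duplicates(pairs):
    """object_pairs_hook: collect the values of a repeated key into a list."""
    merged, repeated = {}, set()
    for key, value in pairs:
        if key not in merged:
            merged[key] = value
        elif key in repeated:
            merged[key].append(value)
        else:
            merged[key] = [merged[key], value]
            repeated.add(key)
    return merged

def load_capture(text, merge=True):
    """Parse the JSON; merge=False shows the default last-value-wins result."""
    return json.loads(text, object_pairs_hook=merge_duplicates if merge else None)

def header_lines(packet):
    """Return the http.request.line values of one packet as a list."""
    http = packet["_source"]["layers"].get("http", {})
    lines = http.get("http.request.line", [])
    return lines if isinstance(lines, list) else [lines]

def repeated_header_names(packet):
    """Header names that occur more than once within a single packet."""
    names = Counter(l.split(":", 1)[0].strip().lower() for l in header_lines(packet))
    return {name: count for name, count in names.items() if count > 1}

if __name__ == "__main__":
    plain = load_capture(SAMPLE, merge=False)[0]
    print("default json.loads keeps:", header_lines(plain))
    pkt = load_capture(SAMPLE)[0]
    print("merged header lines:", header_lines(pkt))
    print("names repeated in one packet:", repeated_header_names(pkt))
```

A non-empty result from repeated_header_names for a header such as User-Agent is the symptom described in the question and is worth checking against the tshark version that produced the file.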