Use Tshark to view json data
When I use tshark to decode a cap file like this

 tshark -V -r test.cap  -Y 'http>0'

I got

...
JavaScript Object Notation: application/json
    Object
        Member Key: "ret"
            Number value: 99
        Member Key: "message"
            String value:test

The question is how I can get JSON data like that using tshark

...
{"ret":99,"message":"test"}
Loathe answered 10/3, 2014 at 8:29 Comment(0)
tshark -r test.cap  -Y 'http>0' -T json

tshark -r test.cap  -Y 'http>0' -T json -x # to also include the raw packet data
Linalinacre answered 23/11, 2016 at 19:50 Comment(0)
Had a similar problem. Failed to solve it with wireshark/tshark options only. Below is my workaround for extracting raw JSON and XML from cap files.

# 1. convert to pdml with DISABLED json and xml dissectors
tshark -r "wireshark.cap" -2 -R "http" --disable-protocol json --disable-protocol xml -V -T pdml > "wireshark.cap.pdml.xml" 

# 2. get hex encoded raw data from media.type pdml element
# 3. perform hex decode

I used a Groovy script for steps 2 and 3

import groovy.xml.*

// ...

// Decode a hex string (as found in a PDML "value" attribute) to text.
// The bytes are collected first and decoded as UTF-8, so multi-byte
// characters survive; appending one char per byte would mangle them.
String hexDecode(String s) {
    if (!s) {
        return null
    }
    byte[] bytes = new byte[s.length().intdiv(2)]
    for (int i = 0; i < s.length() - 1; i += 2) {
        bytes[i.intdiv(2)] = (byte) ((Character.digit(s.charAt(i), 16) << 4) | Character.digit(s.charAt(i + 1), 16))
    }
    return new String(bytes, "UTF-8")
}

// ...

def xmlFile = new File("wireshark.cap.pdml.xml")
def pdml = new XmlParser().parseText(xmlFile.text)
pdml.packet.each { packet ->
    // with the json/xml dissectors disabled, the body is left under <proto name="media">
    def media = packet.proto.find { "media" == it.@name }
    def hex = media?.field.find { "media.type" == it.@name }?.@value
    def raw = hexDecode(hex)
    if (raw) {
        println raw   // one decoded body per line
    }
}
Steeve answered 17/9, 2015 at 7:16 Comment(0)
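Steps 2 and 3 above in Python, as an added example that is not Steeve's script: it reads a constructed PDML fragment in the layout the answer relies on (a media proto whose media.type field carries the body as hex in its value attribute), decodes that hex to bytes, and parses each body as JSON. The frame.number field used to label each body is an assumption about the PDML layout.

```python
import json
import xml.etree.ElementTree as ET

# Constructed bodies for two packets, hex-encoded the way PDML stores a
# field's raw bytes in its "value" attribute.
BODY_1 = b'{"ret":99,"message":"test"}'                # body from the question
BODY_2 = '{"ret":0,"message":"h\u00e9llo"}'.encode()   # non-ASCII: needs UTF-8

# Constructed PDML in the shape produced by
#   tshark -r x.cap -2 -R http --disable-protocol json -V -T pdml
# Packet 3 is a request without a body, so it carries no "media" proto.
SAMPLE_PDML = f"""<pdml version="0">
  <packet>
    <proto name="frame"><field name="frame.number" show="1"/></proto>
    <proto name="http"><field name="http.content_type" show="application/json"/></proto>
    <proto name="media"><field name="media.type" value="{BODY_1.hex()}"/></proto>
  </packet>
  <packet>
    <proto name="frame"><field name="frame.number" show="2"/></proto>
    <proto name="media"><field name="media.type" value="{BODY_2.hex()}"/></proto>
  </packet>
  <packet>
    <proto name="frame"><field name="frame.number" show="3"/></proto>
    <proto name="http"><field name="http.request.method" show="GET"/></proto>
  </packet>
</pdml>"""


def media_bodies(pdml_text):
    """Step 2: [(frame_number, raw_bytes)] for each packet with a media.type field."""
    out = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        field = packet.find("./proto[@name='media']/field[@name='media.type']")
        if field is None or not field.get("value"):
            continue  # request, or a body that another dissector claimed
        frame = packet.find("./proto[@name='frame']/field[@name='frame.number']")
        num = int(frame.get("show")) if frame is not None else -1
        out.append((num, bytes.fromhex(field.get("value"))))
    return out


def json_bodies(pdml_text):
    """Step 3: decode the bytes as UTF-8 (not char by char, which mangles
    multi-byte characters) and parse as JSON; non-JSON bodies become None."""
    parsed = []
    for num, raw in media_bodies(pdml_text):
        try:
            parsed.append((num, json.loads(raw.decode("utf-8"))))
        except (UnicodeDecodeError, json.JSONDecodeError):
            parsed.append((num, None))
    return parsed
```

Run it against real output by replacing SAMPLE_PDML with the contents of the file written in step 1.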

I'm not quite sure what "how I can get json data like that use tshark" means. The JavaScript info you saw when you ran tshark looks like that because tshark parses application/json bodies as JSON and displays the JSON information in pretty output like you see. If you don't want it to do that, you'd need to disable the JSON protocol/dissector; unfortunately I don't believe there is a way to disable protocols in tshark, but there is in wireshark (go to menu Analyze->Enabled Protocols and uncheck the JSON one).

Etrem answered 10/3, 2014 at 15:50 Comment(2)
Loathe: I don't know how to use tshark to export HTTP objects, just like wireshark does; that's what I want.
Etrem: Oh, you mean the menu File->Export Objects->HTTP feature. That's only available in wireshark as far as I know. For tshark, you can try one of the '-T' options. Or parse what the '-V' option outputs.
