Easiest way to convert pcap to JSON

json wireshark pcap libpcap tcpdump
Erik picture Erik · Sep 8, 2012 · Viewed 18.8k times · Source

I have a bunch of pcap files, created with tcpdump. I would like to store these in a database, for easier querying, indexing etc. I thought mongodb might be a good choice, because storing a packet the way Wireshark/TShark presents them as JSON document seems to be natural.

It should be possible to create PDML files with tshark, parse these and insert them into mongodb, but I am curious if someone knows of an existing/other solution.

Answer

Cormac Long picture Cormac Long · Aug 9, 2017

On the command line (Linux, Windows or MacOS), you can use tshark.

e.g.

tshark -r input.pcap -T json >output.json

or with a filter:

tshark -2 -R "your filter" -r input.pcap -T json >output.json

Considering you mentioned a set of pcap files, you can also pre-merge the pcap files into a single pcap and then export that in one go if preferred..

mergecap -w output.pcap input1.pcap input2.pcap..

Related questions

Use Tshark to view json data

When I use tshark to decode capfile like this tshark -V -r test.cap -Y 'http>0' I got ... JavaScript Object Notation: application/json Object Member Key: "ret" Number value: 99 Member Key: "message" String value:test Question is how …

Read More
How do I POST JSON data with cURL?

I use Ubuntu and installed cURL on it. I want to test my Spring REST application with cURL. I wrote my POST code at the Java side. However, I want to test it with cURL. I am trying to post …

Read More
What is the correct JSON content type?

I've been messing around with JSON for some time, just pushing it out as text and it hasn't hurt anybody (that I know of), but I'd like to start doing things properly. I have seen so many purported "standards" for …

Read More