using either tcpdump or tshark to produce json file?

json pcap tcpdump tshark
James Yeo picture James Yeo · Jul 10, 2015 · Viewed 7.3k times · Source

I understand that with tshark and tcpdump, I can produce pcap file. But in order to run the program, I will need to format the pcap information to json format. I was thinking whether if I am able to to it with tcpdump or tshark command?

I am running in debian platform (linux).

Answer

JHiant picture JHiant · Nov 23, 2016

You can generate JSON via:

tshark -r your.pcap -l -n -T json

Optionally, the -x command will include the raw packet data in the JSON, which can be useful.

If you have custom formats, you'll have to write wireshark dissectors (in Lua or C).

The JSON support in tshark is still minimal, so you may be better served with -T pdml to get XML output. YMMV.

Related questions

Easiest way to convert pcap to JSON

I have a bunch of pcap files, created with tcpdump. I would like to store these in a database, for easier querying, indexing etc. I thought mongodb might be a good choice, because storing a packet the way Wireshark/TShark …

Read More
How do I POST JSON data with cURL?

I use Ubuntu and installed cURL on it. I want to test my Spring REST application with cURL. I wrote my POST code at the Java side. However, I want to test it with cURL. I am trying to post …

Read More
What is the correct JSON content type?

I've been messing around with JSON for some time, just pushing it out as text and it hasn't hurt anybody (that I know of), but I'd like to start doing things properly. I have seen so many purported "standards" for …

Read More