Reputation: 126
I understand that with tshark and tcpdump I can produce a pcap file. But in order to run the program, I will need to format the pcap information as JSON. I was wondering whether I am able to do it with the tcpdump or tshark command?
I am running on the Debian platform (Linux).
Upvotes: 3
Views: 11451
Reputation: 3580
If your Wireshark or tshark version is under 2.x.x, you can't use -T; you need to update Wireshark.
Install a prebuilt .repo file:
wget https://www.1310nm.net/repository/CentOS/7/wireshark.repo
Now move it to the yum repositories directory:
sudo mv wireshark.repo /etc/yum.repos.d/
Update yum:
sudo yum update
Install Wireshark, accept the GPG key:
yum install wireshark-qt
Run Wireshark.
Link: https://www.1310nm.net/coherentlight/2017/07/25/wireshark-centos7-tldr-version/
Upvotes: 0
Reputation: 539
You can generate JSON via:
tshark -r your.pcap -l -n -T json
Optionally, the -x command will include the raw packet data in the JSON, which can be useful.
If you have custom formats, you'll have to write Wireshark dissectors (in Lua or C).
The JSON support in tshark is still minimal, so you may be better served with -T pdml to get XML output. YMMV.
Upvotes: 7
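As an added example (not part of the answer above), the script below consumes the output of `tshark -r your.pcap -n -T json` and flattens each packet into one small record. The `SAMPLE_TSHARK_JSON` string is a constructed sample in the shape tshark emits (every value is a string, one object per packet under `_source.layers`); `run_tshark` assumes a tshark 2.2 or newer binary on `PATH` and is only exercised when you pass it a real capture. It also shows the practical catch behind "the JSON support is still minimal": repeated fields (here two `dns.a` answers) are emitted as duplicate keys, which `json.loads` would silently collapse to the last one, so an `object_pairs_hook` keeps them as a list.

```python
"""Flatten tshark -T json output into one record per packet (added example, not the answer's code)."""
import json
import subprocess

# Constructed sample in the shape `tshark -r x.pcap -n -T json` produces; not a real capture.
SAMPLE_TSHARK_JSON = r'''
[
  {"_index": "packets-2017-07-25", "_type": "pcap_file", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.time_epoch": "1500940800.000123000", "frame.len": "74",
               "frame.protocols": "eth:ethertype:ip:tcp"},
     "eth": {"eth.src": "00:11:22:33:44:55", "eth.dst": "66:77:88:99:aa:bb"},
     "ip": {"ip.src": "10.0.0.5", "ip.dst": "93.184.216.34", "ip.proto": "6"},
     "tcp": {"tcp.srcport": "51234", "tcp.dstport": "443", "tcp.flags": "0x00000002"}}}},
  {"_index": "packets-2017-07-25", "_type": "pcap_file", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.time_epoch": "1500940800.010456000", "frame.len": "90",
               "frame.protocols": "eth:ethertype:ip:udp:dns"},
     "eth": {"eth.src": "00:11:22:33:44:55", "eth.dst": "66:77:88:99:aa:bb"},
     "ip": {"ip.src": "10.0.0.5", "ip.dst": "10.0.0.1", "ip.proto": "17"},
     "udp": {"udp.srcport": "40001", "udp.dstport": "53"},
     "dns": {"dns.qry.name": "example.com", "dns.a": "93.184.216.34", "dns.a": "93.184.216.35"}}}}
]
'''


def _merge_pairs(pairs):
    """json object hook: a key that repeats within one object becomes a list of all its values
    (older tshark emits duplicate keys for repeated fields; json.loads alone keeps only the last)."""
    merged, repeated = {}, set()
    for key, value in pairs:
        if key not in merged:
            merged[key] = value
        elif key in repeated:
            merged[key].append(value)
        else:
            merged[key] = [merged[key], value]
            repeated.add(key)
    return merged


def summarize_packets(json_text):
    """Return a list of flat dicts (time, length, endpoints, top protocol) from tshark JSON text."""
    packets = json.loads(json_text, object_pairs_hook=_merge_pairs)
    records = []
    for pkt in packets:
        layers = pkt["_source"]["layers"]
        frame = layers.get("frame", {})
        ip = layers.get("ip", {})
        l4 = layers.get("tcp") or layers.get("udp") or {}
        rec = {
            "time": float(frame["frame.time_epoch"]),
            "length": int(frame["frame.len"]),
            "src": ip.get("ip.src"),
            "dst": ip.get("ip.dst"),
            "sport": int(l4.get("tcp.srcport") or l4.get("udp.srcport") or 0),
            "dport": int(l4.get("tcp.dstport") or l4.get("udp.dstport") or 0),
            # last element of the protocol stack, e.g. "eth:ethertype:ip:udp:dns" -> "dns"
            "top_protocol": frame.get("frame.protocols", "").split(":")[-1],
        }
        if "dns" in layers:
            answers = layers["dns"].get("dns.a", [])
            rec["dns_answers"] = answers if isinstance(answers, list) else [answers]
        records.append(rec)
    return records


def run_tshark(pcap_path, tshark="tshark"):
    """Invoke tshark (assumed installed, 2.2+ for -T json) on a real capture and flatten it."""
    proc = subprocess.run([tshark, "-r", pcap_path, "-n", "-T", "json"],
                          check=True, capture_output=True, text=True)
    return summarize_packets(proc.stdout)


if __name__ == "__main__":
    for rec in summarize_packets(SAMPLE_TSHARK_JSON):
        print(json.dumps(rec))
```

Newer tshark releases also accept `--no-duplicate-keys`, which does the same merging on the producer side; the hook above makes the consumer robust either way.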
Reputation:
No, but you could probably combine the text output of tcpdump (by running without -w) or TShark with a tool (which could be a compiled program or a script) to turn the output into JSON. You might have to write the tool yourself, however.
Upvotes: 0
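As an added example of the "write the tool yourself" route described above (this is not the answerer's code), the script below parses tcpdump's one-line text output into JSON records. The `SAMPLE_TCPDUMP_LINES` are constructed to match the default `tcpdump -nn` line format (HH:MM:SS.usec timestamp, `IP`/`IP6`/`ARP` family, `src.port > dst.port:` endpoints); `run_tcpdump` assumes a tcpdump binary on `PATH`. It uses `-nn` so addresses and ports stay numeric, and it handles lines without endpoints (ARP) and IPv6 endpoints, where the port is still separated by the last dot.

```python
"""Convert tcpdump's text output (run without -w) into JSON (added example, not the answer's code)."""
import json
import re
import subprocess

# Constructed sample lines in `tcpdump -nn` format; not taken from a real capture.
SAMPLE_TCPDUMP_LINES = [
    "14:23:05.123456 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0",
    "14:23:05.130001 IP 93.184.216.34.443 > 10.0.0.5.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0",
    "14:23:05.200123 IP 10.0.0.5.40001 > 10.0.0.1.53: 12345+ A? example.com. (29)",
    "14:23:05.210456 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit",
    "14:23:05.300000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28",
]

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<family>IP6|IP|ARP),? (?P<body>.*)$")
ENDPOINTS_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$")
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
LENGTH_RE = re.compile(r"length (?P<len>\d+)")


def _split_endpoint(endpoint):
    """'10.0.0.5.51234' -> ('10.0.0.5', 51234); 'fe80::1.546' -> ('fe80::1', 546).
    The port is whatever follows the last dot; with -nn it is always numeric."""
    host, sep, port = endpoint.rpartition(".")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for lines in another format."""
    line = line.rstrip("\n")
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"time": m["ts"], "family": m["family"], "raw": line}
    ep = ENDPOINTS_RE.match(m["body"])
    if ep:
        src, sport = _split_endpoint(ep["src"])
        dst, dport = _split_endpoint(ep["dst"])
        rec.update({"src": src, "sport": sport, "dst": dst, "dport": dport, "info": ep["info"]})
        flags = FLAGS_RE.search(ep["info"])
        if flags:
            rec["tcp_flags"] = flags["flags"]
    else:
        # ARP and other families have no "src > dst:" pair; keep the whole body as info.
        rec["info"] = m["body"]
    length = LENGTH_RE.search(m["body"])
    if length:
        rec["length"] = int(length["len"])
    return rec


def lines_to_json(lines):
    """Serialize all parseable lines as a JSON array; unparseable lines are skipped."""
    return json.dumps([r for r in (parse_line(l) for l in lines) if r], indent=2)


def run_tcpdump(pcap_path, tcpdump="tcpdump"):
    """Read a real capture with tcpdump (assumed installed); -nn keeps hosts and ports numeric."""
    proc = subprocess.run([tcpdump, "-nn", "-r", pcap_path],
                          check=True, capture_output=True, text=True)
    return lines_to_json(proc.stdout.splitlines())


if __name__ == "__main__":
    print(lines_to_json(SAMPLE_TCPDUMP_LINES))
```

Anything after the endpoints is kept verbatim in `info`, since tcpdump's per-protocol text (DNS queries, DHCPv6, TCP options) has no single grammar; pull out more fields with additional regexes only for the protocols you actually need.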