Reputation: 85
I want to get the information I have in Wireshark (the GUI): for each packet, its layers with all fields and their hexadecimal values. I want to use it to transform each packet into a JSON with this structure:
{
    "pcap_file": pcap_file,
    "number": packet number (the first column in the Wireshark GUI),
    "sniff_time": sniff time,
    "layers": {
        layer_name: {
            field_name: field's raw value,
            .......
        },
        ......
    }
}
I tried for a few hours to do it with the pyshark library in Python. I almost did it, but the thing is that sometimes I don't have some information about the last layer.
For example, for an LDAP packet with two fields in the LDAP layer, "SASL Buffer Length" and "SASL Buffer", I had only "SASL Buffer". So for this example I could build "SASL Buffer" using the layer's raw data and subtracting "SASL Buffer Length"'s raw data. But with a lot of other examples with more missing fields, I couldn't, because this library doesn't provide the order of the fields.
So I'm wondering if there is a way to have all this information (all fields, with their order and their raw values, and for each layer) as we have in the GUI.
I saw there may be these ways:
- Write a C++ program and use tshark with its JSON option
- Write a Lua script to dissect packets
But honestly I'm pretty lost: in all the documentation/answers I read, I don't see a way to get raw values as I want and as I have in the GUI.
Upvotes: 0
Views: 404
Reputation: 85
I found a way to have what I need:
tshark -T pdml -r your_pcap > your_pcap.pdml
The thing is that tshark will give a lot of information, so for those who want to do as I did, you have to write a script to filter only the information you want. Indeed, according to the documentation it's impossible to select the information we want to keep when we use the -T pdml option (or I didn't see it ahah).
Also, for a 100 MB pcap I had a 2.8 GB PDML file, so if you have a big pcap, think about splitting it into smaller pcaps with editcap.
Upvotes: 1
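As an added example (not the original poster's script), here is a Python parser that turns tshark's PDML output into the JSON layout from the question, keeping the fields in the order the dissector emitted them and using the `value` attribute (the raw bytes as a hex string) when a field has one. It assumes the PDML layout tshark produces: `<packet>` elements holding `<proto name="...">` elements whose `<field>` children carry `name`, `show` and `value` attributes, with the `geninfo` pseudo-protocol carrying `num` and `timestamp`. The embedded PDML is a constructed, trimmed sample rather than real tshark output.

```python
"""Convert tshark PDML (tshark -T pdml) into the per-packet JSON layout from the question.

Added example, not the original poster's code. Assumes tshark's PDML layout:
<packet> -> <proto name=...> -> nested <field name=... show=... value=...> elements,
where 'value' holds the field's raw bytes as a hex string and the 'geninfo'
pseudo-proto carries the packet number and capture timestamp.
"""
import json
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed sample PDML, trimmed to the attributes the parser uses (not real tshark output).
SAMPLE_PDML = b"""<?xml version="1.0" encoding="utf-8"?>
<pdml version="0" creator="wireshark/x.y.z">
<packet>
  <proto name="geninfo" pos="0" showname="General information" size="84">
    <field name="num" pos="0" show="1" showname="Number" value="1" size="84"/>
    <field name="timestamp" pos="0" show="Jan  1, 2024 00:00:00.000000000 UTC" showname="Captured Time" value="1704067200.000000000" size="84"/>
  </proto>
  <proto name="frame" showname="Frame 1: 84 bytes on wire" size="84" pos="0">
    <field name="frame.len" showname="Frame Length: 84 bytes (672 bits)" size="0" pos="0" show="84"/>
  </proto>
  <proto name="ldap" showname="Lightweight Directory Access Protocol" size="20" pos="64">
    <field name="ldap.sasl_buffer_length" showname="SASL Buffer Length: 16" size="4" pos="64" show="16" value="00000010"/>
    <field name="ldap.sasl_buffer" showname="SASL Buffer" size="16" pos="68" show="..." value="0011223344556677889900aabbccddee">
      <field name="ldap.protocolOp" showname="protocolOp: bindRequest (0)" size="2" pos="70" show="0" value="6002"/>
    </field>
  </proto>
</packet>
</pdml>
"""


def _raw_value(field):
    # tshark writes the raw bytes as a hex string in 'value'; purely informational
    # fields (no bytes behind them, e.g. frame.len) only carry 'show'.
    return field.get("value", field.get("show"))


def _add(mapping, name, value):
    # A name can repeat inside one layer (and a proto can appear twice in one packet,
    # e.g. tunnelled IP); keep every occurrence by turning the entry into a list.
    if name in mapping:
        existing = mapping[name]
        if isinstance(existing, list):
            existing.append(value)
        else:
            mapping[name] = [existing, value]
    else:
        mapping[name] = value


def _collect_fields(element, fields):
    # findall("field") returns direct children only, so recursion visits nested
    # fields right after their parent: document order, which the question asked for.
    for field in element.findall("field"):
        name = field.get("name") or field.get("showname", "")
        _add(fields, name, _raw_value(field))
        _collect_fields(field, fields)


def packet_to_dict(packet, pcap_file):
    """Build the {'pcap_file', 'number', 'sniff_time', 'layers'} record for one <packet>."""
    result = {"pcap_file": pcap_file, "number": None, "sniff_time": None, "layers": {}}
    for proto in packet.findall("proto"):
        name = proto.get("name")
        if name == "geninfo":
            for field in proto.findall("field"):
                if field.get("name") == "num":
                    result["number"] = int(field.get("show"))
                elif field.get("name") == "timestamp":
                    result["sniff_time"] = field.get("show")
            continue
        layer = {}
        _collect_fields(proto, layer)
        _add(result["layers"], name, layer)
    return result


def pdml_to_packets(stream, pcap_file):
    """Stream a PDML file packet by packet so a multi-GB PDML never sits in memory at once."""
    packets = []
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag == "packet":
            packets.append(packet_to_dict(elem, pcap_file))
            elem.clear()  # drop the parsed subtree; only the small dict is kept
    return packets


def parse_sample():
    """Parse the constructed sample above (used by the demo and the self-check)."""
    return pdml_to_packets(BytesIO(SAMPLE_PDML), "sample.pcap")


if __name__ == "__main__":
    print(json.dumps(parse_sample(), indent=2))
```

For a real capture, open the file produced by `tshark -T pdml -r your_pcap > your_pcap.pdml` in binary mode and pass it to `pdml_to_packets`; because `iterparse` emits one `<packet>` at a time and the subtree is cleared afterwards, memory use stays bounded by the largest single packet rather than by the size of the PDML file, which addresses the 2.8 GB case mentioned above without having to split the pcap first. Nested fields are flattened into their parent layer in emission order, so "SASL Buffer Length" lands immediately before "SASL Buffer" as in the GUI tree.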