0

I am trying to parse a PCAP file using Pyshark. Some of the packets have JSON in them and I am trying to print them out with matching key:value.

This is what I have at the moment for testing:

import pyshark

packets = pyshark.FileCapture('cap.pcapng')
pack = packets[1] #get the packet that has JSON

print(pack.json.get_field_value('app')

When doing this, I get None printed.

If I print the entire JSON layer I get data like this:

    Object
    Member Key: anonymousId
    String value: f268204c-5719-43ce-9a5e-094d8f3df6b8
    Key: anonymousId
    True value
    Object
    Object
    Object
    Object
    Object
    Object
    Member Key: context
    Member Key: app
    Member Key: app_name
    Member Key: app_platform
    Member Key: app_version
    Member Key: device
    Member Key: adTrackingEnabled
    Member Key: advertisingId
    Member Key: id
    Member Key: manufacturer
    Member Key: model
    Member Key: resolution
    Member Key: type
    Member Key: version
    Member Key: ip
    Member Key: library
    Member Key: name
    Member Key: version
    Member Key: locale
    Member Key: os
    Member Key: name
    Member Key: version
    Member Key: primary_business_unit
    Member Key: secondary_business_unit
    Member Key: traits
    Member Key: entitlements
    Member Key: mvpd
    Member Key: userAgent
    Member Key: event
    Member Key: properties
    Member Key: type
    Member Key: userId
    String value: Fox Now
    String value: foxnow
    String value: roku
    String value: 3.18.0
    String value: 622ac229-c26e-5318-89bd-b281da9bed32
    String value: 1de01830-d4bb-5d12-9d86-f81da8d12698
    String value: Roku
    String value: 3600X
    String value: 1080p
    String value: roku
    String value: 249.10E04111A
    String value: 71.120.154.30
    String value: SegmentAnalyticsService.brs
    String value: 3.18.0 (11624)
    String value: en-US
    String value: Roku
    String value: 9.10 build 4111
    String value: fng
    String value: fox
    String value: btn-btn2go,fbc-fox,FoxBusiness,foxdep,FoxNews,fs1,fs2,fx,fxm,fxx,ngc,ngw
    String value: verizon
    String value: Roku/DVP-9.10 (249.10E04111A)
    String value: Live TV Section Viewed
    String value: track
    String value: MTM0OTA5MDktNWE1MC00YTg4LWJhNWItYzdmMDA1N2UyYjQz
    Key: app
    Key: app_name
    Key: app_platform
    Key: app_version
    Key: adTrackingEnabled
    Key: advertisingId
    Key: id
    Key: manufacturer
    Key: model
    Key: resolution
    Key: type
    Key: version
    Key: device
    Key: ip
    Key: name
    Key: version
    Key: library
    Key: locale
    Key: name
    Key: version
    Key: os
    Key: primary_business_unit
    Key: secondary_business_unit
    Key: entitlements
    Key: mvpd
    Key: traits
    Key: userAgent
    Key: context
    Key: event
    Key: properties
    Key: type
    Key: userId

This is what the JSON looks like..

enter image description here

I want to be able to go through each of the values in the JSON and print the value and key that it holds.

So I want to print basically how the JSON output looks like with it matching.

I have tried Googling and was not able to find any examples that did this that worked for me.

Doritos
  • 403
  • 3
  • 16

1 Answers1

1

While trying to open the PCAP file through Filecapture method, set 'use_json=True'. This would capture the packets in a JSON like format.

import pyshark

packets = pyshark.FileCapture('cap.pcapng',use_json=True,include_raw=True)
pack = packets[1] #get the packet that has JSON

jsonStr=str(pack.json)
print(jsonStr)

This would print the JSON layer of the packet in the following manner:

Layer JSON:
   object_raw: 7ba298
   object_raw: 234
   object_raw: 97
   object:
      member_raw: 345ad
      member_raw: 4567
      
      member:
         key: manufacturer
         string: Live TV Section Viewed
         value.string: abcd
         value.string_raw: ab345
         key_raw: 8abc6
         string_raw: 67ac
      member:
         key: ip
         string: 71.120.154.30
         value.string: 234
         value.string_raw: ab345
         key_raw: 8abc6
         string_raw: 67ac

So, each 'member' segment in this string (jsonStr) contains a 'key' field and a 'string' field which correspond to the key-value pair that you had in your original JSON, along with other raw data. You can omit the raw data by using 'include_raw=False' while capturing packets using FileCapture method. By using the key ('manufacturer', for example) and datatype of the value (string or a number), you can extract the value of whichever key you want.

goldenBeard
  • 11
  • 3