Convert pcap to json

rparada · 5 November 2020 18:16

Hi,

I've installed the node "node-red-contrib-pcap" succesfully. I could filter the incoming packets, however, I need to convert it to JSON. Find the flow below:

[{"id":"268be8ad.9ee5b","type":"tab","label":"Flow 1","disabled":false,"info":""},{"id":"f4fb43b8.f9d7d","type":"pcap","z":"268be8ad.9ee5b","name":"","ifname":"enp0s3","output":"string","filter":"ip dst host 84.88.40.59","path":"","x":300,"y":280,"wires":[["a6262dcc.3d2638"]]},{"id":"beedb5c9.d2ada","type":"debug","z":"268be8ad.9ee5b","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","statusVal":"","statusType":"auto","x":770,"y":260,"wires":[]},{"id":"a6262dcc.3d2638","type":"json","z":"268be8ad.9ee5b","name":"","property":"payload","action":"","pretty":false,"x":500,"y":340,"wires":[["beedb5c9.d2ada"]]}]

The output without the JSON node is:

"LINKTYPE_ETHERNET 08:00:27:ce:a0:de -> 80:78:71:43:57:7a IPv4 192.168.1.55 -> 84.88.40.59 flags [d] UDP UDP 445->445 len 107"

I get the following error with that flow:

"Unexpected token L in JSON at position 0"

This is what I expect:

  "_index": "packets-2020-11-05",
    "_type": "pcap_file",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.encap_type": "1",
          "frame.time": "Nov  5, 2020 13:39:21.359169000 CET",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1604579961.359169000",
          "frame.time_delta": "0.320612000",
          "frame.time_delta_displayed": "0.320612000",
          "frame.time_relative": "4735.199410000",
          "frame.number": "25766",
          "frame.len": "141",
          "frame.cap_len": "141",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "eth:ethertype:ip:udp:data"
        },
        "eth": {
          "eth.dst": "80:78:71:43:57:7a",
          "eth.dst_tree": {
            "eth.dst_resolved": "AskeyCom_43:57:7a",
            "eth.addr": "80:78:71:43:57:7a",
            "eth.addr_resolved": "AskeyCom_43:57:7a",
            "eth.lg": "0",
            "eth.ig": "0"
          },
          "eth.src": "08:00:27:ce:a0:de",
          "eth.src_tree": {
            "eth.src_resolved": "PcsCompu_ce:a0:de",
            "eth.addr": "08:00:27:ce:a0:de",
            "eth.addr_resolved": "PcsCompu_ce:a0:de",
            "eth.lg": "0",
            "eth.ig": "0"
          },
          "eth.type": "0x00000800"
        },
        "ip": {
          "ip.version": "4",
          "ip.hdr_len": "20",
          "ip.dsfield": "0x00000000",
          "ip.dsfield_tree": {
            "ip.dsfield.dscp": "0",
            "ip.dsfield.ecn": "0"
          },
          "ip.len": "127",
          "ip.id": "0x00008809",
          "ip.flags": "0x00004000",
          "ip.flags_tree": {
            "ip.flags.rb": "0",
            "ip.flags.df": "1",
            "ip.flags.mf": "0",
            "ip.frag_offset": "0"
          },
          "ip.ttl": "64",
          "ip.proto": "17",
          "ip.checksum": "0x000073f2",
          "ip.checksum.status": "2",
          "ip.src": "192.168.1.55",
          "ip.addr": "192.168.1.55",
          "ip.src_host": "192.168.1.55",
          "ip.host": "192.168.1.55",
          "ip.dst": "84.88.40.59",
          "ip.addr": "84.88.40.59",
          "ip.dst_host": "84.88.40.59",
          "ip.host": "84.88.40.59"
        },
        "udp": {
          "udp.srcport": "445",
          "udp.dstport": "445",
          "udp.port": "445",
          "udp.port": "445",
          "udp.length": "107",
          "udp.checksum": "0x00003eef",
          "udp.checksum.status": "2",
          "udp.stream": "26"
        },
        "data": {
          "data.data": "ff:ff:ff:ff:ff:ff:08:00:27:ce:a0:de:89:47:11:00:1a:01:20:50:00:80:00:2d:01:00:00:00:08:00:27:ce:a0:de:a7:84:11:99:19:54:08:fa:ce:45:20:f1:01:f0:07:cc:00:00:00:00:07:d1:00:00:02:02:00:00:00:e0:85:96:00:59:ca:5f:a7:4d:92:b3:9b:00:00:00:00:00:30:d4:1e:00:e1:1f:c0:fa:7e:bf:e9:ed:07:37:fe:eb:ff:f6:00",
          "data.len": "99"
        }
      }
    }
  }

How can I convert that packet to a JSON format?

Colin · 5 November 2020 21:47

I don't see where in that string you posted is all the information that you say you want out.
By the way, I don't think that it is JSON that you want out, but a javascript object. A JSON is always a string.
Also please see this post for how to share flows, logs, code etc here.

Steve-Mcl · 5 November 2020 21:53

You get a string because you have the output option set to string.

Try setting the output option to "Decoded pcap Object"

system · 19 November 2020 21:53

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Get JSON response from TCP input General	2	570	27 December 2020
ChatGPT does Node-RED General	32	2011	14 April 2023
Change JSON output (to line protocol or other JSON) General	4	286	2 May 2022
Convert data string to json General function-node	2	143	2 June 2023
Broken Jsonata --> Broken Node-RED General	9	137	12 August 2023

Convert pcap to json

Related Topics