Extract values from a JSON string from pcap

I cannot extract a given value from a JSON string

"{"link_type":"LINKTYPE_ETHERNET","pcap_header":{"tv_sec":1604652189,"tv_usec":589164,"caplen":141,"len":141},"payload":{"dhost":{"addr":[128,120,113,67,87,122]},"shost":{"addr":[8,0,39,206,160,222]},"ethertype":2048,"vlan":null,"payload":{"version":4,"headerLength":20,"diffserv":0,"length":127,"identification":35053,"flags":{"reserved":false,"doNotFragment":true,"moreFragments":false},"fragmentOffset":0,"ttl":64,"protocol":17,"headerChecksum":29454,"saddr":{"addr":[192,168,1,55]},"daddr":{"addr":[84,88,40,59]},"payload":{"sport":445,"dport":445,"length":107,"checksum":16111,"data":{"type":"Buffer","data":[255,255,255,255,255,255,8,0,39,206,160,222,137,71,17,0,26,1,32,80,0,128,0,45,1,0,0,0,8,0,39,206,160,222,167,132,17,153,25,84,8,250,206,69,32,241,1,240,7,204,0,0,0,0,7,209,0,0,2,2,0,0,0,224,163,28,0,89,202,89,122,205,146,170,205,0,0,0,0,0,48,212,30,0,225,31,192,250,126,191,233,237,7,55,254,235,255,246,0]}}}}}"

I would like to extract the data inside data (all the numerical values), but I couldn't get it by putting code inside a function. I've tried a simple approach, just getting "link_type" with:

// Function-node body: tries to read link_type from the incoming message and return it.
// NOTE(review): if msg.payload is still a JSON string at this point, msg.payload[0] is
// only its first character, so .link_type is undefined. In the pasted packet, link_type
// is a top-level key of an object, not of an array element, so no [0] index is needed
// once the payload is an object.
// p is assigned without let/const/var.
p = msg.payload[0].link_type
return p;

I get the same string. The flow is this:

[{"id":"268be8ad.9ee5b","type":"tab","label":"Flow 1","disabled":false,"info":""},{"id":"f4fb43b8.f9d7d","type":"pcap","z":"268be8ad.9ee5b","name":"","ifname":"enp0s3","output":"object","filter":"ip dst host 84.88.40.59","path":"","x":300,"y":280,"wires":[["465699fe.6fe178"]]},{"id":"beedb5c9.d2ada","type":"debug","z":"268be8ad.9ee5b","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","statusVal":"","statusType":"auto","x":910,"y":280,"wires":[]},{"id":"465699fe.6fe178","type":"json","z":"268be8ad.9ee5b","name":"","property":"payload","action":"str","pretty":false,"x":520,"y":280,"wires":[["beedb5c9.d2ada"]]},{"id":"231c6a54.534956","type":"function","z":"268be8ad.9ee5b","name":"","func":"//msg.payload = payload.payload.payload.data.data.value\n//msg = msg.payload.Value[0]\n//p = JSON.parse(msg.payload);\n//node.log(typeof p);\n//q = p.liny_type.Value[0]\n\np = msg.payload[0].link_type\n//msg.payload = p.link_type.Value[0];\n\nreturn p;\n\n\n//var newMsg = { payload: msg.payload.length };\n//return newMsg;\n\n//var myCount = flow.get(\"tv_sec\");\n//return myCount;","outputs":1,"noerr":0,"initialize":"","finalize":"","x":710,"y":280,"wires":[[]]}]

Have you tried passing the JSON through a JSON node to convert the JSON (string) into a JS object?

There’s a great page in the docs that will explain how to use the debug panel to find the right path to any data item.

I think the first video, at around 1m36s, would give you a hint.

You are telling the json node to always convert to a json string. Which means any object that passes will be converted to a string. Either convert to json object, or maybe the result is already a json object. Put a debug node after the first node, to see what is returned.

@E1cid, after the JSON node (changing the Action Convert between JSON String & Object) it appears in debug as undefined.

What does the debug node say after the first node? Set the debug node to show the complete msg object, and post the output here between backticks,
i.e.
```
debug info
```

@E1cid

Find it here:

11/6/2020, 1:03:39 PM   node: enp0s3
enp0s3 : msg.payload : PcapPacket
"LINKTYPE_ETHERNET 08:00:27:ce:a0:de -> 80:78:71:43:57:7a IPv4 192.168.1.55 -> 84.88.40.59 flags [d] UDP UDP 445->445 len 107"
11/6/2020, 1:03:39 PM   node: json
enp0s3 : msg.payload : string[922]
"{"link_type":"LINKTYPE_ETHERNET","pcap_header":{"tv_sec":1604664219,"tv_usec":630216,"caplen":141,"len":141},"payload":{"dhost":{"addr":[128,120,113,67,87,122]},"shost":{"addr":[8,0,39,206,160,222]},"ethertype":2048,"vlan":null,"payload":{"version":4,"headerLength":20,"diffserv":0,"length":127,"identification":35899,"flags":{"reserved":false,"doNotFragment":true,"moreFragments":false},"fragmentOffset":0,"ttl":64,"protocol":17,"headerChecksum":28608,"saddr":{"addr":[192,168,1,55]},"daddr":{"addr":[84,88,40,59]},"payload":{"sport":445,"dport":445,"length":107,"checksum":16111,"data":{"type":"Buffer","data":[255,255,255,255,255,255,8,0,39,206,160,222,137,71,17,0,26,1,32,80,0,128,0,45,1,0,0,0,8,0,39,206,160,222,167,132,17,153,25,84,8,250,206,69,32,241,1,240,7,204,0,0,0,0,7,209,0,0,2,2,0,0,0,224,51,113,0,89,202,90,232,13,146,195,104,64,0,0,0,0,48,212,30,0,225,31,192,250,126,191,233,237,7,55,254,235,255,246,0]}}}}}"

here the flow:

[{"id":"268be8ad.9ee5b","type":"tab","label":"Flow 1","disabled":false,"info":""},{"id":"f4fb43b8.f9d7d","type":"pcap","z":"268be8ad.9ee5b","name":"","ifname":"enp0s3","output":"object","filter":"ip dst host 84.88.40.59","path":"","x":300,"y":280,"wires":[["465699fe.6fe178","3a951315.e66844"]]},{"id":"465699fe.6fe178","type":"json","z":"268be8ad.9ee5b","name":"","property":"payload","action":"","pretty":false,"x":520,"y":280,"wires":[["231c6a54.534956","e5efcbb7.23a7"]]},{"id":"231c6a54.534956","type":"function","z":"268be8ad.9ee5b","name":"","func":"//msg.payload = payload.payload.payload.data.data.value\n//msg = msg.payload.Value[0]\n//p = JSON.parse(msg.payload);\n//node.log(typeof p);\n//q = p.liny_type.Value[0]\n\np = msg.payload[0].link_type\n//msg.payload = p.link_type.Value[0];\n\nreturn p;\n\n\n//var newMsg = { payload: msg.payload.length };\n//return newMsg;\n\n//var myCount = flow.get(\"tv_sec\");\n//return myCount;","outputs":1,"noerr":0,"initialize":"","finalize":"","x":780,"y":280,"wires":[["2e182430.8c8e6c"]]},{"id":"2e182430.8c8e6c","type":"debug","z":"268be8ad.9ee5b","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","statusVal":"","statusType":"auto","x":930,"y":400,"wires":[]},{"id":"3a951315.e66844","type":"debug","z":"268be8ad.9ee5b","name":"enp0s3","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":410,"y":380,"wires":[]},{"id":"e5efcbb7.23a7","type":"debug","z":"268be8ad.9ee5b","name":"json","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":610,"y":380,"wires":[]}]

I could get a more readable JSON structure with this code at the function node:

// Function-node body: parse the JSON string held in msg.payload and return the parsed
// object itself as the outgoing message.
// JSON.parse throws if its argument is not valid JSON text.
// NOTE(review): confirm msg.payload is always a string when it reaches this node.
// Because the parsed object (not msg) is returned, its own "payload" key presumably
// becomes msg.payload for the next node, which would explain why the result printed
// below starts at dhost. Verify in the debug sidebar.
p = JSON.parse(msg.payload);
return p;

The result:


{
  "dhost": {
    "addr": [
      128,
      120,
      113,
      67,
      87,
      122
    ]
  },
  "shost": {
    "addr": [
      8,
      0,
      39,
      206,
      160,
      222
    ]
  },
  "ethertype": 2048,
  "vlan": null,
  "payload": {
    "version": 4,
    "headerLength": 20,
    "diffserv": 0,
    "length": 127,
    "identification": 49557,
    "flags": {
      "reserved": false,
      "doNotFragment": true,
      "moreFragments": false
    },
    "fragmentOffset": 0,
    "ttl": 64,
    "protocol": 17,
    "headerChecksum": 14950,
    "saddr": {
      "addr": [
        192,
        168,
        1,
        55
      ]
    },
    "daddr": {
      "addr": [
        84,
        88,
        40,
        59
      ]
    },
    "payload": {
      "sport": 445,
      "dport": 445,
      "length": 107,
      "checksum": 16111,
      "data": [
        255,
        255,
        255,
        255,
        255,
        255,
        8,
        0,
        39,
        206,
        160,
        222,
        137,
        71,
        17,
        0,
        26,
        1,
        32,
        80,
        0,
        128,
        0,
        45,
        1,
        0,
        0,
        0,
        8,
        0,
        39,
        206,
        160,
        222,
        167,
        132,
        17,
        153,
        25,
        84,
        8,
        250,
        206,
        69,
        32,
        241,
        1,
        240,
        7,
        204,
        0,
        0,
        0,
        0,
        7,
        209,
        0,
        0,
        2,
        2,
        0,
        0,
        0,
        224,
        218,
        32,
        0,
        89,
        202,
        78,
        216,
        13,
        146,
        178,
        223,
        64,
        0,
        0,
        0,
        0,
        48,
        212,
        30,
        0,
        225,
        31,
        192,
        250,
        126,
        191,
        233,
        237,
        7,
        55,
        254,
        235,
        255,
        246,
        0
      ]
    }
  }
}

However, when I'm trying to extract a given value, it doesn't find it, for instance the first value addr in dhost.

// Function-node body: parse the JSON string in msg.payload, log the parsed value's type,
// then try to read the addr array of dhost.
p = JSON.parse(msg.payload);
node.log(typeof p);
// In the pasted output, dhost is an object holding an addr array, so the index belongs
// on addr (addr[0]), not on dhost. dhost[0] is undefined, and reading .addr from it throws.
// NOTE(review): in the pasted JSON string, dhost sits one level down, under the top-level
// "payload" key, so on the freshly parsed object the path is presumably
// p.payload.dhost.addr[0]. Confirm against the debug output.
q = p.dhost[0].addr;  //NOTE: I've tried multiple possibilities like p[0].dhost.addr.
return q;

that would be p.dhost.addr[0].

I don't have pcap installed but this works

[{"id":"c27e7afd.cecf58","type":"inject","z":"8d22ae29.7df6d","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"{\"link_type\":\"LINKTYPE_ETHERNET\",\"pcap_header\":{\"tv_sec\":1604664219,\"tv_usec\":630216,\"caplen\":141,\"len\":141},\"payload\":{\"dhost\":{\"addr\":[128,120,113,67,87,122]},\"shost\":{\"addr\":[8,0,39,206,160,222]},\"ethertype\":2048,\"vlan\":null,\"payload\":{\"version\":4,\"headerLength\":20,\"diffserv\":0,\"length\":127,\"identification\":35899,\"flags\":{\"reserved\":false,\"doNotFragment\":true,\"moreFragments\":false},\"fragmentOffset\":0,\"ttl\":64,\"protocol\":17,\"headerChecksum\":28608,\"saddr\":{\"addr\":[192,168,1,55]},\"daddr\":{\"addr\":[84,88,40,59]},\"payload\":{\"sport\":445,\"dport\":445,\"length\":107,\"checksum\":16111,\"data\":{\"type\":\"Buffer\",\"data\":[255,255,255,255,255,255,8,0,39,206,160,222,137,71,17,0,26,1,32,80,0,128,0,45,1,0,0,0,8,0,39,206,160,222,167,132,17,153,25,84,8,250,206,69,32,241,1,240,7,204,0,0,0,0,7,209,0,0,2,2,0,0,0,224,51,113,0,89,202,90,232,13,146,195,104,64,0,0,0,0,48,212,30,0,225,31,192,250,126,191,233,237,7,55,254,235,255,246,0]}}}}}","payloadType":"str","x":270,"y":2920,"wires":[["c21c2836.2e747","bee752d.576903"]]},{"id":"bee752d.576903","type":"json","z":"8d22ae29.7df6d","name":"","property":"payload","action":"obj","pretty":false,"x":450,"y":2920,"wires":[["9c656cf4.cd127","c21c2836.2e747"]]},{"id":"c21c2836.2e747","type":"debug","z":"8d22ae29.7df6d","name":"json","active":false,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":480,"y":3020,"wires":[]},{"id":"9c656cf4.cd127","type":"function","z":"8d22ae29.7df6d","name":"","func":"//msg.payload = JSON.parse(msg.payload);\nmsg.payload= msg.payload.payload\n\nreturn msg;\n\n\n//var newMsg = { payload: msg.payload.length };\n//return newMsg;\n\n//var myCount = 
flow.get(\"tv_sec\");\n//return myCount;","outputs":1,"noerr":0,"initialize":"","finalize":"","x":690,"y":2920,"wires":[["77dcc1a5.b2baa8"]]},{"id":"77dcc1a5.b2baa8","type":"debug","z":"8d22ae29.7df6d","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","statusVal":"","statusType":"auto","x":810,"y":3060,"wires":[]}]

Also, there is an output option. Is there an option to output a JSON object rather than a string?

@E1cid

The pcap node only allows these outputs:

image

Your solution works when you use the inject node. However, when I insert the pcap node with the output set to "Decoded pcap Object", it gives me this output:


"08:00:27:ce:a0:de -> 80:78:71:43:57:7a IPv4 192.168.1.55 -> 84.88.40.59 flags [d] UDP UDP 445->445 len 107"

Try a decoded pcap object; I would think that should return a JSON object.
Edit: never mind, I just read the result you posted.

Then return a string and my solution should work.

If I configure the pcap as output string, it's output is

LINKTYPE_ETHERNET 08:00:27:ce:a0:de -> 80:78:71:43:57:7a IPv4 192.168.1.55 -> 84.88.40.59 flags [d] UDP UDP 445->445 len 107

OK, I am confused now; that seems to be the same output.

Let's break this down to a simple flow and see the output clearly.

Create a flow with just a pcap node and a debug node. Configure the pcap node to output a decoded pcap object. In the debug node, show the full message object, then copy the value of the complete object and paste it here.

LINKTYPE_ETHERNET 08:00:27:ce:a0:de -> 80:78:71:43:57:7a IPv4 192.168.1.55 -> 84.88.40.59 flags [d] UDP UDP 445->445 len 107

image

The complete message object, not just msg.payload

{"payload":{"link_type":"LINKTYPE_ETHERNET","pcap_header":{"tv_sec":1604676133,"tv_usec":875785,"caplen":141,"len":141},"payload":{"dhost":{"addr":[128,120,113,67,87,122]},"shost":{"addr":[8,0,39,206,160,222]},"ethertype":2048,"vlan":null,"payload":{"version":4,"headerLength":20,"diffserv":0,"length":127,"identification":23478,"flags":{"reserved":false,"doNotFragment":true,"moreFragments":false},"fragmentOffset":0,"ttl":64,"protocol":17,"headerChecksum":41029,"saddr":{"addr":[192,168,1,55]},"daddr":{"addr":[84,88,40,59]},"payload":{"sport":445,"dport":445,"length":107,"checksum":16111,"data":[255,255,255,255,255,255,8,0,39,206,160,222,137,71,17,0,26,1,32,80,0,128,0,45,1,0,0,0,8,0,39,206,160,222,167,132,17,153,25,84,8,250,206,69,32,241,1,240,7,204,0,0,0,0,7,209,0,0,2,2,0,0,0,224,255,123,0,89,202,79,236,109,146,180,148,160,0,0,0,0,48,212,30,0,225,31,192,250,126,191,233,237,7,55,254,235,255,246,0]}}}},"topic":"enp0s3","_msgid":"4e1e8902.7898e8"}

Please place code between backticks it makes it easier for me to copy.

What you require is at
payload.payload.payload.dhost.addr[1]
in that debug output

So, I just need to code it in a function node or directly at the debug node?