Easiest way to convert pcap to JSON

Question

I have a bunch of pcap files, created with tcpdump. I would like to store these in a database, for easier querying, indexing etc. I thought mongodb might be a good choice, because storing a packet the way Wireshark/TShark presents them as JSON document seems to be natural.

It should be possible to create PDML files with tshark, parse these and insert them into mongodb, but I am curious if someone knows of an existing/other solution.

score 19 · Answer 1 · edited Aug 09 '17 at 20:53

On the command line (Linux, Windows or MacOS), you can use tshark.

e.g.

tshark -r input.pcap -T json >output.json

or with a filter:

tshark -2 -R "your filter" -r input.pcap -T json >output.json

Considering you mentioned a set of pcap files, you can also pre-merge the pcap files into a single pcap and then export that in one go if preferred..

mergecap -w output.pcap input1.pcap input2.pcap..

score 13 · Answer 2 · edited Aug 09 '17 at 20:48

13

Wireshark has a feature to export it's capture files to JSON.

File->Export Packet Dissections->As JSON

edited Aug 09 '17 at 20:48

jontro

10,241
6
46
71

answered Nov 11 '16 at 02:15

Ajay Thomas

173
2
12

What version is this supported in? – nealmcb Sep 09 '17 at 15:56

score 1 · Answer 3 · answered Mar 08 '13 at 02:37

1

You could use pcaphar. More info about HAR here.

answered Mar 08 '13 at 02:37

Yehia

518
2
17

2

This answer is pretty much just links which are vulnerable to rot. – bright-star Nov 16 '14 at 04:19

Easiest way to convert pcap to JSON

3 Answers3