
Pyshark: Can Only Get First Field Value If Same Key Name (field Name) Show Multiple Entries With Different Value

I am using Pyshark to parse a Wireshark sniffer log, and I used an exported JSON format file (based on a pcapng file) to find field names when using the 'get_field_value' function to retrieve f

Solution 1:

First off, you don't have to use item subset and get_field_value to get the field values. So instead of

value = packet['wlan_mgt'].get_field_value('supported_rates')

You can use:

value = packet.wlan_mgt.supported_rates

In order to get the tags on a WiFi packet in JSON mode, you can use packet.wlan_mgt.tagged.all.tag. That gives you a list of all tags, which you can filter using Python to find only the supported rates tag. I was planning on making an extension specifically for WiFi stuff like this since it's cumbersome, but I haven't had the chance to yet. If you look at the field in Wireshark you can see the category is tagged.all.

Also, when looking for fields and the like, I recommend using an interpreter with autocomplete (such as IPython) so you can just see which fields are available, or just use packet_layer.field_names to see all available fields.

Solution 2:

I faced a similar problem: I was checking the field option_len and only got one value instead of an array, and could not find an easy answer directly. The solution I finally used was to access the alternative fields available inside the field, as in the following code:

ol_arr = []
for x in cap[3].tcp._all_fields.values():
    if x.name == 'tcp.option_len':
        print(x.all_fields)
        for k in x.all_fields:
            print(k.get_default_value())
            ol_arr.append(k.get_default_value())
        break
print(ol_arr)

I hope that this helps

Solution 3:

This is a serious problem, and it exists in more places in "wireshark tools".

For example, when using tshark to read a pcap file:

tshark -r some_file.pcap -T json

It also returns JSON that contains some keys multiple times.

This was also published on Wireshark-dev and someone repaired it, but the code has not yet been inserted.

You can fix that by using this code:

import json

def parse_object_pairs(pairs):
    """
    Take a list of (key, value) tuples and check for duplicate keys.
    If there are duplicates, return the pairs list itself;
    otherwise return a dict built from the pairs.

    >>> parse_object_pairs([("color", "red"), ("size", 3)])
    {'color': 'red', 'size': 3}

    >>> parse_object_pairs([("color", "red"), ("size", 3), ("color", "blue")])
    [('color', 'red'), ('size', 3), ('color', 'blue')]

    :param pairs: list of tuples.
    :return: dict or list that contains the pairs.
    """
    dict_without_duplicate = dict()
    for k, v in pairs:
        if k in dict_without_duplicate:
            return pairs
        else:
            dict_without_duplicate[k] = v

    return dict_without_duplicate

decoder = json.JSONDecoder(object_pairs_hook=parse_object_pairs)

str_json_can_be_with_duplicate_keys = '{"color": "red", "size": 3, "color": "red"}'

data_after_decode = decoder.decode(str_json_can_be_with_duplicate_keys)
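
An added example, not part of the original answers: it goes beyond Solution 3's hook by merging repeated keys into ordered lists (so dict access still works) and by reporting which keys the default decoder would silently collapse. The sample JSON is constructed and simplified, and the function names are hypothetical.

```python
import json

# Constructed, simplified sample in the shape of `tshark -T json` output:
# "tcp.option_len" appears three times inside one object.
SAMPLE = """
[{"_source": {"layers": {"tcp": {
    "tcp.srcport": "443",
    "tcp.option_len": "4",
    "tcp.option_len": "3",
    "tcp.option_len": "10"
}}}}]
"""

def merge_duplicate_keys(pairs):
    """object_pairs_hook: keep every value of a repeated key, in order, as a list."""
    merged, repeated = {}, set()
    for key, value in pairs:
        if key in repeated:
            merged[key].append(value)
        elif key in merged:
            # Second occurrence: wrap the first value, even if it is itself a list.
            merged[key] = [merged[key], value]
            repeated.add(key)
        else:
            merged[key] = value
    return merged

def find_repeated_keys(text):
    """Return {key: highest count} for keys repeated within a single JSON object."""
    counts = {}
    def hook(pairs):
        seen = {}
        for key, _ in pairs:
            seen[key] = seen.get(key, 0) + 1
        for key, n in seen.items():
            if n > 1:
                counts[key] = max(counts.get(key, 0), n)
        return dict(pairs)
    json.loads(text, object_pairs_hook=hook)
    return counts

def tcp_layer(text, hook=None):
    """Decode the sample and return the tcp layer of the first packet."""
    return json.loads(text, object_pairs_hook=hook)[0]["_source"]["layers"]["tcp"]

if __name__ == "__main__":
    print(tcp_layer(SAMPLE))                        # default decoder: last value wins
    print(tcp_layer(SAMPLE, merge_duplicate_keys))  # all three option lengths kept
    print(find_repeated_keys(SAMPLE))
```

Running `find_repeated_keys` over an export before analysis shows whether a plain `json.load` would have dropped field values from that capture.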
