Using Pyshark To Pair Key And Value From Json Packet

I am trying to parse a PCAP file using Pyshark. Some of the packets have JSON in them and I am trying to print them out with matching key:value. This is what I have at the moment f

Solution 1:

While trying to open the PCAP file through Filecapture method, set 'use_json=True'. This would capture the packets in a JSON like format.

import pyshark

packets = pyshark.FileCapture('cap.pcapng',use_json=True,include_raw=True)
pack = packets[1] #get the packet that has JSON

jsonStr=str(pack.json)
print(jsonStr)

This would print the JSON layer of the packet in the following manner:

Layer JSON:object_raw:7ba298object_raw:234object_raw:97object:member_raw:345admember_raw:4567member:key:manufacturerstring:LiveTVSectionViewedvalue.string:abcdvalue.string_raw:ab345key_raw:8abc6string_raw:67acmember:key:ipstring:71.120.154.30value.string:234value.string_raw:ab345key_raw:8abc6string_raw:67ac

So, each 'member' segment in this string (jsonStr) contains a 'key' field and a 'string' field which correspond to the key-value pair that you had in your original JSON, along with other raw data. You can omit the raw data by using 'include_raw=False' while capturing packets using FileCapture method. By using the key ('manufacturer', for example) and datatype of the value (string or a number), you can extract the value of whichever key you want.