Goal
- Convert a pcap file to JSON. The tshark shipped in the distribution's standard package cannot produce JSON output, so install a recent tshark (Wireshark) and use it to generate the JSON.
$ tshark -r testcap_2020-12-14_05-34-54.pcap -T json
tshark: Invalid -T parameter.
It must be "ps", "text", "pdml", "psml" or "fields".
$ tshark -v
TShark 1.10.14 (Git Rev Unknown from unknown)
~~ (omitted) ~~
Commands run
- Build and install the current tshark release from source
Install the required RPM packages
sudo yum install libgcrypt-devel glib2-devel qt-devel qt5-qtbase-devel \
qt5-linguist qt5-qtmultimedia-devel qt5-qtsvg-devel \
libcap-devel libcap-ng-devel gnutls-devel krb5-devel \
libxml2-devel lua-devel lz4-devel snappy-devel spandsp-devel \
libssh2-devel bcg729-devel libmaxminddb-devel sbc-devel \
libsmi-devel libnl3-devel libnghttp2-devel libssh-devel \
libpcap-devel c-ares-devel redhat-rpm-config rpm-build \
gtk+-devel gtk3-devel desktop-file-utils portaudio-devel \
rubygem-asciidoctor docbook5-style-xsl docbook-style-xsl \
systemd-devel python3 cmake3 git gcc gcc-c++ flex bison \
doxygen gettext-devel libxslt cmake wget -y
Build and install cmake3
wget https://github.com/Kitware/CMake/releases/download/v3.19.1/cmake-3.19.1.tar.gz
tar zxvf cmake-3.19.1.tar.gz
cd cmake-3.19.1
sudo mkdir -p /opt/cmake3/3.19.1
./configure --prefix=/opt/cmake3/3.19.1
sudo make install
/opt/cmake3/3.19.1/bin/cmake --version
sudo ln -s /opt/cmake3/3.19.1/bin/cmake /usr/bin/cmake3
ls -lasF /usr/bin/cmake3
$ cmake3 --version
cmake version 3.19.1
CMake suite maintained and supported by Kitware (kitware.com/cmake).
Build and install tshark
sudo su -
cd /root
git clone https://github.com/wireshark/wireshark.git
cd wireshark
git checkout tags/wireshark-3.4.0
mkdir -p ~/temp/wireshark-3.4.0
mkdir -p /opt/wireshark/3.4.0
cd ~/temp/wireshark-3.4.0
cmake3 -DCMAKE_INSTALL_PREFIX=/opt/wireshark/3.4.0 -LH /root/wireshark
make
make install
# ls -lasF /opt/wireshark/3.4.0/bin/
total 123432
0 drwxr-xr-x 2 root root 228 Dec 14 05:17 ./
0 drwxr-xr-x 6 root root 58 Dec 14 05:17 ../
128 -rwxr-xr-x 1 root root 129248 Dec 14 05:16 capinfos*
52 -rwxr-xr-x 1 root root 52576 Dec 14 05:16 captype*
392 -rwxr-xr-x 1 root root 401088 Dec 14 05:16 dumpcap*
168 -rwxr-xr-x 1 root root 168088 Dec 14 05:16 editcap*
144 -rwxr-xr-x 1 root root 145272 Dec 14 04:50 idl2wrs*
84 -rwxr-xr-x 1 root root 83296 Dec 14 05:16 mergecap*
24 -rwxr-xr-x 1 root root 24448 Dec 14 04:50 mmdbresolve*
88 -rwxr-xr-x 1 root root 89216 Dec 14 05:16 randpkt*
400 -rwxr-xr-x 1 root root 409056 Dec 14 05:16 rawshark*
72 -rwxr-xr-x 1 root root 73248 Dec 14 05:16 reordercap*
708 -rwxr-xr-x 1 root root 723984 Dec 14 05:16 sharkd*
132 -rwxr-xr-x 1 root root 134120 Dec 14 04:50 text2pcap*
1396 -rwxr-xr-x 1 root root 1428032 Dec 14 05:04 tshark*
119644 -rwxr-xr-x 1 root root 122511856 Dec 14 05:16 wireshark*
# /opt/wireshark/3.4.0/bin/tshark --version
Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 3.4.0 (v3.4.0-0-g9733f173ea5e)
~~ (omitted) ~~
$ /opt/wireshark/3.4.0/bin/tshark -r testcap_2020-12-14_05-34-54.pcap -T ABC
tshark: Invalid -T parameter "ABC"; it must be one of:
"fields" The values of fields specified with the -e option, in a form
specified by the -E option.
"pdml" Packet Details Markup Language, an XML-based format for the
details of a decoded packet. This information is equivalent to
the packet details printed with the -V flag.
"ps" PostScript for a human-readable one-line summary of each of
the packets, or a multi-line view of the details of each of
the packets, depending on whether the -V flag was specified.
"psml" Packet Summary Markup Language, an XML-based format for the
summary information of a decoded packet. This information is
equivalent to the information shown in the one-line summary
printed by default.
"json" Packet Summary, an JSON-based format for the details
summary information of a decoded packet. This information is
equivalent to the packet details printed with the -V flag.
"jsonraw" Packet Details, a JSON-based format for machine parsing
including only raw hex decoded fields (same as -T json -x but
without text decoding, only raw fields included).
"ek" Packet Details, an EK JSON-based format for the bulk insert
into elastic search cluster. This information is
equivalent to the packet details printed with the -V flag.
"text" Text of a human-readable one-line summary of each of the
packets, or a multi-line view of the details of each of the
packets, depending on whether the -V flag was specified.
This is the default.
"tabs" Similar to the text report except that each column of the
human-readable one-line summary is delimited with an ASCII
horizontal tab character.
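Once the rebuilt tshark emits `-T json`, the next step is consuming that output. As an added example (not part of the original post), the script below parses the structure tshark produces, an array of objects with `_source.layers.<protocol>.<field>` where every value is a string, and summarises each packet; the two embedded packets are constructed sample data, not output from the author's capture.

```python
import json
from collections import Counter

# Constructed sample of what `tshark -r capture.pcap -T json` emits:
# one TCP/IP frame and one ARP frame. Addresses and sizes are illustrative.
SAMPLE_TSHARK_JSON = """[
  {"_index": "packets-2020-12-14", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.len": "74", "frame.protocols": "eth:ethertype:ip:tcp"},
     "eth": {"eth.src": "00:11:22:33:44:55", "eth.dst": "66:77:88:99:aa:bb"},
     "ip": {"ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "ip.proto": "6"},
     "tcp": {"tcp.srcport": "51234", "tcp.dstport": "22", "tcp.flags": "0x00000002"}}}},
  {"_index": "packets-2020-12-14", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.len": "42", "frame.protocols": "eth:ethertype:arp"},
     "eth": {"eth.src": "00:11:22:33:44:55", "eth.dst": "ff:ff:ff:ff:ff:ff"},
     "arp": {"arp.opcode": "1", "arp.src.proto_ipv4": "10.0.0.5"}}}}
]"""


def summarize_packets(tshark_json_text):
    """Return one dict per packet with the fields an analyst triages first.

    tshark -T json wraps each packet as {"_source": {"layers": {...}}} and
    emits every field value as a string, so numeric fields are converted here.
    A layer missing from a packet (e.g. no "ip" on an ARP frame) yields None
    instead of raising, so a mixed capture is handled in one pass.
    """
    rows = []
    for pkt in json.loads(tshark_json_text):
        layers = pkt.get("_source", {}).get("layers", {})
        frame = layers.get("frame", {})
        ip = layers.get("ip", {})
        tcp = layers.get("tcp", {})
        rows.append({
            "protocols": frame.get("frame.protocols"),
            "length": int(frame.get("frame.len", 0)),
            "src": ip.get("ip.src"),
            "dst": ip.get("ip.dst"),
            "dstport": int(tcp["tcp.dstport"]) if "tcp.dstport" in tcp else None,
        })
    return rows


def top_destination_ports(rows):
    """Count packets per TCP destination port: a quick view of which services were contacted."""
    return Counter(r["dstport"] for r in rows if r["dstport"] is not None)
```

To run it on a real file, feed the text from `tshark -r capture.pcap -T json` to `summarize_packets` in place of the embedded sample.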