pyshark icon indicating copy to clipboard operation
pyshark copied to clipboard

Published 20 hours ago verified publisher icon KimiNewt

When parsing EK JSON message that contains multiple layers of the same type, add the list as separate layers

Open Victor-Mo opened this issue 2 years ago • 1 comments

When parsing EK JSON message that contains multiple layers of the same type, for example an RTCP packet with multiple RTCP sections. The 'rtcp' section will contain a list of rtcp sections. This has to be added as separate layers.

The JSON decoder in 'tshark_ek.py' decodes the multiple RTCP sections as a list. The EkLayer classs expects a Dict. This change will take the list and add the separate sections as separate layers. Below I have include the RAW JSON that caused the issue

{
	"timestamp": "1690967888547",
	"layers": {
		"frame": {
			"frame_frame_encap_type": "1",
			"frame_frame_time": "2023-08-02T09:18:08.547653000Z",
			"frame_frame_offset_shift": "0.000000000",
			"frame_frame_time_epoch": "1690967888.547653000",
			"frame_frame_time_delta": "0.004062000",
			"frame_frame_time_delta_displayed": "0.004062000",
			"frame_frame_time_relative": "2208.601376000",
			"frame_frame_number": "4923",
			"frame_frame_len": "126",
			"frame_frame_cap_len": "126",
			"frame_frame_marked": false,
			"frame_frame_ignored": false,
			"frame_frame_protocols": "eth:ethertype:ip:udp:rtp:rtcp"
		},
		"eth": {
			"eth_eth_dst": "6c:7e:67:00:00:00",
			"eth_eth_dst_resolved": "6c:7e:67:00:00:00",
			"eth_eth_dst_oui": "7110247",
			"eth_eth_addr": "6c:7e:67:00:00:00",
			"eth_eth_addr_resolved": "6c:7e:67:00:00:00",
			"eth_eth_addr_oui": "7110000",
			"eth_eth_dst_lg": false,
			"eth_eth_lg": false,
			"eth_eth_dst_ig": false,
			"eth_eth_ig": false,
			"eth_eth_src": "00:11:24:00:00:00",
			"eth_eth_src_resolved": "00:11:24:00:00:00",
			"eth_eth_src_oui": "4388",
			"eth_eth_src_oui_resolved": "Apple, Inc.",
			"eth_eth_addr": "00:11:24:00:00:00",
			"eth_eth_addr_resolved": "00:11:24:00:00:00",
			"eth_eth_addr_oui": "4388",
			"eth_eth_addr_oui_resolved": "Apple, Inc.",
			"eth_eth_src_lg": false,
			"eth_eth_lg": false,
			"eth_eth_src_ig": false,
			"eth_eth_ig": false,
			"eth_eth_type": "0x00000800"
		},
		"ip": {
			"ip_ip_version": "4",
			"ip_ip_hdr_len": "20",
			"ip_ip_dsfield": "0x00000088",
			"ip_ip_dsfield_dscp": "34",
			"ip_ip_dsfield_ecn": "0",
			"ip_ip_len": "112",
			"ip_ip_id": "0x00002a74",
			"ip_ip_flags": "0x00004000",
			"ip_ip_flags_rb": false,
			"ip_ip_flags_df": true,
			"ip_ip_flags_mf": false,
			"ip_ip_frag_offset": "0",
			"ip_ip_ttl": "64",
			"ip_ip_proto": "17",
			"ip_ip_checksum": "0x00004ce9",
			"ip_ip_checksum_status": "2",
			"ip_ip_src": "192.168.160.159",
			"ip_ip_addr": ["192.168.160.159", "192.168.160.167"],
			"ip_ip_src_host": "192.168.160.159",
			"ip_ip_host": ["192.168.160.159", "192.168.160.167"],
			"ip_ip_dst": "192.168.160.167",
			"ip_ip_dst_host": "192.168.160.167"
		},
		"udp": {
			"udp_udp_srcport": "5018",
			"udp_udp_dstport": "57284",
			"udp_udp_port": ["5018", "57284"],
			"udp_udp_length": "92",
			"udp_udp_checksum": "0x0000e68c",
			"udp_udp_checksum_status": "2",
			"udp_udp_stream": "1",
			"text": "Timestamps",
			"udp_udp_time_relative": "26.003036000",
			"udp_udp_time_delta": "0.004062000"
		},
		"rtcp": [{
			"rtcp_rtcp_version": "2",
			"rtcp_rtcp_padding": false,
			"rtcp_rtcp_rc": "0",
			"rtcp_rtcp_pt": "200",
			"rtcp_rtcp_length": "6",
			"rtcp_rtcp_senderssrc": "0xd77d577a",
			"rtcp_rtcp_timestamp_ntp_msw": "3899956688",
			"rtcp_rtcp_timestamp_ntp_lsw": "2577844052",
			"rtcp_rtcp_timestamp_ntp": "2023-08-02T09:18:08.600201089Z",
			"rtcp_rtcp_timestamp_rtp": "3309605720",
			"rtcp_rtcp_sender_packetcount": "2124",
			"rtcp_rtcp_sender_octetcount": "2561589"
		}, {
			"rtcp_rtcp_version": "2",
			"rtcp_rtcp_padding": false,
			"rtcp_rtcp_sc": "1",
			"rtcp_rtcp_pt": "202",
			"rtcp_rtcp_length": "8",
			"text": "Chunk 1, SSRC/CSRC 0xD77D577A",
			"rtcp_rtcp_ssrc_identifier": "0xd77d577a",
			"text": "SDES items",
			"rtcp_rtcp_sdes_type": ["1", "0"],
			"rtcp_rtcp_sdes_length": "24",
			"rtcp_rtcp_sdes_text": "[email protected]"
		}, {
			"rtcp_rtcp_version": "2",
			"rtcp_rtcp_padding": false,
			"rtcp_rtcp_rtpfb_fmt": "4",
			"rtcp_rtcp_pt": "205",
			"rtcp_rtcp_length": "4",
			"rtcp_rtcp_senderssrc": "0xd77d577a",
			"rtcp_rtcp_mediassrc": "0x00000000",
			"text": "TMMBN 1",
			"rtcp_rtcp_rtpfb_tmmbr_fci_ssrc": "0x8fa10952",
			"rtcp_rtcp_rtpfb_tmmbr_fci_exp": "3",
			"rtcp_rtcp_rtpfb_tmmbr_fci_mantissa": "116250",
			"rtcp_rtcp_rtpfb_tmmbr_fci_bitrate": "",
			"rtcp_rtcp_rtpfb_tmmbr_fci_measuredoverhead": "40",
			"rtcp_rtcp_length_check": true
		}]
	}
}

Victor-Mo avatar Aug 04 '23 08:08 Victor-Mo

I have a fix here that handles this a little better and orders the layers the way it shows up in wireshark so its better when printing.

Your fix also doesn't handle lists in the raw layers, so the program will crash if you try to print that same packet.

Here's my pull request: https://github.com/KimiNewt/pyshark/pull/677

chrisawad avatar Dec 20 '23 15:12 chrisawad