I have a bunch of pcap files, created with tcpdump. I would like to store these in a database, for easier querying, indexing etc. I thought mongodb might be a good choice, because storing a packet the way Wireshark/TShark presents them as JSON document seems to be natural.
It should be possible to create PDML files with tshark, parse these and insert them into mongodb, but I am curious if someone knows of an existing/other solution.
csv file? In Wireshark you need to go to File > Export Packet Dissections > a "CSV" (Comma Separated Values packet summary) file.
On the command line (Linux, Windows or MacOS), you can use tshark.
e.g.
tshark -r input.pcap -T json >output.json
or with a filter:
tshark -2 -R "your filter" -r input.pcap -T json >output.json
Considering you mentioned a set of pcap files, you can also pre-merge the pcap files into a single pcap and then export that in one go if preferred.
mergecap -w output.pcap input1.pcap input2.pcap ...
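Getting the tshark JSON into MongoDB takes one more step that the export commands above do not show: tshark emits every value as a string, uses dotted field names such as ip.src that MongoDB treats as field paths (and rejected outright on insert before MongoDB 5.0), and by default repeats a key inside a layer when a field occurs more than once, which json.loads would silently collapse to the last value. The following is an added example, not code from the question or from this answer, that converts tshark's JSON into documents MongoDB will accept and adds a few top-level fields worth indexing. The two sample packets are constructed by hand in the shape of tshark's output, and the pcap/packets database and collection names are arbitrary.

```python
"""Turn `tshark -T json` output into MongoDB-ready documents (added example)."""
import json
from datetime import datetime, timezone
from typing import Any, Optional

try:  # pymongo is only needed for the final insert step
    from pymongo import MongoClient
except ImportError:
    MongoClient = None

# Constructed sample in the shape tshark -T json produces: every value is a
# string, field names carry the layer prefix, and the "dns" layer repeats keys
# the way tshark does by default (i.e. without --no-duplicate-keys).
SAMPLE_TSHARK_JSON = """[
 {"_index": "packets-2024-01-01", "_type": "doc", "_score": null, "_source": {"layers": {
   "frame": {"frame.time_epoch": "1704067200.123456000", "frame.len": "74",
             "frame.protocols": "eth:ethertype:ip:tcp"},
   "eth": {"eth.src": "00:11:22:33:44:55", "eth.dst": "66:77:88:99:aa:bb"},
   "ip": {"ip.src": "10.0.0.5", "ip.dst": "93.184.216.34", "ip.proto": "6"},
   "tcp": {"tcp.srcport": "51234", "tcp.dstport": "443", "tcp.flags": "0x0002",
           "tcp.options.mss_val": "1460"}}}},
 {"_index": "packets-2024-01-01", "_type": "doc", "_score": null, "_source": {"layers": {
   "frame": {"frame.time_epoch": "1704067200.523456000", "frame.len": "130",
             "frame.protocols": "eth:ethertype:ip:udp:dns"},
   "eth": {"eth.src": "66:77:88:99:aa:bb", "eth.dst": "00:11:22:33:44:55"},
   "ip": {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.5", "ip.proto": "17"},
   "udp": {"udp.srcport": "53", "udp.dstport": "40000"},
   "dns": {"dns.flags.response": "1", "dns.resp.name": "example.com",
           "dns.resp.name": "example.com", "dns.a": "93.184.216.34", "dns.a": "93.184.216.35"}}}}
]"""


def _merge_pairs(pairs: list) -> dict:
    """object_pairs_hook: collect repeated keys into a list instead of keeping
    only the last one, which is what plain json.loads would do."""
    out: dict = {}
    duplicated: set = set()
    for key, value in pairs:
        if key not in out:
            out[key] = value
        elif key in duplicated:
            out[key].append(value)
        else:
            out[key] = [out[key], value]
            duplicated.add(key)
    return out


def load_tshark_json(text: str) -> list:
    return json.loads(text, object_pairs_hook=_merge_pairs)


def mongo_key(layer: str, field: str) -> str:
    """Strip the redundant layer prefix and turn remaining dots into underscores:
    ("tcp", "tcp.options.mss_val") -> "options_mss_val". Dots are path
    separators in MongoDB queries, and a leading '$' is reserved."""
    if field.startswith(layer + "."):
        field = field[len(layer) + 1:]
    return field.replace(".", "_").lstrip("$")


def coerce_scalar(value: Any) -> Any:
    """Convert decimal and 0x-hex integer strings so range queries and indexes
    work; leave addresses, names and epoch timestamps (nanosecond fraction)
    as text to avoid float precision loss."""
    if not isinstance(value, str):
        return value
    try:
        return int(value, 16) if value.lower().startswith("0x") else int(value)
    except ValueError:
        return value


def convert(layer: str, value: Any) -> Any:
    """Recursively rename keys and coerce values inside one protocol layer."""
    if isinstance(value, dict):
        return {mongo_key(layer, k): convert(layer, v) for k, v in value.items()}
    if isinstance(value, list):
        return [convert(layer, v) for v in value]
    return coerce_scalar(value)


def to_document(packet: dict) -> dict:
    """One tshark packet object -> one MongoDB document with summary fields."""
    layers = packet["_source"]["layers"]
    frame = layers.get("frame", {})
    ip = layers.get("ip") or layers.get("ipv6") or {}
    l4 = "tcp" if "tcp" in layers else "udp"
    ports = layers.get(l4, {})
    return {
        "ts": datetime.fromtimestamp(float(frame.get("frame.time_epoch", "0")), tz=timezone.utc),
        "frame_len": coerce_scalar(frame.get("frame.len")),
        "protocols": frame.get("frame.protocols", "").split(":"),
        "src_ip": ip.get("ip.src") or ip.get("ipv6.src"),
        "dst_ip": ip.get("ip.dst") or ip.get("ipv6.dst"),
        "src_port": coerce_scalar(ports.get(f"{l4}.srcport")),
        "dst_port": coerce_scalar(ports.get(f"{l4}.dstport")),
        "layers": {name: convert(name, fields) for name, fields in layers.items()},
    }


def convert_all(text: str) -> list:
    return [to_document(p) for p in load_tshark_json(text)]


def has_dotted_keys(value: Any) -> bool:
    """Pre-insert sanity check: True if any key anywhere still contains '.'."""
    if isinstance(value, dict):
        return any("." in k or has_dotted_keys(v) for k, v in value.items())
    return isinstance(value, list) and any(has_dotted_keys(v) for v in value)


def tshark_json_command(pcap: str, display_filter: Optional[str] = None) -> list:
    """Argument vector for the tshark invocation shown in the answer above."""
    cmd = ["tshark"]
    if display_filter:
        cmd += ["-2", "-R", display_filter]
    return cmd + ["-r", pcap, "-T", "json"]


def insert_documents(docs: list, uri: str = "mongodb://localhost:27017",
                     db: str = "pcap", coll: str = "packets") -> int:
    """Insert into MongoDB (hypothetical db/collection names) and create the
    indexes the summary fields exist for. Needs pymongo and a running server."""
    if MongoClient is None:
        raise RuntimeError("pymongo is not installed")
    collection = MongoClient(uri)[db][coll]
    collection.create_index([("ts", 1)])
    collection.create_index([("src_ip", 1), ("dst_ip", 1), ("dst_port", 1)])
    return len(collection.insert_many(docs).inserted_ids)


if __name__ == "__main__":
    docs = convert_all(SAMPLE_TSHARK_JSON)  # or: subprocess.run(tshark_json_command(path), ...)
    assert not any(has_dotted_keys(d) for d in docs)
    print(json.dumps(docs[1], default=str, indent=1))
```

For a real capture, feed the stdout of tshark_json_command(...) (run with subprocess) to convert_all instead of the sample, then hand the result to insert_documents. The summary fields (ts, src_ip, dst_ip, dst_port) are what you index and query on; the full dissection is kept under layers for ad-hoc lookups.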
Wireshark has a feature to export its capture files to JSON.
File->Export Packet Dissections->As JSON
You could use pcaphar. More info about HAR here.