
tcpdump is my go-to tool to analyze traffic (together with Wireshark when I want an easier review of the pcap file).

This fantastic tool fails, however, to deliver a predictable and easy-to-parse output format ("predictable" as in "same on all Linux environments and hopefully on Windows as well" and "easy to parse" as in "has an output format which can be easily analyzed in a script"). I want to parse live traffic, not a pcap file (for which solutions exist).

Is there a way to output a parsable output (ideally JSON)? Maybe through another tool which I did not spot, but since this is a request for a recommendation (probably against the rules), I put it in small letters.

The analysis will ultimately be done in Python but I did not find a suitable library to read the traffic. Specifically, scapy is not a good solution as its sniffing capacities are very limited (a lot of packets are missed), as opposed to its packet forging magic.

WoJ
  • Have you looked at Tshark? This could give you Wireshark style output on the command line. – Mark Riddell Mar 14 '17 at 20:47
  • @MarkoPolo: actually I discovered it yesterday. I think this will be the right tool, especially that one can easily provide the template for exactly the fields which are needed and the separator between them. This is not JSON but close enough in terms of ease of analysis. – WoJ Mar 14 '17 at 20:51
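The approach the comments converge on (tshark with a field template and a separator for live capture, parsed in Python) as an added example; this is not code from the question or from the Wireshark project. It assumes tshark is on PATH and that the user may capture on the interface; the tshark options and field names used (`-l`, `-T fields`, `-E separator=/t`, `-E occurrence=f`, `-T ek`, `frame.time_epoch`, `ip.src`, `tcp.srcport`, `_ws.col.Protocol`, ...) are real tshark options, while the sample output lines are constructed so the parser can be exercised without a capture. `-T ek` is included because it gives newline-delimited JSON that can be streamed, unlike `-T json`, which emits one array and is awkward for live use.

```python
"""Turn tshark's live output into Python dicts.

Capture and parsing are separated so the parsing can be tested on sample
lines. Column order equals the order of the -e fields passed to tshark.
"""
import json
import subprocess
import sys
from collections import Counter
from typing import Iterator, List, Optional

# Real tshark field names; the order here is the column order in the output.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst",
          "tcp.srcport", "tcp.dstport", "frame.len", "_ws.col.Protocol"]
INT_FIELDS = {"tcp.srcport", "tcp.dstport", "frame.len"}


def tshark_fields_cmd(iface: str, fields=FIELDS, capture_filter: str = "") -> List[str]:
    """argv for a line-buffered (-l) live capture printed as tab-separated fields."""
    cmd = ["tshark", "-i", iface, "-l", "-T", "fields",
           "-E", "separator=/t",   # "/t" is tshark's spelling of a tab separator
           "-E", "occurrence=f"]   # first occurrence only, so each column holds one value
    for f in fields:
        cmd += ["-e", f]
    if capture_filter:             # optional BPF capture filter, e.g. "tcp port 443"
        cmd += ["-f", capture_filter]
    return cmd


def parse_fields_line(line: str, fields=FIELDS) -> dict:
    """One tshark -T fields line -> dict; empty columns become None, numbers are typed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(parts)}: {line!r}")
    rec = {}
    for name, raw in zip(fields, parts):
        if raw == "":                      # e.g. no tcp.* columns on an ICMP packet
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(raw)
        elif name == "frame.time_epoch":
            rec[name] = float(raw)
        else:
            rec[name] = raw
    return rec


def live_records(iface: str, capture_filter: str = "") -> Iterator[dict]:
    """Run tshark on a live interface and yield one dict per packet (requires capture rights)."""
    proc = subprocess.Popen(tshark_fields_cmd(iface, FIELDS, capture_filter),
                            stdout=subprocess.PIPE, text=True)
    try:
        for line in proc.stdout:
            if line.strip():
                yield parse_fields_line(line)
    finally:
        proc.terminate()


def parse_ek_lines(lines) -> List[dict]:
    """tshark -T ek output: an {"index": ...} action line precedes each packet object.
    Skip the action lines and return the packet objects."""
    packets = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if set(obj) == {"index"}:
            continue
        packets.append(obj)
    return packets


def bytes_by_source(records) -> dict:
    """Simple aggregate a detection script might keep: bytes seen per source IP."""
    totals: Counter = Counter()
    for r in records:
        if r.get("ip.src") is not None:
            totals[r["ip.src"]] += r.get("frame.len") or 0
    return dict(totals)


# Constructed sample lines in the shape tshark -T fields emits for FIELDS above.
SAMPLE_FIELDS_LINES = [
    "1489525647.123456\t10.0.0.5\t93.184.216.34\t51234\t443\t74\tTCP",
    "1489525647.223456\t10.0.0.5\t10.0.0.1\t\t\t98\tICMP",
    "1489525647.323456\t93.184.216.34\t10.0.0.5\t443\t51234\t1514\tTLSv1.2",
]
# Constructed sample in the shape of tshark -T ek (layer contents illustrative only).
SAMPLE_EK_LINES = [
    '{"index":{"_index":"packets-2017-03-14","_type":"doc"}}',
    '{"timestamp":"1489525647123","layers":{"ip":{"ip_ip_src":"10.0.0.5","ip_ip_dst":"10.0.0.1"}}}',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # python this.py eth0  -> live capture
        for rec in live_records(sys.argv[1]):
            print(rec)
    else:                                  # no interface given: run on the samples
        recs = [parse_fields_line(l) for l in SAMPLE_FIELDS_LINES]
        print(recs, bytes_by_source(recs), parse_ek_lines(SAMPLE_EK_LINES))
```

`-E occurrence=f` matters for the fields route: without it, a packet that carries a field more than once (an ICMP error quoting an inner IP header, for instance) makes tshark join the values with commas in one column, which silently breaks a naive split. The `-l` flag keeps tshark from block-buffering stdout, so records arrive as packets are seen rather than in bursts.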

0 Answers