Bug ID: 13956
           Summary: JSON export of frame with multiple layers generates
                    technically invalid JSON
           Product: Wireshark
           Version: 2.4.0
          Hardware: x86
                OS: Windows 7
            Status: UNCONFIRMED
          Severity: Minor
          Priority: Low
         Component: Common utilities (libwsutil)
  Target Milestone: ---

Build Information:
$ /cygdrive/c/Program\ Files/Wireshark/tshark.exe -v
TShark (Wireshark) 2.4.0 (v2.4.0-0-g9be0fa500d)

Copyright 1998-2017 Gerald Combs <> and contributors.
License GPLv2+: GNU GPL version 2 or later
This is free software; see the source for copying conditions. There is NO

Compiled (64-bit) with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.8, with
SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt
1.7.6, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0, with LZ4, with
Snappy, with libxml2 2.9.4.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM)
i7-4800MQ CPU @ 2.70GHz (with SSE4.2), with 7879 MB of physical memory, with
locale English_Ireland.1252, with WinPcap version 4.1.3 (packet.dll version, based on libpcap version 1.0 branch 1_0_rel0b (20091008), with
GnuTLS 3.4.11, with Gcrypt 1.7.6.

Built using Microsoft Visual C++ 14.0 build 24215

I was exporting PCAP files containing SMPP protocol trace where multiple SMPP
PDUs can be present in a single TCP frame.

So in a cut-down way, it would output something like the following (I've
heavily edited out the fields from the "smpp" layers.. 

        "_index": "packets-2017-08-09",
        "_type": "pcap_file",
        "_score": null,
        "_source": {
                "layers": {
                        "smpp": {
                                "smpp.command_length": "196",
                                "smpp.command_id": "0x00000005"
                        "smpp": {
                                "smpp.command_length": "28",
                                "smpp.command_id": "0x80000004"
                        "smpp": {
                                "smpp.command_length": "198",
                                "smpp.command_id": "0x00000005"
                        "smpp": {
                                "smpp.command_length": "196",
                                "smpp.command_id": "0x00000005"

But from a legit JSON perspective, this is not valid JSON as we've essentially
generated duplicate fields within the layers branch. 

If I parse that into Pythons JSON layer, it gives me the first SMPP pdu only
when I dereference into ['_source']['layers']['smpp']

The presence of multiple protocol PDUs within a single frame here should
probably be presented as a list
along the lines of "smpp": [ {...}, {...}, {...} ]

I suspect this would affect a bunch of other binary and length delimited
protocols that can be packed several times into a single packet/frame.

You are receiving this mail because:
You are watching all bug changes.
Sent via:    Wireshark-bugs mailing list <>

Reply via email to