def packet_from_json_packet(json_pkt, deduplicate_fields=True):
"""Creates a Pyshark Packet from a tshark json single packet.
Before tshark 2.6, there could be duplicate keys in a packet json, which creates the need for
deduplication and slows it down significantly.
"""
if deduplicate_fields:
# NOTE: We can use ujson here for ~25% speed-up, however since we can't use hooks in ujson
# we lose the ability to view duplicates. This might still be a good option later on.
pkt_dict = json.loads(json_pkt.decode('utf-8'),
object_pairs_hook=duplicate_object_hook)
else:
if USE_UJSON:
pkt_dict = ujson.loads(json_pkt)
else:
pkt_dict = json.loads(json_pkt.decode('utf-8'))
# We use the frame dict here and not the object access because it's faster.
frame_dict = pkt_dict['_source']['layers'].pop('frame')
layers = []
for layer in frame_dict['frame.protocols'].split(':'):
layer_dict = pkt_dict['_source']['layers'].pop(layer, None)
if layer_dict is not None:
layers.append(JsonLayer(layer, layer_dict))
# Add all leftovers
for name, layer in pkt_dict['_source']['layers'].items():
layers.append(JsonLayer(name, layer))
return Packet(layers=layers,
frame_info=JsonLayer('frame', frame_dict),
number=int(frame_dict.get('frame.number', 0)),
length=int(frame_dict['frame.len']),
sniff_time=frame_dict['frame.time'],
interface_captured=frame_dict.get('frame.interface_id'))
def _packet_from_pdml_packet(pdml_packet):
layers = [Layer(proto) for proto in pdml_packet.proto]
geninfo, frame, layers = layers[0], layers[1], layers[2:]
return Packet(layers=layers, frame_info=frame, number=geninfo.get_field_value('num'),
length=geninfo.get_field_value('len'), sniff_time=geninfo.get_field_value('timestamp', raw=True),
captured_length=geninfo.get_field_value('caplen'),
interface_captured=frame.get_field_value('interface_id', raw=True))
def packet_from_xml_packet(xml_pkt):
"""
Gets a TShark XML packet object or string, and returns a pyshark Packet objec.t
:param xml_pkt: str or xml object.
:return: Packet object.
"""
if not isinstance(xml_pkt, lxml.objectify.ObjectifiedElement):
xml_pkt = lxml.objectify.fromstring(xml_pkt)
layers = [Layer(proto) for proto in xml_pkt.proto]
geninfo, frame, layers = layers[0], layers[1], layers[2:]
frame.raw_mode = True
return Packet(layers=layers,
length=geninfo.get_field_value('len'),
sniff_time=geninfo.get_field_value('timestamp', raw=True),
captured_length=geninfo.get_field_value('caplen'),
interface_captured=frame.get_field_value('interface_id'))
def packet_from_json_packet(json_pkt):
# NOTE: We can use ujson here for ~25% speed-up, however since we can't use hooks in ujson
# we lose the ability to view duplicates. This might still be a good option later on.
pkt_dict = json.loads(json_pkt.decode('utf-8'), object_pairs_hook=duplicate_object_hook)
# We use the frame dict here and not the object access because it's faster.
frame_dict = pkt_dict['_source']['layers'].pop('frame')
layers = []
for layer in frame_dict['frame.protocols'].split(':'):
layer_dict = pkt_dict['_source']['layers'].pop(layer, None)
if layer_dict is not None:
layers.append(JsonLayer(layer, layer_dict))
# Add all leftovers
for name, layer in pkt_dict['_source']['layers'].items():
layers.append(JsonLayer(name, layer))
return Packet(layers=layers, frame_info=JsonLayer('frame', frame_dict),
number=int(frame_dict.get('frame.number', 0)),
length=int(frame_dict['frame.len']),
sniff_time=frame_dict['frame.time'],
interface_captured=frame_dict.get('frame.interface_id'))
