Python – Pyshark: If the same key name (field name) shows multiple entries with different values, only the first field value can be obtained


I’m using Pyshark to parse Wireshark sniffer logs, and when retrieving field values using the “get_field_value” function, I’m using an exported JSON format file (based on a pcapng file) to look up the field names.

For example, to get the BSSID value:

  • In a JSON format file, the information is displayed as:

    "wlan.bssid": "11:22:33:44:55:66"
    
  • Then I can use:

    value = packet['wlan'].get_field_value('bssid')
    
  • Expected Results:

    value == '11:22:33:44:55:66'
    
  • For this case, it works fine.

But when I move to the “wlan_mgt” section in the beacon packet, I have the following problem:
– In a JSON format file, it displays:

      "wlan_mgt.tagged.all": {
        "wlan_mgt.tag": {
          "wlan_mgt.tag.number": "0",
          "wlan_mgt.tag.length": "5",
          "wlan_mgt.ssid": "MWIFI"
        },
        "wlan_mgt.tag": {
          "wlan_mgt.tag.number": "1",
          "wlan_mgt.tag.length": "6",
          "wlan_mgt.supported_rates": "24",
          "wlan_mgt.supported_rates": "164",
          "wlan_mgt.supported_rates": "48",
          "wlan_mgt.supported_rates": "72",
          "wlan_mgt.supported_rates": "96",
          "wlan_mgt.supported_rates": "108"
        },
        "wlan_mgt.tag": {
          "wlan_mgt.tag.number": "5",
          "wlan_mgt.tag.length": "7",
          "wlan_mgt.tim.dtim_count": "0",
          "wlan_mgt.tim.dtim_period": "1",
          "wlan_mgt.tim.bmapctl": "0x00000000",
          "wlan_mgt.tim.bmapctl_tree": {
            "wlan_mgt.tim.bmapctl.multicast": "0",
            "wlan_mgt.tim.bmapctl.offset": "0x00000000"
          },
          "wlan_mgt.tim.partial_virtual_bitmap": "00:10:00:00",
          "wlan.tim.aid": "0x0000000c"
        },

As we can see, “wlan_mgt.supported_rates” has multiple entries with the same field name (key) and different values for each entry, and I need to get them all.
– If I use:

    value = packet['wlan_mgt'].get_field_value('supported_rates')

– Then it only gives me the value “24”, which is the value of the first entry. And I don’t know how to retrieve other entry values because the key names are the same.

Should it return a list of all values, such as ['24', '164', '48', '72', '96', '108'], instead of just the first entry value?
Since based on the sniffer log (JSON format), there are many other entries with the same field name, e.g. ‘wlan_mgt.tag.number’, but the field values are different, so this issue is a hindrance for me.

Please advise how to get all the data, thank you very much!

BR,
Alex

Solution

First, you don’t have to use item subsets and get_field_value to get field values.
So it’s not

    value = packet['wlan_mgt'].get_field_value('supported_rates')

You can use:

    value = packet.wlan_mgt.supported_rates

In order to get the label on the wifi packet in JSON mode, you can use packet.wlan_mgt.tagged.all.tag. This gives you a list of all tags that you can filter using Python to find only supported rate tags.
I’m planning to do an extension specifically for WiFi stuff like this because it’s a hassle, but I haven’t had a chance yet. If you look at the fields on wireshark, you can see that the category is tagged.all.

Also, when looking up fields, etc., I recommend using an interpreter with autocomplete (e.g. IPython) so you can see only which fields are available, or just packet_layer.field_names to see all available fields.
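
The repeated keys can also be recovered straight from the exported JSON file, without Pyshark. The following is an added example, not part of the original question or answer: it uses only Python's standard `json` module, the sample is the question's excerpt trimmed and closed so that it is valid JSON, and the function names are hypothetical.

```python
import json

# Constructed sample: the beacon excerpt from the question, trimmed and closed
# so it parses. The duplicate keys are kept exactly as they were exported.
SAMPLE = """
{
  "wlan_mgt.tagged.all": {
    "wlan_mgt.tag": {
      "wlan_mgt.tag.number": "0",
      "wlan_mgt.tag.length": "5",
      "wlan_mgt.ssid": "MWIFI"
    },
    "wlan_mgt.tag": {
      "wlan_mgt.tag.number": "1",
      "wlan_mgt.tag.length": "6",
      "wlan_mgt.supported_rates": "24",
      "wlan_mgt.supported_rates": "164",
      "wlan_mgt.supported_rates": "48",
      "wlan_mgt.supported_rates": "72",
      "wlan_mgt.supported_rates": "96",
      "wlan_mgt.supported_rates": "108"
    }
  }
}
"""

def keep_duplicates(pairs):
    """object_pairs_hook: collect every value of a key in a list, in file order."""
    merged = {}
    for key, value in pairs:
        merged.setdefault(key, []).append(value)
    return merged

def supported_rates(text):
    """Return every supported_rates value found in tags numbered 1."""
    doc = json.loads(text, object_pairs_hook=keep_duplicates)
    rates = []
    for tagged in doc.get("wlan_mgt.tagged.all", []):
        for tag in tagged.get("wlan_mgt.tag", []):
            if tag.get("wlan_mgt.tag.number") == ["1"]:
                rates.extend(tag.get("wlan_mgt.supported_rates", []))
    return rates

def naive_rates(text):
    """Plain json.loads silently keeps only the last duplicate at each level."""
    tag = json.loads(text)["wlan_mgt.tagged.all"]["wlan_mgt.tag"]
    return tag["wlan_mgt.supported_rates"]
```

Because the hook wraps every value in a list, single-valued fields such as the tag number come back as one-element lists.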
