Pyshark:仅当相同的键名称(字段名称)显示多个具有不同值的条目时，才可以获取第一个字段值 [英] Pyshark: can only get first field value if same key name (field name) show multiple entries with different value

问题描述

我正在使用Pyshark解析Wireshark嗅探器日志，当使用'get_field_value'函数检索字段值时，我使用了导出的Json格式文件(基于pcapny文件)来查找字段名称.

I am using Pyshark to parse Wireshark sniffer log, and I used exported Json format file (based on pcapny file) to find field names when use 'get_field_value' function to retrieve field value.

例如，为了获取BSSID值:

For example, in order to get BSSID value:

• 在Json格式文件中，此信息显示为

• In Json format file, this info is displayed as

"wlan.bssid": "11:22:33:44:55:66"

然后我可以使用:

Then I could use:

value = packet['wlan'].get_field_value('bssid')

预期结果:

Result is expected:

value == '11:22:33:44:55:66'

在这种情况下，它工作正常.

但是当我移动到信标数据包中的"wlan_mgt"部分时，遇到以下情况的问题，如下所示: -在Json格式的文件中，它显示:

But I encounter an issue with below condition when I move to 'wlan_mgt' section in a beacon packet as example showing below: - In Json format file, it shows:

      "wlan_mgt.tagged.all": {
        "wlan_mgt.tag": {
          "wlan_mgt.tag.number": "0",
          "wlan_mgt.tag.length": "5",
          "wlan_mgt.ssid": "MWIFI"
        },
        "wlan_mgt.tag": {
          "wlan_mgt.tag.number": "1",
          "wlan_mgt.tag.length": "6",
          "wlan_mgt.supported_rates": "24",
          "wlan_mgt.supported_rates": "164",
          "wlan_mgt.supported_rates": "48",
          "wlan_mgt.supported_rates": "72",
          "wlan_mgt.supported_rates": "96",
          "wlan_mgt.supported_rates": "108"
        },
        "wlan_mgt.tag": {
          "wlan_mgt.tag.number": "5",
          "wlan_mgt.tag.length": "7",
          "wlan_mgt.tim.dtim_count": "0",
          "wlan_mgt.tim.dtim_period": "1",
          "wlan_mgt.tim.bmapctl": "0x00000000",
          "wlan_mgt.tim.bmapctl_tree": {
            "wlan_mgt.tim.bmapctl.multicast": "0",
            "wlan_mgt.tim.bmapctl.offset": "0x00000000"
          },
          "wlan_mgt.tim.partial_virtual_bitmap": "00:10:00:00",
          "wlan.tim.aid": "0x0000000c"
        },

我们可以看到，"wlan_mgt.supported_rates"有多个条目，字段名称(键)相同，并且每个条目的值都不同，我需要将它们全部获取.但是，如果我使用: -如果我使用:

As we can see, there are multiple entries for "wlan_mgt.supported_rates", the field name (key) are the same, and the value for each entry is different which I will need to get them all. But if I use: - If I use:

    value = packet['wlan_mgt'].get_field_value('supported_rates')

-然后它只给我值'24'，它是第一个条目的值.而且我不知道如何检索其他条目值，因为键名是相同的.

- Then it only gives me value '24' which is the value of 1st entry. And I have no idea how to retrieve other entry values since the key name is the same.

是否应该返回所有值的列表，例如['24'，'164'，'48'，'72'，'96'，'108']，而不是仅第一个输入值? 由于基于嗅探器日志(Json格式)，因此存在许多其他具有相同字段名称的条目，例如 "wlan_mgt.tag.number"，但字段值不同，因此此问题对我来说是一个障碍.

Should it return a list of all values like ['24', '164','48','72','96','108'], rather than only the 1st entry value? Since based on sniffer log (Json format), there are many other entries with same field name, for example 'wlan_mgt.tag.number', but different field value, so this issue is a blocker for me.

请咨询如何获取所有数据，并在此先感谢！

Pls advice how to get all data, and Thanks a lot in advance!

BR，
亚历克斯

BR,
Alex

推荐答案

这是一个严重的问题，在"wireshark工具"中的更多地方都存在.

This is a serious problem, and it exists in more places in "wireshark tools".

例如，使用tshark读取pcap文件时.

For example, when using tshark for read pcap file.

tshark -r some_file.pcap -T json

它还返回包含一些多个键的json.

its also return json that contain some multiple keys.

这也发布在Wireshark-dev 有人对此进行修复，但是代码尚未插入.

This also publish in Wireshark-dev and someone repair this, But the code has not yet been inserted.

您可以使用以下代码解决此问题:

You can fix that by using this code:

import json

def parse_object_pairs(pairs):
    """
    This function get list of tuple's
    and check if have duplicate keys.
    if have then return the pairs list itself.
    but if haven't return dict that contain pairs.

    >>> parse_object_pairs([("color": "red"), ("size": 3)])
    {"color": "red", "size": 3}

    >>> parse_object_pairs([("color": "red"), ("size": 3), ("color": "blue")])
    [("color": "red"), ("size": 3), ("color": "blue")]

    :param pairs: list of tuples.
    :return dict or list that contain pairs.
    """
    dict_without_duplicate = dict()
    for k, v in pairs:
        if k in dict_without_duplicate:
            return pairs
        else:
            dict_without_duplicate[k] = v

    return dict_without_duplicate

decoder = json.JSONDecoder(object_pairs_hook=parse_object_pairs)

str_json_can_be_with_duplicate_keys = '{"color": "red", "size": 3, "color": "red"}'

data_after_decode = decoder.decode(str_json_can_be_with_duplicate_keys)

这篇关于Pyshark:仅当相同的键名称(字段名称)显示多个具有不同值的条目时，才可以获取第一个字段值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！