Skip to content

Instantly share code, notes, and snippets.

Created February 6, 2019 07:56
Show Gist options
  • Save tecoholic/9ff607ceac3317613c0babed26d51f25 to your computer and use it in GitHub Desktop.
Save tecoholic/9ff607ceac3317613c0babed26d51f25 to your computer and use it in GitHub Desktop.
Extract the flow of requests and responses from a Wireshark dump JSON exported file
import sys
import json
from urllib.parse import urlparse, parse_qs
def parse_multimap(ordered_pairs):
"""JSON loads object_pairs_hook, which creates a list of values when
duplicate keys are found in the JSON file being parsed
:param ordered_pairs: pairs
:return: dict of pairs with the duplicate keys' values as list
multimap = dict()
for k, v in ordered_pairs:
if k in multimap:
multimap[k] = [multimap[k]]
multimap[k] = v
return multimap
def main(filename):
"""Main driver function of the script
:param filename: CSV file
:return: None
with open(filename, "r") as f:
contents =
packets = json.loads(contents, object_pairs_hook=parse_multimap)
for packet in packets:
if "http" not in packet["_source"]["layers"]:
# Skip TCP packets
source = packet['_source']['layers']['ip']['ip.src']
dest = packet['_source']['layers']['ip']['ip.dst']
print(f"{source} -> {dest}")
# identify the request/response key
http = packet["_source"]["layers"]["http"]
rkey = None
for key in http.keys():
if "HTTP" in key:
rkey = key
if rkey:
if "http.request.uri" in http[rkey]:
print(http[rkey]["http.request.method"] + " " + http[rkey]["http.request.uri"])
if http[rkey]["http.request.method"] == "GET":
parts = urlparse(http[rkey]["http.request.uri"])
qs = parts[4]
print(json.dumps({k:v[0] for k,v in parse_qs(qs).items()}, indent=2))
elif "http.response.code" in http[rkey]:
print(http[rkey]["http.response.code"] + " " + http[rkey]["http.response.phrase"])
if "http.www_authenticate" in http:
print("WWW-Authenticate: "+http["http.www_authenticate"])
if "http.authorization" in http:
print("Authorization: "+http["http.authorization"])
if "http.request.full_uri" in http:
if "http.content_type" in http:
print("Content-Type: "+http["http.content_type"])
if "http.file_data" in http:
file_data = http["http.file_data"]
if "http.content_type" in http and "json" in http["http.content_type"]:
print(json.dumps(json.loads(file_data), indent=2))
except json.decoder.JSONDecodeError:
elif "http.content_type" in http and "urlencoded" in http["http.content_type"]:
print(json.dumps({k:v[0] for k,v in parse_qs(file_data).items()}, indent=2))
if "http.location" in http:
if __name__ == '__main__':
if len(sys.argv) == 2:
print("Usage: python wireshark_export.json > output.txt")
Copy link

If you get a Wireshark's pcap file to analyze and figure out the request and response cycle of happening, then load the file in Wireshark. Go to File -> Export and export it as JSON file. Then use this script to extract all the important information like URL, Content-Type, HTTP Method, Response Code, Parameters in the Query String, Authentication headers, content payload, and JSON.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment