Created attachment 14954 [details]
The protocol 104 pcap example
Build Information:
Both windows and Debian problem
On Windows:
===========
Version 2.2.0 (v2.2.0-0-g5368c50 from master-2.2)
Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with GLib 2.42.0, with
zlib 1.2.8, with SMI 0.4.8, with c-ares 1.11.0, with Lua 5.2.4, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale
English_United States.1252, with WinPcap version 4.1.3 (packet.dll version
4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with
GnuTLS 3.2.15, with Gcrypt 1.6.2, without AirPcap.
Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz (with SSE4.2), with 16259MB of
physical
memory.
Built using Microsoft Visual C++ 12.0 build 40629
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
On Debian:
==========
TShark (Wireshark) 2.2.0 (v2.2.0-1160-gae596fa from unknown)
Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.42.1, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2.3, with GnuTLS 3.3.8, with Gcrypt 1.6.3, with MIT Kerberos, with GeoIP.
Running on Linux 3.16.0-4-amd64, with locale en_US.utf8, with libpcap version
1.6.2, with GnuTLS 3.3.8, with Gcrypt 1.6.3, with zlib 1.2.8.
Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz (with SSE4.2)
Built using gcc 4.9.2.
--
JSON format does not support same key name at the same level.
So we cannot use the same PDML epan/print.c code and convert it to JSON
epam/print.c code without big changes.
For example the attached file iec104.pcap file gives the attached iec104.json
file that is not passing JSON validation ( for example at site:
http://jsonlint.com/)
The first family error is:
SyntaxError: Duplicate key 'ip.addr' on line 66
This is due that in the ip dissector, not like in the ethernet dissector,
ip.src and ip.dst or not separated sub nodes of ip but at the same level, so we
have twice the ip.addr entries: one for ip.dst and one for ip.src.
Same problem in the tcp layer
SyntaxError: Duplicate key 'tcp.port' on line 74
Maybe there is the same problem in the udp layer, I did not checked.
The third family problem that is for all other protocols:
SyntaxError: Duplicate key '104apci' on line 236
This IP frame contains multi same layers information:
we have twice 104apci and twice 104asdu.
Import note: The same bug occurs for MMS, and other protocols
JSON is expected an array containing several object with the same name:
>From site: http://www.w3schools.com/js/js_json_intro.asp
The following JSON
{"employees":[
{"firstName":"John", "lastName":"Doe"},
{"firstName":"Anna", "lastName":"Smith"},
{"firstName":"Peter", "lastName":"Jones"}
]}
is equal to the following XML:
<employees>
<employee>
<firstName>John</firstName> <lastName>Doe</lastName>
</employee>
<employee>
<firstName>Anna</firstName> <lastName>Smith</lastName>
</employee>
<employee>
<firstName>Peter</firstName> <lastName>Jones</lastName>
</employee>
</employees>
