Parse error on Tshark generated JSON

Greetings.

I have a JSON file generated using the Tshark -T ek command, converting a Wireshark PCAP file to JSON to be inserted into Elasticsearch.

The thing is, I am getting a parse error exception on the production side.

:exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')

The weird thing is, I copied the same JSON file to be tested locally, with the Logstash config file, and it turns out fine without any exception. Any thoughts on what I might have done wrong?

I have no clue what is wrong because the JSON is generated using the Tshark -T ek command.

Has anyone here encountered any problems with Tshark-generated JSON?

OS: CentOS 7
Logstash: 6.2.3

Have you used an online validator like jsonlint to check the JSON?

There have been problems with how Tshark generates JSON.

What version of Tshark are you using?

Yes. Checked a few times with jsonlint. Apparently, it has problems with duplicated keys, but the weird thing is that it processes without any problems/exceptions on my side.

Wireshark version: wireshark-qt-2.4.6-1.x86_64
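A line-by-line check for the duplicated keys and parse errors discussed above, as an added example that is not from any participant in this thread. The function name `check_ek_lines` and the sample records are constructed for illustration; Python's `json` module keeps the last value for a repeated key by default, so the hook below is what makes duplicates visible.

```python
import json

def check_ek_lines(lines):
    """Check newline-delimited JSON (one object per line, as -T ek emits).

    Returns a list of (line_number, kind, detail) tuples.
    """
    problems = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        dupes = []

        def hook(pairs, dupes=dupes):
            # Called for every JSON object; record keys seen more than once.
            seen = {}
            for key, value in pairs:
                if key in seen:
                    dupes.append(key)
                seen[key] = value
            return seen

        try:
            json.loads(line, object_pairs_hook=hook)
        except json.JSONDecodeError as e:
            # Show a few characters around the failure to locate it quickly.
            near = line[max(0, e.pos - 15):e.pos + 15]
            problems.append((n, "parse_error", f"{e.msg} near {near!r}"))
            continue
        for key in dupes:
            problems.append((n, "duplicate_key", key))
    return problems

# Constructed sample input (not real capture output): one clean action
# line, one record with a repeated key, one record with a stray ':'.
SAMPLE = [
    '{"index":{"_index":"packets-2018-05-01","_type":"pcap_file"}}',
    '{"timestamp":"1525132800000","layers":{"ip":'
    '{"ip_ip_addr":"10.0.0.1","ip_ip_addr":"10.0.0.2"}}}',
    '{"timestamp":"1525132800001","layers":{"frame":'
    '{"frame_frame_len"::"60"}}}',
]

if __name__ == "__main__":
    for line_no, kind, detail in check_ek_lines(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
```

Running the same check over the file on both the production and the local machine shows whether the two inputs are actually identical at the failing line.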

It's worth upgrading Wireshark to 2.6.0.

Many thousands of users are ingesting JSON with Logstash 24/7; we rarely find bugs in the JSON parser these days. The LS JSON parser is really a wrapper around the Jackson JSON processor. https://www.google.co.uk/search?q=jackson+json

Jackson is very widely used. For example, Elasticsearch uses it to parse the JSON in the REST API.

I will try to talk to my team about it. Thanks for pointing that out.