Command-line application to convert network packets into JSON.
$ apt-get install -y libpcap-dev
...
$ go install github.com/picatz/pj@latest
...
$ pj -help
-interface string
network interface to listen on (default "<FIRST_NON_LOOPBACK>")
-file string
pcap file to read packets from
-filter string
apply bpf filter to capture or pcap file
-list-devs
list network interfaces
-promiscuous
capture in promiscuous mode
Start capturing packets on the default interface.
$ pj
Start capturing packets on the en0
interface.
$ pj -interface en0
...
{"eth":{"dst":"ff:ff:ff:ff:ff:ff","src":"00:0b:82:01:fc:42","type":2048},"ipv4":{"checksum":6026,"dst_ip":"255.255.255.255","flags":"","frag_offset":0,"id":43063,"ihl":5,"length":300,"options":[],"padding":null,"protocol":17,"src_ip":"0.0.0.0","tos":0,"ttl":250,"version":4},"metadata":{"device_addresses":"","device_description":"","device_name":"en0","length":314,"packet_number":3,"time":"1969-12-31T19:00:00-05:00","truncated":false},"udp":{"checksum":40893,"dst_port":67,"src_port":68}}
...
Read packets from test.pcapng
file.
$ pj -file test.pcapng
{"eth":{"dst":"ff:ff:ff:ff:ff:ff","src":"00:0b:82:01:fc:42","type":2048},"ipv4":{"checksum":6027,"dst_ip":"255.255.255.255","flags":"","frag_offset":0,"id":43062,"ihl":5,"length":300,"options":[],"padding":null,"protocol":17,"src_ip":"0.0.0.0","tos":0,"ttl":250,"version":4},"metadata":{"device_addresses":"","device_description":"","device_name":"","length":314,"packet_number":1,"time":"1969-12-31T19:00:00-05:00","truncated":false},"udp":{"checksum":22815,"dst_port":67,"src_port":68}}
...
Capture packets on the default interface, filtered using jq
to select packets that have a TCP layer.
$ pj | jq 'select(.tcp)'
...
Capture packets on the default interface, filtered using jq
to select packets that do NOT have a TCP layer (like DNS using UDP).
$ pj | jq 'select(.tcp == null)'
...
Capture packets on the default interface, filtered using jq
to select TCP packets with a destination port of 443 (HTTPS).
$ pj | jq 'select(.tcp.dst_port == 443)'
Capture packets on the default interface, filtered using jq
to select TCP packets with a destination port or source port of 22 (SSH).
$ pj | jq 'select(.tcp.dst_port == 22 or .tcp.src_port == 22)'
Capture packets on the default interface, filtered using jq
to select TCP RST packets.
$ pj | jq 'select(.tcp.rst)'
Capture packets on the default interface, filtered using jq
to select TCP FIN packets.
$ pj | jq 'select(.tcp.fin)'
Capture packets on the default interface, filtered using jq
to select TCP packet that contain an HTTP response.
$ pj | jq 'select(.tcp.payload | startswith("HTTP/1.1"))'