[Oisf-users] eve2pcap.py issue
erik clark
philosnef at gmail.com
Tue Feb 21 14:47:43 UTC 2017
It's the stats entry in the eve.json. If I ignore the stats entry (grep -v),
it processes the file, but I get a 24 byte pcap file with no content.
To confirm this, I did a grep -i packet eve.json |grep -v stats and
processed that. Worked flawlessly.
On Tue, Feb 21, 2017 at 9:37 AM, Jason Ish <lists at unx.ca> wrote:
> Hi Erik,
>
> This is a very ugly error message saying your input JSON could not be
> decoded. Any chance you can share (privately if needed) a portion of your
> eve.json that causes this to happen?
>
> Thanks,
> Jason
>
> On Tue, Feb 21, 2017 at 8:20 AM, erik clark <philosnef at gmail.com> wrote:
>
>> Ok, so on Victor's suggestion, I decided to go with eve2pcap.py (see here:
>> https://blog.jasonish.org/2015/10/01/eve2pcap-eve-packet-and-payload-conversion-to-pcap/)
>>
>> I am getting this error though:
>>
>> python eve2pcap.py -o /tmp/output.pcap /tmp/eve.json
>> Traceback (most recent call last):
>> File "eve2pcap.py", line 244, in <module>
>> sys.exit(main())
>> File "eve2pcap.py", line 230, in main
>> event = json.loads(line)
>> File "/usr/lib64/python2.7/json/__init__.py", line 338, in loads
>> return _default_decoder.decode(s)
>> File "/usr/lib64/python2.7/json/decoder.py", line 365, in decode
>> obj, end = self.raw_decode(s, idx=_w(s, 0).end())
>> File "/usr/lib64/python2.7/json/decoder.py", line 381, in raw_decode
>> obj, end = self.scan_once(s, idx)
>> ValueError: Expecting : delimiter: line 1 column 326 (char 325)
>>
>>
>> Any ideas? I am just running a regular eve.json file with nothing special
>> configured except a 1kb payload. Thank you!
>>
>
>
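
An added example, not part of the thread and not code from eve2pcap.py: a Python 3 pre-filter that does the job of the grep workaround above on parsed fields, reporting undecodable lines by number instead of aborting on the first one. The sample records are constructed, and `packet` is assumed to be the base64-encoded packet field of an EVE record.

```python
import base64
import binascii
import json

# Constructed sample input, not taken from the eve.json discussed in the thread.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"192.0.2.10","packet":"AAECAwQF"}',
    '{"event_type":"stats","stats":{"capture":{"kernel_packets":1200}}}',
    '{"event_type":"alert","src_ip":"192.0.2.11" "packet":"AAEC"}',  # broken JSON
    '{"event_type":"alert","src_ip":"192.0.2.12","packet":"%%%not-base64"}',
    '{"event_type":"dns","src_ip":"192.0.2.13"}',
    '',
]


def filter_packet_events(lines):
    """Return (kept, skipped) for an iterable of EVE JSON lines.

    kept    -- (line number, event_type, decoded packet bytes) for records
               that carry a usable "packet" field
    skipped -- (line number, reason) for lines that are malformed; records
               that simply have no packet (stats, dns, ...) are not errors
    """
    kept, skipped = [], []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError as exc:  # JSONDecodeError subclasses ValueError
            skipped.append((lineno, "invalid JSON: %s" % exc))
            continue
        # Test the parsed key, not a substring: a stats record contains the
        # text "kernel_packets" and would match a plain grep for "packet".
        if not isinstance(event, dict) or "packet" not in event:
            continue
        try:
            raw = base64.b64decode(event["packet"], validate=True)
        except (binascii.Error, ValueError, TypeError) as exc:
            skipped.append((lineno, "bad packet field: %s" % exc))
            continue
        kept.append((lineno, event.get("event_type"), raw))
    return kept, skipped


if __name__ == "__main__":
    kept, skipped = filter_packet_events(SAMPLE_EVE)
    print("%d packet record(s) kept" % len(kept))
    for lineno, reason in skipped:
        print("line %d skipped: %s" % (lineno, reason))
```

The skipped list gives the line numbers to pull out of a large eve.json when a record needs to be shared for debugging.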