
I am using tshark to capture network traffic on an Ubuntu system.

I would like to know if there is a way to modify network traffic using iptables or some other method to add additional fields or metadata based on the SSH user generating the data (for example, a SOCKS proxy).

I am later parsing that network traffic into JSON using tshark, so I would like to see the field there.

1 Answer


Use the LOG target of iptables and --uuid at SYN time (it seems you're talking about SSH). You would then have enough information in the log to tag the rest of the packets you captured without that additional information (same pair of addresses and ports).

You could also mangle the packets in iptables if you are going to be doing the capturing somewhere else. Say, change the TOS or TTL slightly based on '-m owner'. It might work for a small set of known users.
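An added example (not code from the answer above) of the tagging step it describes: parse the iptables LOG lines that carry `UID=` (the LOG target writes `UID=`/`GID=` when the rule is created with `--log-uid`, e.g. `iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "SSH-OUT " --log-uid`), key each one by the connection's address/port 4-tuple at SYN time, and then stamp every packet of that connection, in both directions, with the owning UID. The log lines and the flattened packet records (field names as tshark `-T json` emits them) are constructed samples, and `ssh_uid` is a tag name chosen here.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample lines in iptables LOG format; UID=/GID= come from --log-uid.
SAMPLE_LOG = [
    "Mar  1 10:00:01 host kernel: SSH-OUT IN= OUT=eth0 SRC=10.0.0.5 "
    "DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP "
    "SPT=45678 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1001 GID=1001",
    "Mar  1 10:00:02 host kernel: SSH-OUT IN= OUT=eth0 SRC=10.0.0.5 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP "
    "SPT=45679 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1002 GID=1002",
]
# Constructed packet records using the field names tshark emits with -T json.
SAMPLE_PACKETS = [
    {"frame.number": "1", "ip.src": "10.0.0.5", "ip.dst": "203.0.113.10",
     "tcp.srcport": "45678", "tcp.dstport": "443"},
    {"frame.number": "2", "ip.src": "203.0.113.10", "ip.dst": "10.0.0.5",
     "tcp.srcport": "443", "tcp.dstport": "45678"},  # reply direction
    {"frame.number": "3", "ip.src": "10.0.0.5", "ip.dst": "192.0.2.9",
     "tcp.srcport": "50000", "tcp.dstport": "22"},   # no SYN was logged
]

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")  # the KEY=value pairs of a LOG line
Flow = Tuple[str, int, str, int]            # (src, sport, dst, dport)

def parse_syn_log(line: str) -> Optional[Tuple[Flow, int]]:
    """Return ((src, sport, dst, dport), uid) for a logged TCP SYN, else None."""
    f = dict(FIELD_RE.findall(line))
    if f.get("PROTO") != "TCP" or "SYN" not in line.split() or "UID" not in f:
        return None
    return (f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"])), int(f["UID"])

def build_flow_table(lines) -> Dict[Flow, int]:
    """Map every logged connection (4-tuple at SYN time) to the owning UID."""
    table: Dict[Flow, int] = {}
    for line in lines:
        parsed = parse_syn_log(line)
        if parsed is not None:
            table[parsed[0]] = parsed[1]
    return table

def tag_packet(pkt: dict, table: Dict[Flow, int]) -> dict:
    """Copy a packet record and add 'ssh_uid' (None if its SYN was never logged).
    Only the outbound SYN was logged, so the reverse direction is checked too."""
    src, dst = pkt["ip.src"], pkt["ip.dst"]
    sport, dport = int(pkt["tcp.srcport"]), int(pkt["tcp.dstport"])
    uid = table.get((src, sport, dst, dport))
    if uid is None:
        uid = table.get((dst, dport, src, sport))
    return {**pkt, "ssh_uid": uid}
```

Source ports are reused over time, so on a long capture compare the log and packet timestamps as well before trusting a 4-tuple match.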