tshark JSON and Elasticsearch output
Added output -T for json|ek. Added -j switch to filter EK json|ek fields. Added -x switch to work with json|ek to insert raw fields.
@@ -22,6 +22,7 @@ S<[ B<-g> ]>
S<[ B<-h> ]>
S<[ B<-H> E<lt>input hosts fileE<gt> ]>
S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
+S<[ B<-j> E<lt>json match filterE<gt> ]>
S<[ B<-I> ]>
S<[ B<-K> E<lt>keytabE<gt> ]>
S<[ B<-l> ]>
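Review bot: the added `S<[ B<-j> E<lt>json match filterE<gt> ]>` line breaks the synopsis ordering, which lists the lower-case letter before the upper-case one for each pair (`-h`, `-H`, `-i`, `-I`); `-j` belongs after the `S<[ B<-I> ]>` line, not between `-i` and `-I`.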
@@ -39,7 +40,7 @@ S<[ B<-R> E<lt>Read filterE<gt> ]>
S<[ B<-s> E<lt>capture snaplenE<gt> ]>
S<[ B<-S> E<lt>separatorE<gt> ]>
S<[ B<-t> a|ad|adoy|d|dd|e|r|u|ud|udoy ]>
-S<[ B<-T> fields|pdml|ps|psml|text ]>
+S<[ B<-T> ek|fields|json|pdml|ps|psml|text ]>
S<[ B<-u> E<lt>seconds typeE<gt>]>
S<[ B<-U> E<lt>tap_nameE<gt>]>
S<[ B<-v> ]>
@@ -534,6 +535,14 @@ If used after an B<-i> option, it enables the monitor mode for
the interface specified by the last B<-i> option occurring before
this option.
+=item -j E<lt>json match filterE<gt>
+JSON match filter used for json|ek output file types.
+JSON parent node containing multiple child nodes is only included,
+if the name is found in the filter.
+Example: B<-j "http tcp ip">
=item -K E<lt>keytabE<gt>
Load kerberos crypto keys from the specified keytab file.
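Review bot: the wording of the new `=item -j` description is hard to follow ("JSON parent node containing multiple child nodes is only included, if the name is found in the filter"); suggest stating the syntax explicitly, i.e. that the argument is a whitespace-separated list of protocol names as in the `B<-j "http tcp ip">` example, that a node is emitted only when its name appears in that list, and what is emitted when `-j` is not given at all. Also "json|ek output file types" refers to `-T` output formats, so "output formats" would match the terminology used elsewhere on the page.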
@@ -724,11 +733,19 @@ was captured
The default format is relative.
-=item -T fields|pdml|ps|psml|text
+=item -T ek|fields|json|pdml|ps|psml|text
Set the format of the output when viewing decoded packet data. The
options are one of:
+B<ek> Newline delimited JSON format for bulk import into Elasticsearch.
+It can be used with B<-j> including the JSON filter or with B<-x> flag
+to include raw packet data.
+Example of usage to import data into Elasticsearch:
+ tshark -T ek -j "http tcp ip" -x -r file.pcap > file.json
+ curl -XPUT http://elasticsearch:9200/_bulk --data-binary @file.json
B<fields> The values of fields specified with the B<-e> option, in a
form specified by the B<-E> option. For example,
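Review bot: the `curl -XPUT http://elasticsearch:9200/_bulk --data-binary @file.json` example in the `B<ek>` paragraph should mention that the bulk endpoint expects newline-delimited JSON terminated by a final newline and, on current Elasticsearch releases, a `Content-Type: application/x-ndjson` header, without which the request is rejected; `-XPOST` is the usual verb for `_bulk`. Since this example also passes `-x`, the text should say plainly that `-x` places the complete raw packet bytes, payload included, into every document, so readers know what will end up in the index. "It can be used with B<-j> including the JSON filter" would read better as "It can be combined with B<-j> to filter the output".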
@@ -737,6 +754,13 @@ form specified by the B<-E> option. For example,
would generate comma-separated values (CSV) output suitable for importing
into your favorite spreadsheet program.
+B<json> JSON file format. It can be used with B<-j> including
+the JSON filter or with B<-x> flag to influde raw packet data.
+Example of usage:
+ tshark -T json -r file.pcap
+ tshark -T json -j "http tcp ip" -x -r file.pcap
B<pdml> Packet Details Markup Language, an XML-based format for the details of
a decoded packet. This information is equivalent to the packet details
printed with the B<-V> flag.
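Review bot: typo "influde" in the `B<json>` paragraph should read "include". The sentence "It can be used with B<-j> including the JSON filter or with B<-x> flag to influde raw packet data" duplicates the `B<ek>` paragraph and is unclear in both places; "It can be combined with B<-j> to filter the output and with B<-x> to include raw packet data" would be clearer, and "JSON file format" could describe what the output contains rather than restating the format name.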