path: root/doc/tshark.pod
author    Martin Kacer <kacer.martin@gmail.com>  2017-02-13 09:36:02 +0100
committer Peter Wu <peter@lekensteyn.nl>  2017-02-25 19:11:01 +0000
commit    cd7d159c2ee180be6654a7acbf7c83f902216462 (patch)
tree      87d5364749f160aacf42b44397ba19e60152c141 /doc/tshark.pod
parent    d00dae7af9c590a8100e54dba0685271bd8b1165 (diff)
json2pcap support added
Modified tshark -T json -x output
Added tshark -T jsonraw output
json2pcap.py (can be used for basic packet editing by modifying json)

The modification in tshark -T json -x and new tshark -T jsonraw output add into hex-data output in JSON also information on which position each field is dissected in the original frame, what is the field length, bitmask (for not byte aligned fields) and type. This information can be used for later processing. One use-case is json2pcap script which assembles the protocol layers back together from upper to lower layers, which allows the basic packet modification/editing/rewriting.

Change-Id: Ibf948eb8fc7e3b0b51c12df6c3855f705a9c7925
Reviewed-on: https://code.wireshark.org/review/19990
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
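The commit message describes the idea behind json2pcap: every hex-encoded field in the JSON output carries its byte position in the frame, its length and, for sub-byte fields, a bitmask, so the frame can be rebuilt after editing individual fields. The following is an added illustration of that reassembly, written here for this page; it is not the project's json2pcap.py. It assumes each raw entry has the layout `[hex, position, length, bitmask, type]` (the order is an assumption), uses a constructed, flattened set of raw entries for a 34-byte Ethernet/IPv4 frame, writes wider spans before narrower ones so that an edited field overrides the stale bytes inside its enclosing layer, honours the bitmask so only the covered bits change, and recomputes the IPv4 header checksum afterwards because editing TTL or flags invalidates it.

```python
import struct

# Constructed sample frame: Ethernet header (14 bytes) + IPv4 header (20 bytes).
# The IPv4 checksum 0x26e6 is valid for the header as written.
FRAME_HEX = (
    "001122334455" "66778899aabb" "0800"              # eth dst, src, type
    "4500" "0014" "0001" "4000" "4001" "26e6"         # ip: ver/ihl, tos, len, id, flags/frag, ttl/proto, csum
    "0a000001" "0a000002"                             # ip src, dst
)
FRAME_LEN = len(FRAME_HEX) // 2

# Assumed raw-entry layout (hypothetical, modelled on the commit message):
# [hex string, byte position in frame, length in bytes, bitmask, type code]
SAMPLE_JSONRAW = {
    "frame_raw":       [FRAME_HEX, 0, FRAME_LEN, 0, 0],
    "eth_raw":         [FRAME_HEX[:28], 0, 14, 0, 0],
    "ip_raw":          [FRAME_HEX[28:], 14, 20, 0, 0],
    "ip.flags_raw":    ["4000", 20, 2, 0xE000, 0],   # top 3 bits of the 16-bit flags/frag word
    "ip.ttl_raw":      ["40", 22, 1, 0, 0],
    "ip.checksum_raw": ["26e6", 24, 2, 0, 0],
}


def rebuild_frame(raw_fields, frame_len):
    """Overlay every raw entry onto a zeroed buffer, widest spans first.

    Writing the enclosing layers first and the narrow fields last means an
    edited field wins over the stale copy of its bytes held in e.g. ip_raw.
    """
    buf = bytearray(frame_len)
    for hexval, pos, length, bitmask, _ftype in sorted(raw_fields.values(), key=lambda e: -e[2]):
        value = bytes.fromhex(hexval)
        if len(value) != length:
            raise ValueError("hex length does not match declared field length at %d" % pos)
        if pos + length > frame_len:
            raise ValueError("field at %d runs past end of frame" % pos)
        if bitmask == 0:
            buf[pos:pos + length] = value
        else:
            # Sub-byte field: replace only the bits the mask covers, keep the rest.
            mask = bitmask.to_bytes(length, "big")
            for i in range(length):
                buf[pos + i] = (buf[pos + i] & (~mask[i] & 0xFF)) | (value[i] & mask[i])
    return bytes(buf)


def apply_field_edits(raw_fields, edits):
    """Return a copy of the raw entries with the hex of the named fields replaced."""
    updated = {k: list(v) for k, v in raw_fields.items()}
    for key, new_hex in edits.items():
        entry = updated[key]
        if len(new_hex) != len(entry[0]):
            raise ValueError("edit to %s must keep the field width" % key)
        entry[0] = new_hex
    return updated


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_frame(raw_fields, edits, ip_pos=14):
    """Apply field edits, rebuild the frame and refresh the IPv4 header checksum."""
    fields = apply_field_edits(raw_fields, edits)
    frame = bytearray(rebuild_frame(fields, fields["frame_raw"][2]))
    ihl = (frame[ip_pos] & 0x0F) * 4
    frame[ip_pos + 10:ip_pos + 12] = b"\x00\x00"
    csum = ipv4_checksum(bytes(frame[ip_pos:ip_pos + ihl]))
    frame[ip_pos + 10:ip_pos + 12] = csum.to_bytes(2, "big")
    return bytes(frame)


if __name__ == "__main__":
    # Raise TTL to 0x80 and set the MF flag; the mask keeps the fragment offset bits untouched.
    out = rewrite_frame(SAMPLE_JSONRAW, {"ip.ttl_raw": "80", "ip.flags_raw": "3fff"})
    print(out.hex())
```

Note that the unedited entries round-trip to the original frame exactly, which is a useful sanity check before any edit: if overlapping entries disagree, the input was not produced from a single frame. The checksum step is deliberately limited to the IPv4 header; transport checksums would need the same treatment for a real rewrite.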
Diffstat (limited to 'doc/tshark.pod')
-rw-r--r--  doc/tshark.pod  28
1 files changed, 21 insertions, 7 deletions
diff --git a/doc/tshark.pod b/doc/tshark.pod
index 4138d9b1f5..8f1b77d158 100644
--- a/doc/tshark.pod
+++ b/doc/tshark.pod
@@ -545,11 +545,18 @@ this option.
=item -j E<lt>protocol match filterE<gt>
-Protocol match filter used for ek|json|pdml output file types.
+Protocol match filter used for ek|json|jsonraw|pdml output file types.
Parent node containing multiple child nodes is only included,
if the name is found in the filter.
-Example: B<-j "http tcp ip">
+Example: B<-j "ip ip.flags text">
+
+=item -J E<lt>protocol match filterE<gt>
+
+Protocol top level filter used for ek|json|jsonraw|pdml output file types.
+Parent node containing multiple child nodes is included with all children.
+
+Example: B<-J "http tcp">
=item -K E<lt>keytabE<gt>
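Review bot: The B<-j> example is changed from B<-j "http tcp ip"> to B<-j "ip ip.flags text"> without the text saying why, and the only cue to the difference between the two flags is "only included, if the name is found in the filter" versus "included with all children". Suggest spelling it out, e.g. after the -j paragraph: "Child nodes must be listed explicitly (e.g. B<ip.flags>); use B<-J> to include a protocol together with all of its children." The B<ek> and B<json> examples further down still use B<-j "http tcp ip">, so they should either be updated to match or switched to B<-J>. Minor: the comma in "is only included, if the name is found" should be dropped.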
@@ -741,14 +748,14 @@ was captured
The default format is relative.
-=item -T ek|fields|json|pdml|ps|psml|text
+=item -T ek|fields|json|jsonraw|pdml|ps|psml|text
Set the format of the output when viewing decoded packet data. The
options are one of:
B<ek> Newline delimited JSON format for bulk import into Elasticsearch.
-It can be used with B<-j> including the JSON filter or with B<-x> flag
-to include raw packet data.
+It can be used with B<-j> or B<-J> including the JSON filter or with
+B<-x> flag to include raw hex-encoded packet data.
Example of usage to import data into Elasticsearch:
tshark -T ek -j "http tcp ip" -x -r file.pcap > file.json
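Review bot: The commit message says the B<-x> hex output for JSON now carries each field's position, length, bitmask and type, but nothing in this hunk (or elsewhere in the file) documents that, so "raw hex-encoded packet data" still reads as a plain hex dump. Suggest a sentence here or in the B<-x> entry along the lines of: "With B<json> and B<jsonraw>, each hex-encoded field is accompanied by its byte offset in the frame, its length, a bitmask for fields that are not byte aligned, and its type." Style: "with B<-x> flag" should be "with the B<-x> flag".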
@@ -762,13 +769,20 @@ form specified by the B<-E> option. For example,
would generate comma-separated values (CSV) output suitable for importing
into your favorite spreadsheet program.
-B<json> JSON file format. It can be used with B<-j> including
-the JSON filter or with B<-x> flag to influde raw packet data.
+B<json> JSON file format. It can be used with B<-j> or B<-J> including
+the JSON filter or with B<-x> flag to include raw hex-encoded packet data.
Example of usage:
tshark -T json -r file.pcap
tshark -T json -j "http tcp ip" -x -r file.pcap
+B<jsonraw> JSON file format including only raw hex-encoded packet data.
+It can be used with B<-j> including or B<-J >the JSON filter flag.
+Example of usage:
+
+ tshark -T jsonraw -r file.pcap
+ tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
+
B<pdml> Packet Details Markup Language, an XML-based format for the details of
a decoded packet. This information is equivalent to the packet details
printed with the B<-V> flag.
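Review bot: The line "It can be used with B<-j> including or B<-J >the JSON filter flag." is garbled: the space inside B<-J > breaks the POD markup and "including or" is misplaced. Suggest "It can be used with B<-j> or B<-J> including the JSON filter." to match the B<json> paragraph above. Also, B<jsonraw> is described as "including only raw hex-encoded packet data", yet the second example passes B<-x>; either drop B<-x> from the example or state what it changes for this format. The "influde" typo fix in the B<json> paragraph is fine.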