From cd7d159c2ee180be6654a7acbf7c83f902216462 Mon Sep 17 00:00:00 2001 From: Martin Kacer Date: Mon, 13 Feb 2017 09:36:02 +0100 Subject: json2pcap support added Modified tshark -T json -x output Added tshark -T jsonraw output json2pcap.py (can be used for basic packet editing by modifying json) The modification in tshark -T json -x and new tshark -T jsonraw output add into hex-data output in JSON also information on which position each field is dissected in the original frame, what is the field length, bitmask (for not byte aligned fields) and type. This information can be used for latter processing. One use-case is json2pcap script which assembles the protocol layers back together from upper to lowers layers, which allows the basic packet modification/editing/rewriting. Change-Id: Ibf948eb8fc7e3b0b51c12df6c3855f705a9c7925 Reviewed-on: https://code.wireshark.org/review/19990 Petri-Dish: Peter Wu Reviewed-by: Dario Lombardo Petri-Dish: Pascal Quantin Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu --- doc/tshark.pod | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) (limited to 'doc/tshark.pod') diff --git a/doc/tshark.pod b/doc/tshark.pod index 4138d9b1f5..8f1b77d158 100644 --- a/doc/tshark.pod +++ b/doc/tshark.pod @@ -545,11 +545,18 @@ this option. =item -j Eprotocol match filterE -Protocol match filter used for ek|json|pdml output file types. +Protocol match filter used for ek|json|jsonraw|pdml output file types. Parent node containing multiple child nodes is only included, if the name is found in the filter. -Example: B<-j "http tcp ip"> +Example: B<-j "ip ip.flags text"> + +=item -J Eprotocol match filterE + +Protocol top level filter used for ek|json|jsonraw|pdml output file types. +Parent node containing multiple child nodes is included with all children. + +Example: B<-J "http tcp"> =item -K EkeytabE @@ -741,14 +748,14 @@ was captured The default format is relative. -=item -T ek|fields|json|pdml|ps|psml|text +=item -T ek|fields|json|jsonraw|pdml|ps|psml|text Set the format of the output when viewing decoded packet data. The options are one of: B Newline delimited JSON format for bulk import into Elasticsearch. -It can be used with B<-j> including the JSON filter or with B<-x> flag -to include raw packet data. +It can be used with B<-j> or B<-J> including the JSON filter or with +B<-x> flag to include raw hex-encoded packet data. Example of usage to import data into Elasticsearch: tshark -T ek -j "http tcp ip" -x -r file.pcap > file.json @@ -762,13 +769,20 @@ form specified by the B<-E> option. For example, would generate comma-separated values (CSV) output suitable for importing into your favorite spreadsheet program. -B JSON file format. It can be used with B<-j> including -the JSON filter or with B<-x> flag to influde raw packet data. +B JSON file format. It can be used with B<-j> or B<-J> including +the JSON filter or with B<-x> flag to include raw hex-encoded packet data. Example of usage: tshark -T json -r file.pcap tshark -T json -j "http tcp ip" -x -r file.pcap +B JSON file format including only raw hex-encoded packet data. +It can be used with B<-j> including or B<-J >the JSON filter flag. +Example of usage: + + tshark -T jsonraw -r file.pcap + tshark -T jsonraw -j "http tcp ip" -x -r file.pcap + B Packet Details Markup Language, an XML-based format for the details of a decoded packet. This information is equivalent to the packet details printed with the B<-V> flag. -- cgit v1.2.3