authorChristoph Wurm <wurm@elastic.co>2017-10-29 17:51:42 +0000
committerAnders Broman <a.broman58@gmail.com>2017-10-31 04:57:51 +0000
commitec43b0faa6d8106205073c7c8596ed7ae4c64abc (patch)
tree3582c25f95b0733d30d038c6ab445f46594f8e16
parente14f1ad37ded19188e864b82ed236b1eb11eebf3 (diff)
Deduplicate Elasticsearch output
Collects multiple values of the same field into an array. Empty protocols are now written as empty objects to not conflict with the same protocols in other packets. Remove _score since it has no effect. Bug: 12958 Change-Id: Ibe8ea9bc1e3e63dea1fe4eaf522fa38cad88a17f Reviewed-on: https://code.wireshark.org/review/24171 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r--epan/print.c80
1 files changed, 56 insertions, 24 deletions
diff --git a/epan/print.c b/epan/print.c
index 941184b6ef..5ba17d6b47 100644
--- a/epan/print.c
+++ b/epan/print.c
@@ -373,7 +373,7 @@ write_ek_proto_tree(output_fields_t* fields,
else
g_strlcpy(ts, "XXXX-XX-XX", sizeof ts); /* XXX - better way of saying "Not representable"? */
- fprintf(fh, "{\"index\" : {\"_index\": \"packets-%s\", \"_type\": \"pcap_file\", \"_score\": null}}\n", ts);
+ fprintf(fh, "{\"index\" : {\"_index\": \"packets-%s\", \"_type\": \"pcap_file\"}}\n", ts);
/* Timestamp added for time indexing in Elasticsearch */
fprintf(fh, "{\"timestamp\" : \"%" G_GUINT64_FORMAT "%03d\"", (guint64)edt->pi.abs_ts.secs, edt->pi.abs_ts.nsecs/1000000);
@@ -1336,33 +1336,67 @@ ek_write_field_value(field_info *fi, write_json_data *pdata)
}
static void
-ek_write_attr(GSList *attr_instances, write_json_data *pdata)
+ek_write_attr_hex(GSList *attr_instances, write_json_data *pdata)
{
- proto_node *pnode = NULL;
- field_info *fi = NULL;
GSList *current_node = attr_instances;
+ proto_node *pnode = (proto_node *) current_node->data;
+ field_info *fi = NULL;
+
+ // Raw name
+ fputs("\"", pdata->fh);
+ ek_write_name(pnode, pdata);
+ fputs("_raw\": ", pdata->fh);
+
+ if (g_slist_length(attr_instances) > 1) {
+ fputs("[", pdata->fh);
+ }
+ // Raw value(s)
while (current_node != NULL) {
pnode = (proto_node *) current_node->data;
fi = PNODE_FINFO(pnode);
- // Hex dump -x
- if (pdata->print_hex && fi->length > 0 && fi->hfinfo->id != hf_text_only) {
- // Raw name
- fputs("\"", pdata->fh);
- ek_write_name(pnode, pdata);
- fputs("_raw\": \"", pdata->fh);
-
- // Raw value
- ek_write_hex(fi, pdata);
+ fputs("\"", pdata->fh);
+ ek_write_hex(fi, pdata);
+ fputs("\"", pdata->fh);
- fputs("\",", pdata->fh);
+ current_node = current_node->next;
+ if (current_node != NULL) {
+ fputs(",", pdata->fh);
}
+ }
- // Print attr name
- fputs("\"", pdata->fh);
- ek_write_name(pnode, pdata);
- fputs("\": ", pdata->fh);
+ if (g_slist_length(attr_instances) > 1) {
+ fputs("]", pdata->fh);
+ }
+}
+
+static void
+ek_write_attr(GSList *attr_instances, write_json_data *pdata)
+{
+ GSList *current_node = attr_instances;
+ proto_node *pnode = (proto_node *) current_node->data;
+ field_info *fi = NULL;
+
+ // Hex dump -x
+ if (pdata->print_hex && fi->length > 0 && fi->hfinfo->id != hf_text_only) {
+ ek_write_attr_hex(attr_instances, pdata);
+
+ fputs("\",", pdata->fh);
+ }
+
+ // Print attr name
+ fputs("\"", pdata->fh);
+ ek_write_name(pnode, pdata);
+ fputs("\": ", pdata->fh);
+
+ if (g_slist_length(attr_instances) > 1) {
+ fputs("[", pdata->fh);
+ }
+
+ while (current_node != NULL) {
+ pnode = (proto_node *) current_node->data;
+ fi = PNODE_FINFO(pnode);
/* Field */
if (fi->hfinfo->type != FT_PROTOCOL) {
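Review bot: In the new `ek_write_attr`, `fi` is initialised to NULL and then dereferenced in the `-x` check (`fi->length`, `fi->hfinfo->id`), so any run with `print_hex` set reads through a null pointer before the loop assigns it; initialise it from the first node instead, `field_info *fi = PNODE_FINFO(pnode);`. The `fputs("\",", pdata->fh);` after the `ek_write_attr_hex` call is left over from the old layout: the helper now closes each value's quote and the optional `]` itself, so this writes a stray `"` and the record is no longer valid JSON; it should be `fputs(",", pdata->fh);`. Both functions also read `current_node->data` in their declarations, which assumes `attr_instances` is never empty; that presumably holds for the callers, but they are not visible here. The loop body of `ek_write_attr` continues outside this hunk.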
@@ -1381,12 +1415,6 @@ ek_write_attr(GSList *attr_instances, write_json_data *pdata)
fputs("\"", pdata->fh);
}
- /* Protocol without children, e.g. SSL */
- else if (pnode->first_child == NULL) {
- fputs("\"", pdata->fh);
- ek_write_field_value(fi, pdata);
- fputs("\"", pdata->fh);
- }
/* Object */
else {
fputs("{", pdata->fh);
@@ -1425,6 +1453,10 @@ ek_write_attr(GSList *attr_instances, write_json_data *pdata)
fputs(",", pdata->fh);
}
}
+
+ if (g_slist_length(attr_instances) > 1) {
+ fputs("]", pdata->fh);
+ }
}
/* Write out a tree's data, and any child nodes, as JSON for EK */