diff options
| author | Christoph Wurm <wurm@elastic.co> | 2017-07-19 14:24:47 +0000 |
|---|---|---|
| committer | Michael Mann <mmann78@netscape.net> | 2017-10-15 00:58:42 +0000 |
| commit | af09db8bd3f0defb319df00fa69cd82044ac1007 (patch) | |
| tree | 2e7cd0dcea7891755cf88e202fa30327fbdfed5c /doc/tshark.pod | |
| parent | ddf65262562052ae132b2a4c9cf89b69ed9f1d5f (diff) | |
Tshark: Optional packet summary for Elasticsearch
Currently, the Elasticsearch output exports the packet details and,
if -x is specified, the raw hex data.
This change adds the option of exporting the packet summary as well.
The default stays the same (packet details only), but now the existing
-P switch turns on printing of the packet summary. It also turns off
printing packet details, which can be turned back on with -V to print
both, and combined with -x to print all three: summary, details and
raw hex.
The packet summary is especially useful when exploring and visualizing
the data in Kibana, e.g. by displaying the summary "Info" field/column
in a table, as in the Wireshark GUI.
Change-Id: I2030490cfdd905572397bc3d5457ba49d805a5c4
Reviewed-on: https://code.wireshark.org/review/22716
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'doc/tshark.pod')
| -rw-r--r-- | doc/tshark.pod | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/doc/tshark.pod b/doc/tshark.pod index 904b15b0a4..1288fac658 100644 --- a/doc/tshark.pod +++ b/doc/tshark.pod @@ -771,11 +771,14 @@ options are one of: B<ek> Newline delimited JSON format for bulk import into Elasticsearch. It can be used with B<-j> or B<-J> including the JSON filter or with -B<-x> flag to include raw hex-encoded packet data. +B<-x> to include raw hex-encoded packet data. +If B<-P> is specified it will print the packet summary only, with both +B<-P> and B<-V> it will print the packet summary and packet details. +If neither B<-P> or B<-V> are used it will print the packet details only. Example of usage to import data into Elasticsearch: - tshark -T ek -j "http tcp ip" -x -r file.pcap > file.json - curl -XPUT http://elasticsearch:9200/_bulk --data-binary @file.json + tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json + curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json" B<fields> The values of fields specified with the B<-e> option, in a form specified by the B<-E> option. For example, |