diff options
| author | Dario Lombardo <lomato@gmail.com> | 2018-04-19 13:58:43 +0200 |
|---|---|---|
| committer | Dario Lombardo <lomato@gmail.com> | 2018-04-19 15:54:47 +0000 |
| commit | fc6b8ab698dc7af158620b52848fac9fae564199 (patch) | |
| tree | 68daa0080b4143ef72e9db29e2b023a9db3c5829 /doc | |
| parent | ca45f88e3b6f79fa95a62d748fe155e3ea6db271 (diff) | |
tshark: improve -G elastic-mapping command by adding filters.
The generated elastic mapping file is huge and it can hassle softwares
like Kibana. This change adds the ability to append desired filters
that will appear in the mapping file.
This change adds the option --elastic-mapping-filter <protocols> to tshark.
Example: tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
make only those 3 protocols to appear in the mapping file.
Change-Id: Ie2dcd6e44be2d084e8e50cd6554bd90178da4e38
Reviewed-on: https://code.wireshark.org/review/27001
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/tshark.pod | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/doc/tshark.pod b/doc/tshark.pod index 9ccfdbca7b..e44fa7dfa6 100644 --- a/doc/tshark.pod +++ b/doc/tshark.pod @@ -66,7 +66,7 @@ S<[ B<--disable-heuristic> E<lt>short_nameE<gt> ]> S<[ E<lt>capture filterE<gt> ]> B<tshark> -B<-G> [ E<lt>report typeE<gt> ] +B<-G> [ E<lt>report typeE<gt> ] [ --elastic-mapping-filter E<lt>protocolsE<gt> ] =head1 DESCRIPTION @@ -839,7 +839,12 @@ Example of usage to import data into Elasticsearch: Elastic requires a mapping file to be loaded as template for packets-* index in order to convert wireshark types to elastic types. This file -can be auto-generated with the command "tshark -G elastic-mapping". +can be auto-generated with the command "tshark -G elastic-mapping". Since +the mapping file can be huge, protocols can be selected by using the option +--elastic-mapping-filter: + + tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns + B<fields> The values of fields specified with the B<-e> option, in a form specified by the B<-E> option. For example, @@ -1743,6 +1748,14 @@ If a key appears multiple times in an object, only write it a single time with as value a json array containing all the separate values. (Only works with -T json) +=item --elastic-mapping-filter E<lt>protocolE<gt>,E<lt>protocolE<gt>,... + +When generating the ElasticSearch mapping file, only put the specified protocols +in it, to avoid a huge mapping file that can choke some software (such as Kibana). +The option takes a list of wanted protocol abbreviations, separated by comma. + +Example: ip,udp,dns puts only those three protocols in the mapping file. + =item --export-objects E<lt>protocolE<gt>,E<lt>destdirE<gt> Export all objects within a protocol into directory B<destdir>. The available |