diff options
| author | Christoph Wurm <wurm@elastic.co> | 2017-07-19 14:24:47 +0000 |
|---|---|---|
| committer | Michael Mann <mmann78@netscape.net> | 2017-10-15 00:58:42 +0000 |
| commit | af09db8bd3f0defb319df00fa69cd82044ac1007 (patch) | |
| tree | 2e7cd0dcea7891755cf88e202fa30327fbdfed5c /epan/print.c | |
| parent | ddf65262562052ae132b2a4c9cf89b69ed9f1d5f (diff) | |
Tshark: Optional packet summary for Elasticsearch
Currently, the Elasticsearch output exports the packet details and,
if -x is specified, the raw hex data.
This change adds the option of exporting the packet summary as well.
The default stays the same (packet details only), but now the existing
-P switch turns on printing of the packet summary. It also turns off
printing packet details, which can be turned back on with -V to print
both, and combined with -x to print all three: summary, details and
raw hex.
The packet summary is especially useful when exploring and visualizing
the data in Kibana, e.g. by displaying the summary "Info" field/column
in a table, as in the Wireshark GUI.
Change-Id: I2030490cfdd905572397bc3d5457ba49d805a5c4
Reviewed-on: https://code.wireshark.org/review/22716
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/print.c')
| -rw-r--r-- | epan/print.c | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/epan/print.c b/epan/print.c index 03dbdf226e..8fa2ce8e76 100644 --- a/epan/print.c +++ b/epan/print.c @@ -128,6 +128,7 @@ static void write_json_proto_node_no_value(proto_node *node, write_json_data *da static const char *proto_node_to_json_key(proto_node *node); static void print_pdml_geninfo(epan_dissect_t *edt, FILE *fh); +static void write_ek_summary(column_info *cinfo, FILE *fh); static void proto_tree_get_node_field_values(proto_node *node, gpointer data); @@ -352,7 +353,8 @@ write_pdml_proto_tree(output_fields_t* fields, gchar **protocolfilter, pf_flags void write_ek_proto_tree(output_fields_t* fields, - gboolean print_hex, gchar **protocolfilter, + gboolean print_summary, gboolean print_hex, + gchar **protocolfilter, pf_flags protocolfilter_flags, epan_dissect_t *edt, FILE *fh) { @@ -373,7 +375,12 @@ write_ek_proto_tree(output_fields_t* fields, fprintf(fh, "{\"index\" : {\"_index\": \"packets-%s\", \"_type\": \"pcap_file\", \"_score\": null}}\n", ts); /* Timestamp added for time indexing in Elasticsearch */ - fprintf(fh, "{\"timestamp\" : \"%" G_GUINT64_FORMAT "%03d\", \"layers\" : {", (guint64)edt->pi.abs_ts.secs, edt->pi.abs_ts.nsecs/1000000); + fprintf(fh, "{\"timestamp\" : \"%" G_GUINT64_FORMAT "%03d\"", (guint64)edt->pi.abs_ts.secs, edt->pi.abs_ts.nsecs/1000000); + + if (print_summary) + write_ek_summary(edt->pi.cinfo, fh); + + fprintf(fh, ", \"layers\" : {"); if (fields == NULL || fields->fields == NULL) { /* Write out all fields */ @@ -1157,6 +1164,21 @@ ek_check_protocolfilter(gchar **protocolfilter, const char *str) * Finds a node's descendants to be printed as EK/JSON attributes. */ static void +write_ek_summary(column_info *cinfo, FILE *fh) +{ + gint i; + + for (i = 0; i < cinfo->num_cols; i++) { + fputs(", \"", fh); + print_escaped_ek(fh, g_ascii_strdown(cinfo->columns[i].col_title, -1)); + fputs("\": \"", fh); + print_escaped_json(fh, cinfo->columns[i].col_data); + fputs("\"", fh); + } +} + +/* Write out a tree's data, and any child nodes, as JSON for EK */ +static void ek_fill_attr(proto_node *node, GSList **attr_list, GHashTable *attr_table, write_json_data *pdata) { field_info *fi = NULL; |