author | Christoph Wurm <wurm@elastic.co> | 2017-10-29 17:51:42 +0000 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2017-10-31 04:57:51 +0000 |
commit | ec43b0faa6d8106205073c7c8596ed7ae4c64abc (patch) | |
tree | 3582c25f95b0733d30d038c6ab445f46594f8e16 /epan | |
parent | e14f1ad37ded19188e864b82ed236b1eb11eebf3 (diff) |
Deduplicate Elasticsearch output
Collects multiple values of the same field into an array.
Empty protocols are now written as empty objects to not conflict
with the same protocols in other packets.
Remove _score since it has no effect.
Bug: 12958
Change-Id: Ibe8ea9bc1e3e63dea1fe4eaf522fa38cad88a17f
Reviewed-on: https://code.wireshark.org/review/24171
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/print.c | 80 |
1 files changed, 56 insertions, 24 deletions
diff --git a/epan/print.c b/epan/print.c index 941184b6ef..5ba17d6b47 100644 --- a/epan/print.c +++ b/epan/print.c @@ -373,7 +373,7 @@ write_ek_proto_tree(output_fields_t* fields, else g_strlcpy(ts, "XXXX-XX-XX", sizeof ts); /* XXX - better way of saying "Not representable"? */ - fprintf(fh, "{\"index\" : {\"_index\": \"packets-%s\", \"_type\": \"pcap_file\", \"_score\": null}}\n", ts); + fprintf(fh, "{\"index\" : {\"_index\": \"packets-%s\", \"_type\": \"pcap_file\"}}\n", ts); /* Timestamp added for time indexing in Elasticsearch */ fprintf(fh, "{\"timestamp\" : \"%" G_GUINT64_FORMAT "%03d\"", (guint64)edt->pi.abs_ts.secs, edt->pi.abs_ts.nsecs/1000000); 
@@ -1336,33 +1336,67 @@ ek_write_field_value(field_info *fi, write_json_data *pdata) } static void -ek_write_attr(GSList *attr_instances, write_json_data *pdata) +ek_write_attr_hex(GSList *attr_instances, write_json_data *pdata) { - proto_node *pnode = NULL; - field_info *fi = NULL; GSList *current_node = attr_instances; + proto_node *pnode = (proto_node *) current_node->data; + field_info *fi = NULL; + + // Raw name + fputs("\"", pdata->fh); + ek_write_name(pnode, pdata); + fputs("_raw\": ", pdata->fh); + + if (g_slist_length(attr_instances) > 1) { + fputs("[", pdata->fh); + } + // Raw value(s) while (current_node != NULL) { pnode = (proto_node *) current_node->data; fi = PNODE_FINFO(pnode); - // Hex dump -x - if (pdata->print_hex && fi->length > 0 && fi->hfinfo->id != hf_text_only) { - // Raw name - fputs("\"", pdata->fh); - ek_write_name(pnode, pdata); - fputs("_raw\": \"", pdata->fh); - - // Raw value - ek_write_hex(fi, pdata); + fputs("\"", pdata->fh); + ek_write_hex(fi, pdata); + fputs("\"", pdata->fh); - fputs("\",", pdata->fh); + current_node = current_node->next; + if (current_node != NULL) { + fputs(",", pdata->fh); } + } - // Print attr name - fputs("\"", pdata->fh); - ek_write_name(pnode, pdata); - fputs("\": ", pdata->fh); + if (g_slist_length(attr_instances) > 1) { + fputs("]", pdata->fh); + } +} + +static void +ek_write_attr(GSList *attr_instances, write_json_data *pdata) +{ + GSList *current_node = attr_instances; + proto_node *pnode = (proto_node *) current_node->data; + field_info *fi = NULL; + + // Hex dump -x + if (pdata->print_hex && fi->length > 0 && fi->hfinfo->id != hf_text_only) { + ek_write_attr_hex(attr_instances, pdata); + + fputs("\",", pdata->fh); + } + + // Print attr name + fputs("\"", pdata->fh); + ek_write_name(pnode, pdata); + fputs("\": ", pdata->fh); + + if (g_slist_length(attr_instances) > 1) { + fputs("[", pdata->fh); + } + + while (current_node != NULL) { + pnode = (proto_node *) current_node->data; + fi = PNODE_FINFO(pnode); 
/* Field */ if (fi->hfinfo->type != FT_PROTOCOL) { @@ -1381,12 +1415,6 @@ ek_write_attr(GSList *attr_instances, write_json_data *pdata) fputs("\"", pdata->fh); } - /* Protocol without children, e.g. SSL */ - else if (pnode->first_child == NULL) { - fputs("\"", pdata->fh); - ek_write_field_value(fi, pdata); - fputs("\"", pdata->fh); - } /* Object */ else { fputs("{", pdata->fh); @@ -1425,6 +1453,10 @@ ek_write_attr(GSList *attr_instances, write_json_data *pdata) fputs(",", pdata->fh); } } + + if (g_slist_length(attr_instances) > 1) { + fputs("]", pdata->fh); + } } /* Write out a tree's data, and any child nodes, as JSON for EK */ |
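Review bot: In the new `ek_write_attr` (second hunk), `fi` is initialised to `NULL` and then dereferenced in the hex-dump guard `fi->length > 0 && fi->hfinfo->id != hf_text_only` before the loop assigns it, so the condition reads through a null pointer whenever `pdata->print_hex` is set. This path runs for every field of a dissected capture, which may be untrusted, so it is a crash on any input; initialise from the first instance instead, `field_info *fi = PNODE_FINFO(pnode);`. The `fputs("\",", pdata->fh);` after the `ek_write_attr_hex` call also looks wrong: the helper already writes the closing quote and any `]`, so this emits a stray `"` and breaks the JSON, and `fputs(",", pdata->fh);` would match. Both new functions read `current_node->data` without checking that `attr_instances` is non-empty, which presumably holds for the caller but is not visible here. The body of `ek_write_attr` continues past this hunk into the following ones.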