From 511c2e166a6d3eeb37930a3dd7f40056498456ca Mon Sep 17 00:00:00 2001 From: Dario Lombardo Date: Mon, 9 Apr 2018 12:31:38 +0200 Subject: tshark: add -G elastic-mapping report. This option generates an ElasticSearch mapping file as described here: https://www.elastic.co/blog/analyzing-network-packets-with-wireshark-elasticsearch-and-kibana It leverages the Glib-json library. Change-Id: Iff25f991e87d3da07bf06654e353fb785799dde9 Reviewed-on: https://code.wireshark.org/review/26848 Petri-Dish: Dario Lombardo Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu Reviewed-by: Dario Lombardo --- doc/tshark.pod | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'doc') diff --git a/doc/tshark.pod b/doc/tshark.pod index 08fc22e920..9ccfdbca7b 100644 --- a/doc/tshark.pod +++ b/doc/tshark.pod @@ -448,6 +448,8 @@ is one record per line. The fields are tab-delimited. * Field 5 = protocol name * Field 6 = "decode as" support +B Dumps the ElasticSearch mapping file to stdout. + B Dumps the number of header fields to stdout. B Dumps the contents of the registration database to @@ -835,6 +837,10 @@ Example of usage to import data into Elasticsearch: tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json" +Elastic requires a mapping file to be loaded as template for packets-* +index in order to convert wireshark types to elastic types. This file +can be auto-generated with the command "tshark -G elastic-mapping". + B The values of fields specified with the B<-e> option, in a form specified by the B<-E> option. For example, -- cgit v1.2.3
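Review bot: in the first hunk (doc/tshark.pod, the -G report list around line 448) the new entry says only that it "Dumps the ElasticSearch mapping file to stdout" and not what the file is for, so a reader scanning the -G reports cannot tell how it relates to the -T ek output; the second hunk carries that information (a template for the packets-* index that converts Wireshark types to Elasticsearch types), and a one-line pointer here, e.g. "Dumps the Elasticsearch mapping file, used as a template for the packets-* index when importing B<-T ek> output, to stdout.", would make the option self-describing. Two smaller points: the existing example text on line 835 spells the product "Elasticsearch" while the new entry uses "ElasticSearch", so the page should settle on one spelling; and since the commit message says the report relies on the Glib-json library, if that is an optional build dependency the entry should state that the report is only available when tshark was built with it.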
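Review bot: in the second hunk (the -T ek example around line 837) the new paragraph sits after the curl bulk-import command, but a mapping template has to be loaded before documents are indexed for the type conversion to take effect, so as written it reads as an afterthought where it is actually the first step; move it ahead of the two example commands, or state explicitly that the template must be loaded first, and show how the generated file is loaded (the section gives a curl command for every other step, so a matching one for putting the template into Elasticsearch would complete the procedure). Wording: "as a template for the packets-* index" (missing articles), "Wireshark" rather than "wireshark", "Elasticsearch" rather than "Elastic" to match the line above, and the option is better rendered as B<-G elastic-mapping> in the pod's own style, as B<-e> and B<-E> are in the following paragraph, rather than in double quotes.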