lua/gelf: add very basic GELF dissector

GELF is a simple UDP protocol, every datagram is a gzipped JSON message. This dissector demonstrates how one could decompress it and parse it as JSON. Does not support chunked format.
author: Peter Wu <peter@lekensteyn.nl> 2016-07-06 01:26:30 +0200
committer: Peter Wu <peter@lekensteyn.nl> 2016-07-06 01:26:30 +0200
commit: 686f580258adf8fea381f855a84488e854859948 (patch)
tree: e0d836aaae962556cebe6b7ff39cb4d0ec0809c2 /lua
parent: 5e2cb57a11d8161986e8189ff34b6bb754ac7db9 (diff)
download: wireshark-notes-686f580258adf8fea381f855a84488e854859948.tar.gz
1 files changed, 27 insertions, 0 deletions
diff --git a/lua/gelf.lua b/lua/gelf.lua
new file mode 100644
index 0000000..fd9b44d
--- /dev/null
+++ b/lua/gelf.lua
@@ -0,0 +1,27 @@
+-- Dissector for Graylog Extended Log Format (GELF)
+-- Docs: http://docs.graylog.org/en/2.0/pages/gelf.html
+
+local gelf = Proto("GELF", "Graylog Extended Log Format")
+
+local json = Dissector.get("json")
+
+gelf.fields.data = ProtoField.string("gelf.data", "Message")
+
+function gelf.dissector(tvb, pinfo, tree)
+    if tvb:raw(0, 2) ~= "\x1f\x8b" then
+        -- not a gzip header, ignore
+        return 0
+    end
+
+    pinfo.cols.protocol = "GELF"
+
+    local tvb_uncompress = tvb():uncompress("GELF")
+
+    -- raw text
+    tree:add(gelf.fields.data, tvb_uncompress)
+
+    -- as JSON structure
+    json:call(tvb_uncompress:tvb(), pinfo, tree)
+end
+
+gelf:register_heuristic("udp", gelf.dissector)
author	Peter Wu <peter@lekensteyn.nl>	2016-07-06 01:26:30 +0200
committer	Peter Wu <peter@lekensteyn.nl>	2016-07-06 01:26:30 +0200
commit	686f580258adf8fea381f855a84488e854859948 (patch)
tree	e0d836aaae962556cebe6b7ff39cb4d0ec0809c2 /lua
parent	5e2cb57a11d8161986e8189ff34b6bb754ac7db9 (diff)
download	wireshark-notes-686f580258adf8fea381f855a84488e854859948.tar.gz