From 686f580258adf8fea381f855a84488e854859948 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Wed, 6 Jul 2016 01:26:30 +0200
Subject: lua/gelf: add very basic GELF dissector

GELF is a simple UDP protocol, every datagram is a gzipped JSON message. This dissector demonstrates how one could decompress it and parse it as JSON. Does not support chunked format.
---
 lua/gelf.lua | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 lua/gelf.lua

(limited to 'lua')

diff --git a/lua/gelf.lua b/lua/gelf.lua
new file mode 100644
index 0000000..fd9b44d
--- /dev/null
+++ b/lua/gelf.lua
@@ -0,0 +1,27 @@
+-- Dissector for Graylog Extended Log Format (GELF)
+-- Docs: http://docs.graylog.org/en/2.0/pages/gelf.html
+
+local gelf = Proto("GELF", "Graylog Extended Log Format")
+
+local json = Dissector.get("json")
+
+gelf.fields.data = ProtoField.string("gelf.data", "Message")
+
+function gelf.dissector(tvb, pinfo, tree)
+ if tvb:raw(0, 2) ~= "\x1f\x8b" then
+ -- not a gzip header, ignore
+ return 0
+ end
+
+ pinfo.cols.protocol = "GELF"
+
+ local tvb_uncompress = tvb():uncompress("GELF")
+
+ -- raw text
+ tree:add(gelf.fields.data, tvb_uncompress)
+
+ -- as JSON structure
+ json:call(tvb_uncompress:tvb(), pinfo, tree)
+end
+
+gelf:register_heuristic("udp", gelf.dissector)
-- cgit v1.2.1
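Review bot: gelf.dissector is registered as a UDP heuristic, so it runs on every unclaimed UDP payload, and its guards are too thin for untrusted datagrams: `tvb:raw(0, 2)` on a payload shorter than two bytes raises a Lua error before the magic comparison, and `tvb():uncompress("GELF")` returns nil for a corrupt or truncated gzip member, after which `tree:add(...)` and `tvb_uncompress:tvb()` error out instead of declining the packet. The match path also falls off the end without a return, which Wireshark treats as the heuristic not having claimed the packet even though the protocol column was already set; return a truthy value once the payload has been dissected. Nothing visible bounds the inflated size, so a small datagram that inflates to many megabytes is decompressed in full before the JSON dissector sees it — worth a comment at the uncompress call such as `-- NOTE: no inflate-size cap; a crafted gzip member inflates fully before any check can run`, since uncompress() is not given a limit here. The fence shows the guarded version; the tree:add and json:call lines are unchanged.
```lua
function gelf.dissector(tvb, pinfo, tree)
    -- Heuristic: runs on any unclaimed UDP payload, so a datagram shorter than
    -- two bytes must be rejected before raw() is asked for two bytes.
    if tvb:len() < 2 or tvb:raw(0, 2) ~= "\x1f\x8b" then
        return 0
    end

    -- Valid magic does not imply a valid stream: uncompress() returns nil on a
    -- corrupt or truncated member, and tree:add()/nil:tvb() would then error.
    local tvb_uncompress = tvb():uncompress("GELF")
    if not tvb_uncompress then
        return 0
    end

    pinfo.cols.protocol = "GELF"
    -- … unchanged: tree:add and json:call …
    return true
end
```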