diff options
| author | Martin Kacer <kacer.martin@gmail.com> | 2017-02-13 09:36:02 +0100 |
|---|---|---|
| committer | Peter Wu <peter@lekensteyn.nl> | 2017-02-25 19:11:01 +0000 |
| commit | cd7d159c2ee180be6654a7acbf7c83f902216462 (patch) | |
| tree | 87d5364749f160aacf42b44397ba19e60152c141 /doc/tshark.pod | |
| parent | d00dae7af9c590a8100e54dba0685271bd8b1165 (diff) | |
| download | wireshark-cd7d159c2ee180be6654a7acbf7c83f902216462.tar.gz | |
json2pcap support added
Modified tshark -T json -x output
Added tshark -T jsonraw output
json2pcap.py (can be used for basic packet editing by modifying json)
The modification in tshark -T json -x and new tshark -T jsonraw output
add into hex-data output in JSON also information on which position
each field is dissected in the original frame, what is the field length,
bitmask (for not byte aligned fields) and type. This information can be
used for latter processing. One use-case is json2pcap script which
assembles the protocol layers back together from upper to lowers layers,
which allows the basic packet modification/editing/rewriting.
Change-Id: Ibf948eb8fc7e3b0b51c12df6c3855f705a9c7925
Reviewed-on: https://code.wireshark.org/review/19990
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'doc/tshark.pod')
| -rw-r--r-- | doc/tshark.pod | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/doc/tshark.pod b/doc/tshark.pod index 4138d9b1f5..8f1b77d158 100644 --- a/doc/tshark.pod +++ b/doc/tshark.pod @@ -545,11 +545,18 @@ this option. =item -j E<lt>protocol match filterE<gt> -Protocol match filter used for ek|json|pdml output file types. +Protocol match filter used for ek|json|jsonraw|pdml output file types. Parent node containing multiple child nodes is only included, if the name is found in the filter. -Example: B<-j "http tcp ip"> +Example: B<-j "ip ip.flags text"> + +=item -J E<lt>protocol match filterE<gt> + +Protocol top level filter used for ek|json|jsonraw|pdml output file types. +Parent node containing multiple child nodes is included with all children. + +Example: B<-J "http tcp"> =item -K E<lt>keytabE<gt> @@ -741,14 +748,14 @@ was captured The default format is relative. -=item -T ek|fields|json|pdml|ps|psml|text +=item -T ek|fields|json|jsonraw|pdml|ps|psml|text Set the format of the output when viewing decoded packet data. The options are one of: B<ek> Newline delimited JSON format for bulk import into Elasticsearch. -It can be used with B<-j> including the JSON filter or with B<-x> flag -to include raw packet data. +It can be used with B<-j> or B<-J> including the JSON filter or with +B<-x> flag to include raw hex-encoded packet data. Example of usage to import data into Elasticsearch: tshark -T ek -j "http tcp ip" -x -r file.pcap > file.json @@ -762,13 +769,20 @@ form specified by the B<-E> option. For example, would generate comma-separated values (CSV) output suitable for importing into your favorite spreadsheet program. -B<json> JSON file format. It can be used with B<-j> including -the JSON filter or with B<-x> flag to influde raw packet data. +B<json> JSON file format. It can be used with B<-j> or B<-J> including +the JSON filter or with B<-x> flag to include raw hex-encoded packet data. Example of usage: tshark -T json -r file.pcap tshark -T json -j "http tcp ip" -x -r file.pcap +B<jsonraw> JSON file format including only raw hex-encoded packet data. +It can be used with B<-j> including or B<-J >the JSON filter flag. +Example of usage: + + tshark -T jsonraw -r file.pcap + tshark -T jsonraw -j "http tcp ip" -x -r file.pcap + B<pdml> Packet Details Markup Language, an XML-based format for the details of a decoded packet. This information is equivalent to the packet details printed with the B<-V> flag. |