tshark JSON and Elasticsearch output

Added ouput -T for json|ek Added -j switch fo filter EK json|ek fields. Added -x switch to work with json|ek to insert raw fields. Bug: 11754 Change-Id: Iad5a9092b843c074b0b774d1745fa14fca09f6b7 Reviewed-on: https://code.wireshark.org/review/15869 Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl> Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
author: Martin Kacer <kacer.martin@gmail.com> 2016-06-13 15:47:44 +0200
committer: Anders Broman <a.broman58@gmail.com> 2016-06-17 06:09:29 +0000
commit: 42b060905e6a84c1413803e59766802089f6349d (patch)
tree: 2eec8bc60f00414ab720776ab226f87ced48ade1 /tshark.c
parent: 0aa5f6c6c70959c24caee61a88889b1b86d610f1 (diff)
download: wireshark-42b060905e6a84c1413803e59766802089f6349d.tar.gz
1 files changed, 55 insertions, 6 deletions
diff --git a/tshark.c b/tshark.c
index 96f1555678..af38ab0702 100644
--- a/tshark.c
+++ b/tshark.c
@@ -158,7 +158,9 @@ static gboolean perform_two_pass_analysis;
 typedef enum {
   WRITE_TEXT,   /* summary or detail text */
   WRITE_XML,    /* PDML or PSML */
-  WRITE_FIELDS  /* User defined list of fields */
+  WRITE_FIELDS, /* User defined list of fields */
+  WRITE_JSON,    /* JSON */
+  WRITE_EK      /* JSON bulk insert to Elasticsearch */
   /* Add CSV and the like here */
 } output_action_e;
 
@@ -175,6 +177,7 @@ static print_format_e print_format = PR_FMT_TEXT;
 static print_stream_t *print_stream;
 
 static output_fields_t* output_fields  = NULL;
+static gchar *jsonfilter = NULL;
 
 /* The line separator used between packets, changeable via the -S option */
 static const char *separator = "";
@@ -372,8 +375,10 @@ print_usage(FILE *output)
   fprintf(output, "  -P                       print packet summary even when writing to a file\n");
   fprintf(output, "  -S <separator>           the line separator to print between packets\n");
   fprintf(output, "  -x                       add output of hex and ASCII dump (Packet Bytes)\n");
-  fprintf(output, "  -T pdml|ps|psml|text|fields\n");
+  fprintf(output, "  -T pdml|ps|psml|json|ek|text|fields\n");
   fprintf(output, "                           format of text output (def: text)\n");
+  fprintf(output, "  -j <jsonfilter>          only protocols layers to include if -Tjson, -Tek selected,\n");
+  fprintf(output, "                           (e.g. \"http tcp ip\",\n");
   fprintf(output, "  -e <field>               field to print if -Tfields selected (e.g. tcp.port,\n");
   fprintf(output, "                           _ws.col.Info)\n");
   fprintf(output, "                           this option can be repeated to print multiple fields\n");
@@ -1020,7 +1025,7 @@ main(int argc, char *argv[])
  * We do *not* use a leading - because the behavior of a leading - is
  * platform-dependent.
  */
-#define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:U:vVw:W:xX:Y:z:"
+#define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:j:" "K:lnN:o:O:PqQr:R:S:t:T:u:U:vVw:W:xX:Y:z:"
 
   static const char    optstring[] = OPTSTRING;
 
@@ -1479,6 +1484,9 @@ main(int argc, char *argv[])
         return 1;
       }
       break;
+    case 'j':
+      jsonfilter = optarg;
+      break;
     case 'W':        /* Select extra information to save in our capture file */
       /* This is patterned after the -N flag which may not be the best idea. */
       if (strchr(optarg, 'n')) {
@@ -1639,7 +1647,16 @@ main(int argc, char *argv[])
         output_action = WRITE_FIELDS;
         print_details = TRUE;   /* Need full tree info */
         print_summary = FALSE;  /* Don't allow summary */
-      } else {
+      } else if (strcmp(optarg, "json") == 0) {
+        output_action = WRITE_JSON;
+        print_details = TRUE;   /* Need details */
+        print_summary = FALSE;  /* Don't allow summary */
+      } else if (strcmp(optarg, "ek") == 0) {
+        output_action = WRITE_EK;
+        print_details = TRUE;   /* Need details */
+        print_summary = FALSE;  /* Don't allow summary */
+      }
+      else {
         cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg);                   /* x */
         cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
                         "\t         specified by the -E option.\n"
@@ -1653,6 +1670,12 @@ main(int argc, char *argv[])
                         "\t         summary information of a decoded packet. This information is\n"
                         "\t         equivalent to the information shown in the one-line summary\n"
                         "\t         printed by default.\n"
+                        "\t\"json\"   Packet Summary, an JSON-based format for the details\n"
+                        "\t         summary information of a decoded packet. This information is \n"
+                        "\t         equivalent to the packet details printed with the -V flag.\n"
+                        "\t\"ek\"   Packet Summary, an EK JSON-based format for the bulk insert \n"
+                        "\t         into elastic search cluster. This information is \n"
+                        "\t         equivalent to the packet details printed with the -V flag.\n"
                         "\t\"text\"   Text of a human-readable one-line summary of each of the\n"
                         "\t         packets, or a multi-line view of the details of each of the\n"
                         "\t         packets, depending on whether the -V flag was specified.\n"
@@ -1844,8 +1867,8 @@ main(int argc, char *argv[])
   }
 
   if (print_hex) {
-    if (output_action != WRITE_TEXT) {
-      cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
+    if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_EK) {
+      cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON or EK JSON");
       return 1;
     }
   }
@@ -3883,6 +3906,13 @@ write_preamble(capture_file *cf)
     write_fields_preamble(output_fields, stdout);
     return !ferror(stdout);
 
+  case WRITE_JSON:
+    write_json_preamble(stdout);
+    return !ferror(stdout);
+
+  case WRITE_EK:
+    return !ferror(stdout);
+
   default:
     g_assert_not_reached();
     return FALSE;
@@ -4186,6 +4216,8 @@ print_packet(capture_file *cf, epan_dissect_t *edt)
         write_psml_columns(edt, stdout);
         return !ferror(stdout);
       case WRITE_FIELDS: /*No non-verbose "fields" format */
+      case WRITE_JSON:
+      case WRITE_EK:
         g_assert_not_reached();
         break;
       }
@@ -4224,6 +4256,16 @@ print_packet(capture_file *cf, epan_dissect_t *edt)
       write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
       printf("\n");
       return !ferror(stdout);
+    case WRITE_JSON:
+      print_args.print_hex = print_hex;
+      write_json_proto_tree(&print_args, jsonfilter, edt, stdout);
+      printf("\n");
+      return !ferror(stdout);
+    case WRITE_EK:
+      print_args.print_hex = print_hex;
+      write_ek_proto_tree(&print_args, jsonfilter, edt, stdout);
+      printf("\n");
+      return !ferror(stdout);
     }
   }
   if (print_hex) {
@@ -4258,6 +4300,13 @@ write_finale(void)
     write_fields_finale(output_fields, stdout);
     return !ferror(stdout);
 
+  case WRITE_JSON:
+    write_json_finale(stdout);
+    return !ferror(stdout);
+
+  case WRITE_EK:
+    return !ferror(stdout);
+
   default:
     g_assert_not_reached();
     return FALSE;
author	Martin Kacer <kacer.martin@gmail.com>	2016-06-13 15:47:44 +0200
committer	Anders Broman <a.broman58@gmail.com>	2016-06-17 06:09:29 +0000
commit	42b060905e6a84c1413803e59766802089f6349d (patch)
tree	2eec8bc60f00414ab720776ab226f87ced48ade1 /tshark.c
parent	0aa5f6c6c70959c24caee61a88889b1b86d610f1 (diff)
download	wireshark-42b060905e6a84c1413803e59766802089f6349d.tar.gz