From 42b060905e6a84c1413803e59766802089f6349d Mon Sep 17 00:00:00 2001
From: Martin Kacer <kacer.martin@gmail.com>
Date: Mon, 13 Jun 2016 15:47:44 +0200
Subject: tshark JSON and Elasticsearch output

Added ouput -T for json|ek
Added -j switch fo filter EK json|ek fields.
Added -x switch to work with json|ek to insert raw fields.

Bug: 11754

Change-Id: Iad5a9092b843c074b0b774d1745fa14fca09f6b7
Reviewed-on: https://code.wireshark.org/review/15869
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
---
 doc/tshark.pod | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

(limited to 'doc')

diff --git a/doc/tshark.pod b/doc/tshark.pod
index 120c74514a..2ee54edbc3 100644
--- a/doc/tshark.pod
+++ b/doc/tshark.pod
@@ -22,6 +22,7 @@ S<[ B<-g> ]>
 S<[ B<-h> ]>
 S<[ B<-H> E<lt>input hosts fileE<gt> ]>
 S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
+S<[ B<-j> E<lt>json match filterE<gt> ]>
 S<[ B<-I> ]>
 S<[ B<-K> E<lt>keytabE<gt> ]>
 S<[ B<-l> ]>
@@ -39,7 +40,7 @@ S<[ B<-R> E<lt>Read filterE<gt> ]>
 S<[ B<-s> E<lt>capture snaplenE<gt> ]>
 S<[ B<-S> E<lt>separatorE<gt> ]>
 S<[ B<-t> a|ad|adoy|d|dd|e|r|u|ud|udoy ]>
-S<[ B<-T> fields|pdml|ps|psml|text ]>
+S<[ B<-T> ek|fields|json|pdml|ps|psml|text ]>
 S<[ B<-u> E<lt>seconds typeE<gt>]>
 S<[ B<-U> E<lt>tap_nameE<gt>]>
 S<[ B<-v> ]>
@@ -534,6 +535,14 @@ If used after an B<-i> option, it enables the monitor mode for
 the interface specified by the last B<-i> option occurring before
 this option.
 
+=item -j  E<lt>json match filterE<gt>
+
+JSON match filter used for json|ek output file types.
+JSON parent node containing multiple child nodes is only included,
+if the name is found in the filter.
+
+Example: B<-j "http tcp ip">
+
 =item -K  E<lt>keytabE<gt>
 
 Load kerberos crypto keys from the specified keytab file.
@@ -724,11 +733,19 @@ was captured
 
 The default format is relative.
 
-=item -T  fields|pdml|ps|psml|text
+=item -T  ek|fields|json|pdml|ps|psml|text
 
 Set the format of the output when viewing decoded packet data.  The
 options are one of:
 
+B<ek> Newline delimited JSON format for bulk import into Elasticsearch.
+It can be used with B<-j> including the JSON filter or with B<-x> flag
+to include raw packet data.
+Example of usage to import data into Elasticsearch:
+
+  tshark -T ek -j "http tcp ip" -x -r file.pcap > file.json
+  curl -XPUT http://elasticsearch:9200/_bulk --data-binary @file.json
+
 B<fields> The values of fields specified with the B<-e> option, in a
 form specified by the B<-E> option.  For example,
 
@@ -737,6 +754,13 @@ form specified by the B<-E> option.  For example,
 would generate comma-separated values (CSV) output suitable for importing
 into your favorite spreadsheet program.
 
+B<json> JSON file format. It can be used with B<-j> including
+the JSON filter or with B<-x> flag to influde raw packet data.
+Example of usage:
+
+  tshark -T json -r file.pcap
+  tshark -T json -j "http tcp ip" -x -r file.pcap
+
 B<pdml> Packet Details Markup Language, an XML-based format for the details of
 a decoded packet.  This information is equivalent to the packet details
 printed with the B<-V> flag.
-- 
cgit v1.2.1