Ask Your Question
0

tshark - Flag to remove index entry from ek output format

asked 2020-06-27 03:48:13 +0000

sciciliani gravatar image

The ek format (jsonnl) from tshark is great for capturing into some Big Data environment. Unfortunately as the format is designed for ElasticSearch the index information is added before each row:

{"index":{"_index":"packets-2020-06-27","_type":"doc"}} {"timestamp":"1593228122133","layers":{"frame_raw":"fa163e0aed1d4c9614901ff0080... } {"index":{"_index":"packets-2020-06-27","_type":"doc"}} {"timestamp":"1593228122133","layers":{"frame_raw":"4c9614901ff0fa163e0aed1d080... }

I was wondering if it is possible to add a flag to remove this additional row from the output.

From the code it looks like the code printing that output is at line 364 on epan/print.c

https://github.com/wireshark/wireshar...

Is there a procedure to request for this change?

edit retag flag offensive close merge delete

Comments

Why not pipe it through sed to delete the line or reformat as needed?

Chuckc gravatar imageChuckc ( 2020-06-27 05:44:04 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-06-27 03:51:31 +0000

Guy Harris gravatar image

The ek format (jsonnl) from tshark is great for capturing into some Big Data environment. Unfortunately as the format is designed for ElasticSearch the index information is added before each row

Well, yes, the ek format was, in fact, designed for ElasticSearch; that's why the index is there.

If -T json won't work for what you're doing, perhaps there should be another format, designed for whatever big data format you're using, rather than adding Yet Another Flag to say "yeah, I know, I asked for ek, but I didn't mean ElasticSearch".

In any case, the way to request an enhancement is to post a request on the Wireshark Bugzilla.

edit flag offensive delete link more

Comments

Well as you may know the regular json output returns an array of json objects.

Therefore in order to parse that array it has to be completed (with the trailing ]) which is added once the capture is completed (pressing ctrl-c for example)

For continuos captures such as real time streaming I can't parse the array because it is never completed (unless I do some hack), therefore one json row for each packet is the more portable way to retrieve this data.

I've filed https://bugs.wireshark.org/bugzilla/s... to discuss if a flag or a new format is the way to go.

Thanks for the prompt response. I guess we can close this question

sciciliani gravatar imagesciciliani ( 2020-06-27 04:26:10 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2020-06-27 03:48:13 +0000

Seen: 757 times

Last updated: Jun 27 '20

Related questions

Deduplication in tshark -T ek [closed]

tshark export to ek json too slow?

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt