https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Alexis La Goutte changed:
What|Removed |Added
CC||sam.augus...@gmail.com
--
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Alexis La Goutte changed:
What|Removed |Added
CC||eneko.go...@tecnalia.com
--
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Pascal Quantin changed:
What|Removed |Added
See Also|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #57 from Gerrit Code Review ---
Change 24273 merged by Dario Lombardo:
Fix Elasticsearch hex dump
https://code.wireshark.org/review/24273
--
You are receiving this mail because:
You are
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Martin Kacer changed:
What|Removed |Added
Resolution|--- |FIXED
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #55 from Christoph Wurm ---
(In reply to Martin Kacer from comment #53)
> After the patch I get the following when I try to use it with -T ek output:
>
> tshark -T ek -x --no-duplicate-keys -r trace.pcap
>
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #54 from Dario Lombardo ---
I works for me on master v2.5.0rc0-1585-g156a0b6 with the provided pcap.
But there is an open issue in the ek code, as shown here
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Martin Kacer changed:
What|Removed |Added
Status|RESOLVED|INCOMPLETE
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #52 from Martin Kacer ---
Created attachment 15940
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=15940=edit
segfault with this pcap
tshark -T ek -x -r dns_short.pcap
--
You are
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #51 from Gerrit Code Review ---
Change 24236 merged by Anders Broman:
Tools: json2pcap script update
https://code.wireshark.org/review/24236
--
You are receiving this mail because:
You are
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #50 from Gerrit Code Review ---
Change 24236 had a related patch set uploaded by Martin Kacer:
Tools: json2pcap script update
https://code.wireshark.org/review/24236
--
You are receiving
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Michael Mann changed:
What|Removed |Added
Status|CONFIRMED |RESOLVED
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #49 from Gerrit Code Review ---
Change 24171 merged by Anders Broman:
Deduplicate Elasticsearch output
https://code.wireshark.org/review/24171
--
You are receiving this mail because:
You
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #48 from Gerrit Code Review ---
Change 24171 had a related patch set uploaded by Christoph Wurm:
Deduplicate Elasticsearch output
https://code.wireshark.org/review/24171
--
You are
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Michael Mann changed:
What|Removed |Added
Status|RESOLVED|CONFIRMED
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Michael Mann changed:
What|Removed |Added
Resolution|--- |FIXED
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #46 from Gerrit Code Review ---
Change 23042 merged by Anders Broman:
Tshark: Prepare Elasticsearch output deduplication
https://code.wireshark.org/review/23042
--
You are receiving this
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #45 from Gerrit Code Review ---
Change 23368 had a related patch set uploaded by Christoph Wurm:
Tshark: Prepare Elasticsearch output deduplication
https://code.wireshark.org/review/23368
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #44 from whootandah...@gmail.com ---
You can add USB as a protocol that also has multiple of the same field types.
"HID Descriptor" and "ENDPOINT Descriptor" both duplicate, and indeed require
to have that data available.
What
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Guy Harris changed:
What|Removed |Added
CC|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #42 from Gerrit Code Review ---
Change 23042 had a related patch set uploaded by Christoph Wurm:
Tshark: Prepare Elasticsearch output deduplication
https://code.wireshark.org/review/23042
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Alexis La Goutte changed:
What|Removed |Added
CC|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #40 from Gerrit Code Review ---
Change 22494 had a related patch set uploaded by Daan De Meyer:
Refactor JSON output functions
https://code.wireshark.org/review/22494
--
You are receiving
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #39 from Christoph Wurm ---
Currently it looks like this:
"timestamp": "133190100",
"layers": {
"frame": {
"frame_frame_encap_type": "1",
"frame_frame_time": "Mar 16, 2012
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #38 from Martin Kacer ---
Ek format should be:
- newline-delimited JSON (so no formatting / indent)
- no newlines
- index line before data json
- timestamp in json structure
It should be tested then
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #37 from Daan De Meyer ---
Am I correct in assuming the following differences would be the only
differences remaining between json and ek output if nested objects would be
used in ek output as well?
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #36 from Martin Kacer ---
Hi Daan,
thank you for the follow up on this. See the explanation from Christoph from
Elastic in this thread. Elasticsearch supports nested objects, just Kibana will
flatten
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #35 from Daan De Meyer ---
The bug has been fixed for the normal json output by adding the
"--no-duplicate-keys" option to tshark. However, right now this only works for
"-T json" and "-T jsonraw"
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #34 from Gerrit Code Review ---
Change 22479 had a related patch set uploaded by Daan De Meyer:
Backport --no-duplicate-keys option to 2.4.
https://code.wireshark.org/review/22479
--
You
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #29 from Daan De Meyer ---
I've not yet done refactoring of the ek output code. I wanted to get feedback
on the json refactor first before refactoring ek as well.
If a command line parameter is added
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #28 from Martin Kacer ---
I have quickly seen the patch. It looks good. So this is the described solution
with the arrays (Option1). The same implementation would be needed also for -T
ek output for
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #27 from Daan De Meyer ---
I've already submitted a patch which refactors the json output code to easily
switch between duplicated keys and json arrays. With this patch the output is
still hardcoded
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #26 from Martin Kacer ---
Yes, this could be the quick solution. Option2 if some switch to do not include
json duplicates is present.
--
You are receiving this mail because:
You are watching all bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #25 from Daan De Meyer ---
Why not provide a command line parameter that allows users to specify whether
they want duplicated keys gathered in json arrays? This way existing programs
that depend on
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #24 from Martin Kacer ---
I must admit I do not see here simple solution to remove duplicate keys from
json. And the workaround solutions have some pros/cons.
The issue is also related with
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #23 from Christoph Wurm ---
> > Regarding nested fields I think Elasticsearch accept it, but Kibana does not
> > fully support it or there was some similar problem. Therefor I decided
> > better to have flat
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #22 from Christoph Wurm ---
(In reply to Martin Kacer from comment #21)
> Thank you for this information, I was not aware of this change in Elastic in
> 6.X.
> So the solution could be that all duplicated json
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #21 from Martin Kacer ---
Thank you for this information, I was not aware of this change in Elastic in
6.X.
So the solution could be that all duplicated json fields (all tshark outputs,
also ek) to put
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #20 from Christoph Wurm ---
(In reply to Martin Kacer from comment #19)
> If I remember correctly, the Elasticsearch accepts the duplicated fields in
> JSON generated by -T ek. So for Elasticsearch there is no
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #19 from Martin Kacer ---
If I remember correctly, the Elasticsearch accepts the duplicated fields in
JSON generated by -T ek. So for Elasticsearch there is no issue. But the
Elasticsearch does not
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Christoph Wurm changed:
What|Removed |Added
CC||w...@elastic.co
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
conall.prenderg...@anam.com changed:
What|Removed |Added
CC|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Daan De Meyer changed:
What|Removed |Added
CC|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #16 from Guy Harris ---
(In reply to Graham Bloice from comment #14)
> In the case of telemetry protocols such as enumerated by the OP, by design
> these protocols will contain lots of replicated fields. I
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Pascal Quantin changed:
What|Removed |Added
CC|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Graham Bloice changed:
What|Removed |Added
CC|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Guy Harris changed:
What|Removed |Added
Status|INCOMPLETE |CONFIRMED
--
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #13 from Fayçal NOUSHI ---
Created attachment 15076
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=15076=edit
sigtran_piggybacking_with_no_map_in_middle
Attached a SIGTRAN trace
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #12 from Fayçal NOUSHI ---
Harris, to answer your question about the need for key uniqueness.
Here's an answer by "user454322" on stackoverflow.com
The JSON Data Interchange Format (ECMA-404)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Guy Harris changed:
What|Removed |Added
Status|CONFIRMED |INCOMPLETE
---
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #10 from Philippe Rosenfeld ---
I also think that creating a JSON pre-processing layer may be a good idea since
the number of protocols that need changed is not small:
I found the problem in:
-
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #9 from Fayçal NOUSHI ---
Thanks for the sctpDechunk suggestion, Kacer. It does not seem to work with
pcapng. Also, it would add a new layer for de-chunking before transforming into
JSON. That adds
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #8 from Martin Kacer ---
For Sigtran try to use sctpDechunk before processing.
--
You are receiving this mail because:
You are watching all bug changes.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #7 from Pascal Quantin ---
IMHO any solution selected will need to be in the JSON export specific code: we
should not pollute the dissectors code with whatever constraint coming from
JSON format.
--
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #6 from Fayçal NOUSHI ---
Hi !
I found the same issue for SIGTRAN traces where we have piggybacking. In our
case, multiple gsm_map and tcap parts.
I don't think that using an array would be feasible
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Dario Lombardo changed:
What|Removed |Added
CC|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Pascal Quantin changed:
What|Removed |Added
Status|UNCONFIRMED
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Jaap Keuter changed:
What|Removed |Added
CC|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #4 from Philippe Rosenfeld ---
(In reply to Martin Kacer from comment #3)
> If I understood it correctly all the cases are related to duplicated key in
> json output. RFC specification seems not
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #3 from Martin Kacer ---
If I understood it correctly all the cases are related to duplicated key in
json output. RFC specification seems not be very clear about the duplicated
keys. So it depends on
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
Alexis La Goutte changed:
What|Removed |Added
CC|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958
--- Comment #1 from Philippe Rosenfeld ---
Created attachment 14955
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=14955=edit
the JSON output
--
You are receiving this mail because:
You are
62 matches
Mail list logo