[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Alexis La Goutte changed: What|Removed |Added CC||sam.augus...@gmail.com --

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Alexis La Goutte changed: What|Removed |Added CC||eneko.go...@tecnalia.com --

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Pascal Quantin changed: What|Removed |Added See Also|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #57 from Gerrit Code Review --- Change 24273 merged by Dario Lombardo: Fix Elasticsearch hex dump https://code.wireshark.org/review/24273 -- You are receiving this mail because: You are

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Martin Kacer changed: What|Removed |Added Resolution|--- |FIXED

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #55 from Christoph Wurm --- (In reply to Martin Kacer from comment #53) > After the patch I get the following when I try to use it with -T ek output: > > tshark -T ek -x --no-duplicate-keys -r trace.pcap >

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #54 from Dario Lombardo --- I works for me on master v2.5.0rc0-1585-g156a0b6 with the provided pcap. But there is an open issue in the ek code, as shown here

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Martin Kacer changed: What|Removed |Added Status|RESOLVED|INCOMPLETE

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #52 from Martin Kacer --- Created attachment 15940 --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=15940=edit segfault with this pcap tshark -T ek -x -r dns_short.pcap -- You are

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #51 from Gerrit Code Review --- Change 24236 merged by Anders Broman: Tools: json2pcap script update https://code.wireshark.org/review/24236 -- You are receiving this mail because: You are

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #50 from Gerrit Code Review --- Change 24236 had a related patch set uploaded by Martin Kacer: Tools: json2pcap script update https://code.wireshark.org/review/24236 -- You are receiving

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Michael Mann changed: What|Removed |Added Status|CONFIRMED |RESOLVED

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #49 from Gerrit Code Review --- Change 24171 merged by Anders Broman: Deduplicate Elasticsearch output https://code.wireshark.org/review/24171 -- You are receiving this mail because: You

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #48 from Gerrit Code Review --- Change 24171 had a related patch set uploaded by Christoph Wurm: Deduplicate Elasticsearch output https://code.wireshark.org/review/24171 -- You are

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Michael Mann changed: What|Removed |Added Status|RESOLVED|CONFIRMED

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Michael Mann changed: What|Removed |Added Resolution|--- |FIXED

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #46 from Gerrit Code Review --- Change 23042 merged by Anders Broman: Tshark: Prepare Elasticsearch output deduplication https://code.wireshark.org/review/23042 -- You are receiving this

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #45 from Gerrit Code Review --- Change 23368 had a related patch set uploaded by Christoph Wurm: Tshark: Prepare Elasticsearch output deduplication https://code.wireshark.org/review/23368

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #44 from whootandah...@gmail.com --- You can add USB as a protocol that also has multiple of the same field types. "HID Descriptor" and "ENDPOINT Descriptor" both duplicate, and indeed require to have that data available. What

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Guy Harris changed: What|Removed |Added CC|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #42 from Gerrit Code Review --- Change 23042 had a related patch set uploaded by Christoph Wurm: Tshark: Prepare Elasticsearch output deduplication https://code.wireshark.org/review/23042

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Alexis La Goutte changed: What|Removed |Added CC|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #40 from Gerrit Code Review --- Change 22494 had a related patch set uploaded by Daan De Meyer: Refactor JSON output functions https://code.wireshark.org/review/22494 -- You are receiving

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #39 from Christoph Wurm --- Currently it looks like this: "timestamp": "133190100", "layers": { "frame": { "frame_frame_encap_type": "1", "frame_frame_time": "Mar 16, 2012

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #38 from Martin Kacer --- Ek format should be: - newline-delimited JSON (so no formatting / indent) - no newlines - index line before data json - timestamp in json structure It should be tested then

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #37 from Daan De Meyer --- Am I correct in assuming the following differences would be the only differences remaining between json and ek output if nested objects would be used in ek output as well?

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #36 from Martin Kacer --- Hi Daan, thank you for the follow up on this. See the explanation from Christoph from Elastic in this thread. Elasticsearch supports nested objects, just Kibana will flatten

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #35 from Daan De Meyer --- The bug has been fixed for the normal json output by adding the "--no-duplicate-keys" option to tshark. However, right now this only works for "-T json" and "-T jsonraw"

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #34 from Gerrit Code Review --- Change 22479 had a related patch set uploaded by Daan De Meyer: Backport --no-duplicate-keys option to 2.4. https://code.wireshark.org/review/22479 -- You

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #29 from Daan De Meyer --- I've not yet done refactoring of the ek output code. I wanted to get feedback on the json refactor first before refactoring ek as well. If a command line parameter is added

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #28 from Martin Kacer --- I have quickly seen the patch. It looks good. So this is the described solution with the arrays (Option1). The same implementation would be needed also for -T ek output for

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #27 from Daan De Meyer --- I've already submitted a patch which refactors the json output code to easily switch between duplicated keys and json arrays. With this patch the output is still hardcoded

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #26 from Martin Kacer --- Yes, this could be the quick solution. Option2 if some switch to do not include json duplicates is present. -- You are receiving this mail because: You are watching all bug

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #25 from Daan De Meyer --- Why not provide a command line parameter that allows users to specify whether they want duplicated keys gathered in json arrays? This way existing programs that depend on

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #24 from Martin Kacer --- I must admit I do not see here simple solution to remove duplicate keys from json. And the workaround solutions have some pros/cons. The issue is also related with

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #23 from Christoph Wurm --- > > Regarding nested fields I think Elasticsearch accept it, but Kibana does not > > fully support it or there was some similar problem. Therefor I decided > > better to have flat

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #22 from Christoph Wurm --- (In reply to Martin Kacer from comment #21) > Thank you for this information, I was not aware of this change in Elastic in > 6.X. > So the solution could be that all duplicated json

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #21 from Martin Kacer --- Thank you for this information, I was not aware of this change in Elastic in 6.X. So the solution could be that all duplicated json fields (all tshark outputs, also ek) to put

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #20 from Christoph Wurm --- (In reply to Martin Kacer from comment #19) > If I remember correctly, the Elasticsearch accepts the duplicated fields in > JSON generated by -T ek. So for Elasticsearch there is no

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #19 from Martin Kacer --- If I remember correctly, the Elasticsearch accepts the duplicated fields in JSON generated by -T ek. So for Elasticsearch there is no issue. But the Elasticsearch does not

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Christoph Wurm changed: What|Removed |Added CC||w...@elastic.co

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 conall.prenderg...@anam.com changed: What|Removed |Added CC|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Daan De Meyer changed: What|Removed |Added CC|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #16 from Guy Harris --- (In reply to Graham Bloice from comment #14) > In the case of telemetry protocols such as enumerated by the OP, by design > these protocols will contain lots of replicated fields. I

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Pascal Quantin changed: What|Removed |Added CC|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Graham Bloice changed: What|Removed |Added CC|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Guy Harris changed: What|Removed |Added Status|INCOMPLETE |CONFIRMED --

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #13 from Fayçal NOUSHI --- Created attachment 15076 --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=15076=edit sigtran_piggybacking_with_no_map_in_middle Attached a SIGTRAN trace

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #12 from Fayçal NOUSHI --- Harris, to answer your question about the need for key uniqueness. Here's an answer by "user454322" on stackoverflow.com The JSON Data Interchange Format (ECMA-404)

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Guy Harris changed: What|Removed |Added Status|CONFIRMED |INCOMPLETE ---

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #10 from Philippe Rosenfeld --- I also think that creating a JSON pre-processing layer may be a good idea since the number of protocols that need changed is not small: I found the problem in: -

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #9 from Fayçal NOUSHI --- Thanks for the sctpDechunk suggestion, Kacer. It does not seem to work with pcapng. Also, it would add a new layer for de-chunking before transforming into JSON. That adds

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #8 from Martin Kacer --- For Sigtran try to use sctpDechunk before processing. -- You are receiving this mail because: You are watching all bug changes.

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #7 from Pascal Quantin --- IMHO any solution selected will need to be in the JSON export specific code: we should not pollute the dissectors code with whatever constraint coming from JSON format. --

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #6 from Fayçal NOUSHI --- Hi ! I found the same issue for SIGTRAN traces where we have piggybacking. In our case, multiple gsm_map and tcap parts. I don't think that using an array would be feasible

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Dario Lombardo changed: What|Removed |Added CC|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Pascal Quantin changed: What|Removed |Added Status|UNCONFIRMED

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Jaap Keuter changed: What|Removed |Added CC|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #4 from Philippe Rosenfeld --- (In reply to Martin Kacer from comment #3) > If I understood it correctly all the cases are related to duplicated key in > json output. RFC specification seems not

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #3 from Martin Kacer --- If I understood it correctly all the cases are related to duplicated key in json output. RFC specification seems not be very clear about the duplicated keys. So it depends on

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 Alexis La Goutte changed: What|Removed |Added CC|

[Wireshark-bugs] [Bug 12958] Wrong JSON format returned by new -T json feature

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958 --- Comment #1 from Philippe Rosenfeld --- Created attachment 14955 --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=14955=edit the JSON output -- You are receiving this mail because: You are