[Wireshark-bugs] [Bug 16656] Add NDJSON output format

bugzilla-daemon Sat, 27 Jun 2020 18:52:39 -0700

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16656


--- Comment #7 from Santiago Ciciliani <santiago.cicili...@gmail.com> ---
(In reply to Guy Harris from comment #4)
> Currently, we have:
> 
> "json", which looks like
> 
> [
>   {
>     "_index": "packets-1999-05-19",
>     "_type": "doc",
>     "_score": null,
>     "_source": {
>       "layers": {
>         "frame": {
>           "frame.encap_type": "1",
>           "frame.time": "May 19, 1999 17:48:39.708517000 PDT",
>           "frame.offset_shift": "0.000000000",
>           "frame.time_epoch": "927161319.708517000",
>           "frame.time_delta": "0.000000000",
>           "frame.time_delta_displayed": "0.000000000",
>           "frame.time_relative": "0.000000000",
>           "frame.number": "1",
>           "frame.len": "60",
>           "frame.cap_len": "60",
>           "frame.marked": "0",
>           "frame.ignored": "0",
>           "frame.file_off": "24",
>           "frame.protocols": "eth:ethertype:arp"
>         },
>         "eth": {
>           "eth.dst": "ff:ff:ff:ff:ff:ff",
>           "eth.dst_tree": {
>             "eth.dst_resolved": "Broadcast",
>             "eth.dst.oui": "16777215",
>             "eth.addr": "ff:ff:ff:ff:ff:ff",
>             "eth.addr_resolved": "Broadcast",
>             "eth.addr.oui": "16777215",
>             "eth.dst.lg": "1",
>             "eth.lg": "1",
>             "eth.dst.ig": "1",
>             "eth.ig": "1"
>           },
>           "eth.src": "00:ab:cd:ef:01:23",
>           "eth.src_tree": {
>             "eth.src_resolved": "Example_ef:01:23",
>             "eth.src.oui": "57426",
>             "eth.src.oui_resolved": "Example Networks",
>             "eth.addr": "00:ab:cd:ef:01:23",
>             "eth.addr_resolved": "Example_ef:01:23",
>             "eth.addr.oui": "57426",
>             "eth.addr.oui_resolved": "Example Networks",
>             "eth.src.lg": "0",
>             "eth.lg": "0",
>             "eth.src.ig": "0",
>             "eth.ig": "0"
>           },
>           "eth.type": "0x00000806",
>           "eth.padding":
> "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
>         },
>         "arp": {
>           "arp.hw.type": "1",
>           "arp.proto.type": "0x00000800",
>           "arp.hw.size": "6",
>           "arp.proto.size": "4",
>           "arp.opcode": "1",
>           "arp.src.hw_mac": "00:ab:cd:ef:01:23",
>           "arp.src.proto_ipv4": "192.168.4.1",
>           "arp.dst.hw_mac": "00:00:00:00:00:00",
>           "arp.dst.proto_ipv4": "192.168.4.255"
>         }
>       }
>     }
>   },
> 
>       ...
> 
>   {
>     "_index": "packets-1999-05-19",
>     "_type": "doc",
>     "_score": null,
>     "_source": {
>       "layers": {
>         "frame": {
>           "frame.encap_type": "1",
>           "frame.time": "May 19, 1999 17:49:40.951473000 PDT",
>           "frame.offset_shift": "0.000000000",
>           "frame.time_epoch": "927161380.951473000",
>           "frame.time_delta": "0.000092000",
>           "frame.time_delta_displayed": "0.000092000",
>           "frame.time_relative": "61.242956000",
>           "frame.number": "131",
>           "frame.len": "60",
>           "frame.cap_len": "60",
>           "frame.marked": "0",
>           "frame.ignored": "0",
>           "frame.file_off": "12088",
>           "frame.protocols": "eth:ethertype:arp"
>         },
>         "eth": {
>           "eth.dst": "ff:ff:ff:ff:ff:ff",
>           "eth.dst_tree": {
>             "eth.dst_resolved": "Broadcast",
>             "eth.dst.oui": "16777215",
>             "eth.addr": "ff:ff:ff:ff:ff:ff",
>             "eth.addr_resolved": "Broadcast",
>             "eth.addr.oui": "16777215",
>             "eth.dst.lg": "1",
>             "eth.lg": "1",
>             "eth.dst.ig": "1",
>             "eth.ig": "1"
>           },
>           "eth.src": "00:ab:cd:ef:01:23",
>           "eth.src_tree": {
>             "eth.src_resolved": "Example_ef:01:23",
>             "eth.src.oui": "57426",
>             "eth.src.oui_resolved": "Example Networks",
>             "eth.addr": "00:ab:cd:ef:01:23",
>             "eth.addr_resolved": "Example_ef:01:23",
>             "eth.addr.oui": "57426",
>             "eth.addr.oui_resolved": "Example Networks",
>             "eth.src.lg": "0",
>             "eth.lg": "0",
>             "eth.src.ig": "0",
>             "eth.ig": "0"
>           },
>           "eth.type": "0x00000806",
>           "eth.trailer":
> "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00",
>           "eth.trailer_tree": {
>             "_ws.expert": {
>               "eth.padding_bad": "",
>               "_ws.expert.message": "Didn't find padding of zeros, and an
> undecoded trailer exists. There may be padding of non-zeros.",
>               "_ws.expert.severity": "4194304",
>               "_ws.expert.group": "150994944"
>             }
>           }
>         },
>         "arp": {
>           "arp.hw.type": "1",
>           "arp.proto.type": "0x00000800",
>           "arp.hw.size": "6",
>           "arp.proto.size": "4",
>           "arp.opcode": "1",
>           "arp.src.hw_mac": "00:ab:cd:ef:01:23",
>           "arp.src.proto_ipv4": "192.168.4.1",
>           "arp.dst.hw_mac": "00:00:00:00:00:00",
>           "arp.dst.proto_ipv4": "192.168.4.255"
>         }
>       }
>     }
>   }
> ]
> 
> and "ek", which looks like:
> 
> {"index":{"_index":"packets-1999-05-19","_type":"doc"}}
> {"timestamp":"927161319708","layers":{"frame":{"frame_frame_encap_type":"1",
> "frame_frame_time":"1999-05-20T00:48:39.708517000Z",
> "frame_frame_offset_shift":"0.000000000","frame_frame_time_epoch":"927161319.
> 708517000","frame_frame_time_delta":"0.000000000",
> "frame_frame_time_delta_displayed":"0.000000000","frame_frame_time_relative":
> "0.000000000","frame_frame_number":"1","frame_frame_len":"60",
> "frame_frame_cap_len":"60","frame_frame_marked":false,"frame_frame_ignored":
> false,"frame_frame_file_off":"24","frame_frame_protocols":"eth:ethertype:
> arp"},"eth":{"eth_eth_dst":"ff:ff:ff:ff:ff:ff","eth_eth_dst_resolved":
> "Broadcast","eth_eth_dst_oui":"16777215","eth_eth_addr":"ff:ff:ff:ff:ff:ff",
> "eth_eth_addr_resolved":"Broadcast","eth_eth_addr_oui":"16777215",
> "eth_eth_dst_lg":true,"eth_eth_lg":true,"eth_eth_dst_ig":true,"eth_eth_ig":
> true,"eth_eth_src":"00:ab:cd:ef:01:23","eth_eth_src_resolved":"Example_ef:01:
> 23","eth_eth_src_oui":"57426","eth_eth_src_oui_resolved":"Example
> Networks","eth_eth_addr":"00:ab:cd:ef:01:23","eth_eth_addr_resolved":
> "Example_ef:01:23","eth_eth_addr_oui":"57426","eth_eth_addr_oui_resolved":
> "Example
> Networks","eth_eth_src_lg":false,"eth_eth_lg":false,"eth_eth_src_ig":false,
> "eth_eth_ig":false,"eth_eth_type":"0x00000806","eth_eth_padding":"00:00:00:
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"},"arp":{"arp_arp_hw_type":"1",
> "arp_arp_proto_type":"0x00000800","arp_arp_hw_size":"6","arp_arp_proto_size":
> "4","arp_arp_opcode":"1","arp_arp_src_hw_mac":"00:ab:cd:ef:01:23",
> "arp_arp_src_proto_ipv4":"192.168.4.1","arp_arp_dst_hw_mac":"00:00:00:00:00:
> 00","arp_arp_dst_proto_ipv4":"192.168.4.255"}}}
>     ...
> 
> {"index":{"_index":"packets-1999-05-19","_type":"doc"}}
> {"timestamp":"927161380951","layers":{"frame":{"frame_frame_encap_type":"1",
> "frame_frame_time":"1999-05-20T00:49:40.951473000Z",
> "frame_frame_offset_shift":"0.000000000","frame_frame_time_epoch":"927161380.
> 951473000","frame_frame_time_delta":"0.000092000",
> "frame_frame_time_delta_displayed":"0.000092000","frame_frame_time_relative":
> "61.242956000","frame_frame_number":"131","frame_frame_len":"60",
> "frame_frame_cap_len":"60","frame_frame_marked":false,"frame_frame_ignored":
> false,"frame_frame_file_off":"12088","frame_frame_protocols":"eth:ethertype:
> arp"},"eth":{"eth_eth_dst":"ff:ff:ff:ff:ff:ff","eth_eth_dst_resolved":
> "Broadcast","eth_eth_dst_oui":"16777215","eth_eth_addr":"ff:ff:ff:ff:ff:ff",
> "eth_eth_addr_resolved":"Broadcast","eth_eth_addr_oui":"16777215",
> "eth_eth_dst_lg":true,"eth_eth_lg":true,"eth_eth_dst_ig":true,"eth_eth_ig":
> true,"eth_eth_src":"00:ab:cd:ef:01:23","eth_eth_src_resolved":"Example_ef:01:
> 23","eth_eth_src_oui":"57426","eth_eth_src_oui_resolved":"Example
> Networks","eth_eth_addr":"00:ab:cd:ef:01:23","eth_eth_addr_resolved":
> "Example_ef:01:23","eth_eth_addr_oui":"57426","eth_eth_addr_oui_resolved":
> "Example
> Networks","eth_eth_src_lg":false,"eth_eth_lg":false,"eth_eth_src_ig":false,
> "eth_eth_ig":false,"eth_eth_type":"0x00000806","eth_eth_trailer":"52:ee:29:
> 10:00:01:00:00:00:00:00:00:00:00:00:00:00:00","_ws_expert":
> {"eth_eth_padding_bad":null,"_ws_expert__ws_expert_message":"Didn't find
> padding of zeros, and an undecoded trailer exists. There may be padding of
> non-zeros.","_ws_expert__ws_expert_severity":"4194304",
> "_ws_expert__ws_expert_group":"150994944"}},"arp":{"arp_arp_hw_type":"1",
> "arp_arp_proto_type":"0x00000800","arp_arp_hw_size":"6","arp_arp_proto_size":
> "4","arp_arp_opcode":"1","arp_arp_src_hw_mac":"00:ab:cd:ef:01:23",
> "arp_arp_src_proto_ipv4":"192.168.4.1","arp_arp_dst_hw_mac":"00:00:00:00:00:
> 00","arp_arp_dst_proto_ipv4":"192.168.4.255"}}}
> 
> Both of them have the index.
> 
> For each packet, ek puts the index on one line and all the packet fields,
> combined, on the next line.  It does not treat the entire capture as a JSON
> array (no square brackets wrapping the output).
> 
> For each packet, json puts each member with a non-object and, I presume,
> non-array value on a line by itself, with the opening and closing square
> brackets of arrays on lines separate from any of the lines of the array
> elements, and with the opening and closing curly brackets of objects on
> lines separate from the lines of the object members (but, if the array or
> object is an element in a member, the opening bracket is, apparently, on the
> same line as the key).
> 
> The NDJSON spec is, err, umm, a bit vague; "Each Line is a Valid JSON Value"
> doesn't say much, given that they then say "The most common values will be
> objects or arrays", which would seem to indicate that a format that puts a
> composite value (object or array) on a single line, and a format that puts
> each element with a "primitive" or "scalar" value (non-object, non-array,
> i.e. string, number, "true", "false", or "null") on a line by itself.
> 
> So both
> 
> [
>   {
>     "_index": "packets-1999-05-19",
>     "_type": "doc",
>     "_score": null,
>     "_source": {
>       "layers": {
>         "frame": {
>           "frame.encap_type": "1",
>           "frame.time": "May 19, 1999 17:48:39.708517000 PDT",
>           "frame.offset_shift": "0.000000000",
>           "frame.time_epoch": "927161319.708517000",
>           "frame.time_delta": "0.000000000",
>           "frame.time_delta_displayed": "0.000000000",
>           "frame.time_relative": "0.000000000",
>           "frame.number": "1",
>           "frame.len": "60",
>           "frame.cap_len": "60",
>           "frame.marked": "0",
>           "frame.ignored": "0",
>           "frame.file_off": "24",
>           "frame.protocols": "eth:ethertype:arp"
>         },
>         "eth": {
>           "eth.dst": "ff:ff:ff:ff:ff:ff",
>           "eth.dst_tree": {
>             "eth.dst_resolved": "Broadcast",
>             "eth.dst.oui": "16777215",
>             "eth.addr": "ff:ff:ff:ff:ff:ff",
>             "eth.addr_resolved": "Broadcast",
>             "eth.addr.oui": "16777215",
>             "eth.dst.lg": "1",
>             "eth.lg": "1",
>             "eth.dst.ig": "1",
>             "eth.ig": "1"
>           },
>           "eth.src": "00:ab:cd:ef:01:23",
>           "eth.src_tree": {
>             "eth.src_resolved": "Example_ef:01:23",
>             "eth.src.oui": "57426",
>             "eth.src.oui_resolved": "Example Networks",
>             "eth.addr": "00:ab:cd:ef:01:23",
>             "eth.addr_resolved": "Example_ef:01:23",
>             "eth.addr.oui": "57426",
>             "eth.addr.oui_resolved": "Example Networks",
>             "eth.src.lg": "0",
>             "eth.lg": "0",
>             "eth.src.ig": "0",
>             "eth.ig": "0"
>           },
>           "eth.type": "0x00000806",
>           "eth.padding":
> "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
>         },
>         "arp": {
>           "arp.hw.type": "1",
>           "arp.proto.type": "0x00000800",
>           "arp.hw.size": "6",
>           "arp.proto.size": "4",
>           "arp.opcode": "1",
>           "arp.src.hw_mac": "00:ab:cd:ef:01:23",
>           "arp.src.proto_ipv4": "192.168.4.1",
>           "arp.dst.hw_mac": "00:00:00:00:00:00",
>           "arp.dst.proto_ipv4": "192.168.4.255"
>         }
>       }
>     }
>   },
> 
>       ...
> 
>   {
>     "_index": "packets-1999-05-19",
>     "_type": "doc",
>     "_score": null,
>     "_source": {
>       "layers": {
>         "frame": {
>           "frame.encap_type": "1",
>           "frame.time": "May 19, 1999 17:49:40.951473000 PDT",
>           "frame.offset_shift": "0.000000000",
>           "frame.time_epoch": "927161380.951473000",
>           "frame.time_delta": "0.000092000",
>           "frame.time_delta_displayed": "0.000092000",
>           "frame.time_relative": "61.242956000",
>           "frame.number": "131",
>           "frame.len": "60",
>           "frame.cap_len": "60",
>           "frame.marked": "0",
>           "frame.ignored": "0",
>           "frame.file_off": "12088",
>           "frame.protocols": "eth:ethertype:arp"
>         },
>         "eth": {
>           "eth.dst": "ff:ff:ff:ff:ff:ff",
>           "eth.dst_tree": {
>             "eth.dst_resolved": "Broadcast",
>             "eth.dst.oui": "16777215",
>             "eth.addr": "ff:ff:ff:ff:ff:ff",
>             "eth.addr_resolved": "Broadcast",
>             "eth.addr.oui": "16777215",
>             "eth.dst.lg": "1",
>             "eth.lg": "1",
>             "eth.dst.ig": "1",
>             "eth.ig": "1"
>           },
>           "eth.src": "00:ab:cd:ef:01:23",
>           "eth.src_tree": {
>             "eth.src_resolved": "Example_ef:01:23",
>             "eth.src.oui": "57426",
>             "eth.src.oui_resolved": "Example Networks",
>             "eth.addr": "00:ab:cd:ef:01:23",
>             "eth.addr_resolved": "Example_ef:01:23",
>             "eth.addr.oui": "57426",
>             "eth.addr.oui_resolved": "Example Networks",
>             "eth.src.lg": "0",
>             "eth.lg": "0",
>             "eth.src.ig": "0",
>             "eth.ig": "0"
>           },
>           "eth.type": "0x00000806",
>           "eth.trailer":
> "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00",
>           "eth.trailer_tree": {
>             "_ws.expert": {
>               "eth.padding_bad": "",
>               "_ws.expert.message": "Didn't find padding of zeros, and an
> undecoded trailer exists. There may be padding of non-zeros.",
>               "_ws.expert.severity": "4194304",
>               "_ws.expert.group": "150994944"
>             }
>           }
>         },
>         "arp": {
>           "arp.hw.type": "1",
>           "arp.proto.type": "0x00000800",
>           "arp.hw.size": "6",
>           "arp.proto.size": "4",
>           "arp.opcode": "1",
>           "arp.src.hw_mac": "00:ab:cd:ef:01:23",
>           "arp.src.proto_ipv4": "192.168.4.1",
>           "arp.dst.hw_mac": "00:00:00:00:00:00",
>           "arp.dst.proto_ipv4": "192.168.4.255"
>         }
>       }
>     }
>   }
> ]
> 
> and
> 
> [
>   {
>     "_index": "packets-1999-05-19",
>     "_type": "doc",
>     "_score": null,
>     "_source": {
>       "layers": {
>         "frame": {
>           "frame.encap_type": "1",
>           "frame.time": "May 19, 1999 17:48:39.708517000 PDT",
>           "frame.offset_shift": "0.000000000",
>           "frame.time_epoch": "927161319.708517000",
>           "frame.time_delta": "0.000000000",
>           "frame.time_delta_displayed": "0.000000000",
>           "frame.time_relative": "0.000000000",
>           "frame.number": "1",
>           "frame.len": "60",
>           "frame.cap_len": "60",
>           "frame.marked": "0",
>           "frame.ignored": "0",
>           "frame.file_off": "24",
>           "frame.protocols": "eth:ethertype:arp"
>         },
>         "eth": {
>           "eth.dst": "ff:ff:ff:ff:ff:ff",
>           "eth.dst_tree": {
>             "eth.dst_resolved": "Broadcast",
>             "eth.dst.oui": "16777215",
>             "eth.addr": "ff:ff:ff:ff:ff:ff",
>             "eth.addr_resolved": "Broadcast",
>             "eth.addr.oui": "16777215",
>             "eth.dst.lg": "1",
>             "eth.lg": "1",
>             "eth.dst.ig": "1",
>             "eth.ig": "1"
>           },
>           "eth.src": "00:ab:cd:ef:01:23",
>           "eth.src_tree": {
>             "eth.src_resolved": "Example_ef:01:23",
>             "eth.src.oui": "57426",
>             "eth.src.oui_resolved": "Example Networks",
>             "eth.addr": "00:ab:cd:ef:01:23",
>             "eth.addr_resolved": "Example_ef:01:23",
>             "eth.addr.oui": "57426",
>             "eth.addr.oui_resolved": "Example Networks",
>             "eth.src.lg": "0",
>             "eth.lg": "0",
>             "eth.src.ig": "0",
>             "eth.ig": "0"
>           },
>           "eth.type": "0x00000806",
>           "eth.padding":
> "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
>         },
>         "arp": {
>           "arp.hw.type": "1",
>           "arp.proto.type": "0x00000800",
>           "arp.hw.size": "6",
>           "arp.proto.size": "4",
>           "arp.opcode": "1",
>           "arp.src.hw_mac": "00:ab:cd:ef:01:23",
>           "arp.src.proto_ipv4": "192.168.4.1",
>           "arp.dst.hw_mac": "00:00:00:00:00:00",
>           "arp.dst.proto_ipv4": "192.168.4.255"
>         }
>       }
>     }
>   },
> 
>       ...
> 
>   {
>     "_index": "packets-1999-05-19",
>     "_type": "doc",
>     "_score": null,
>     "_source": {
>       "layers": {
>         "frame": {
>           "frame.encap_type": "1",
>           "frame.time": "May 19, 1999 17:49:40.951473000 PDT",
>           "frame.offset_shift": "0.000000000",
>           "frame.time_epoch": "927161380.951473000",
>           "frame.time_delta": "0.000092000",
>           "frame.time_delta_displayed": "0.000092000",
>           "frame.time_relative": "61.242956000",
>           "frame.number": "131",
>           "frame.len": "60",
>           "frame.cap_len": "60",
>           "frame.marked": "0",
>           "frame.ignored": "0",
>           "frame.file_off": "12088",
>           "frame.protocols": "eth:ethertype:arp"
>         },
>         "eth": {
>           "eth.dst": "ff:ff:ff:ff:ff:ff",
>           "eth.dst_tree": {
>             "eth.dst_resolved": "Broadcast",
>             "eth.dst.oui": "16777215",
>             "eth.addr": "ff:ff:ff:ff:ff:ff",
>             "eth.addr_resolved": "Broadcast",
>             "eth.addr.oui": "16777215",
>             "eth.dst.lg": "1",
>             "eth.lg": "1",
>             "eth.dst.ig": "1",
>             "eth.ig": "1"
>           },
>           "eth.src": "00:ab:cd:ef:01:23",
>           "eth.src_tree": {
>             "eth.src_resolved": "Example_ef:01:23",
>             "eth.src.oui": "57426",
>             "eth.src.oui_resolved": "Example Networks",
>             "eth.addr": "00:ab:cd:ef:01:23",
>             "eth.addr_resolved": "Example_ef:01:23",
>             "eth.addr.oui": "57426",
>             "eth.addr.oui_resolved": "Example Networks",
>             "eth.src.lg": "0",
>             "eth.lg": "0",
>             "eth.src.ig": "0",
>             "eth.ig": "0"
>           },
>           "eth.type": "0x00000806",
>           "eth.trailer":
> "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00",
>           "eth.trailer_tree": {
>             "_ws.expert": {
>               "eth.padding_bad": "",
>               "_ws.expert.message": "Didn't find padding of zeros, and an
> undecoded trailer exists. There may be padding of non-zeros.",
>               "_ws.expert.severity": "4194304",
>               "_ws.expert.group": "150994944"
>             }
>           }
>         },
>         "arp": {
>           "arp.hw.type": "1",
>           "arp.proto.type": "0x00000800",
>           "arp.hw.size": "6",
>           "arp.proto.size": "4",
>           "arp.opcode": "1",
>           "arp.src.hw_mac": "00:ab:cd:ef:01:23",
>           "arp.src.proto_ipv4": "192.168.4.1",
>           "arp.dst.hw_mac": "00:00:00:00:00:00",
>           "arp.dst.proto_ipv4": "192.168.4.255"
>         }
>       }
>     }
>   }
> ]
> 
> and
> 
> [
>   { "_index": "packets-1999-05-19", "_type": "doc", "_score": null,
> "_source": { "layers": { "frame": { "frame.encap_type": "1", "frame.time":
> "May 19, 1999 17:48:39.708517000 PDT", "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161319.708517000", "frame.time_delta":
> "0.000000000", "frame.time_delta_displayed": "0.000000000",
> "frame.time_relative": "0.000000000", "frame.number": "1", "frame.len":
> "60", "frame.cap_len": "60", "frame.marked": "0", "frame.ignored": "0",
> "frame.file_off": "24", "frame.protocols": "eth:ethertype:arp" }, "eth": {
> "eth.dst": "ff:ff:ff:ff:ff:ff", "eth.dst_tree": { "eth.dst_resolved":
> "Broadcast", "eth.dst.oui": "16777215", "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast", "eth.addr.oui": "16777215", "eth.dst.lg":
> "1", "eth.lg": "1", "eth.dst.ig": "1", "eth.ig": "1" }, "eth.src":
> "00:ab:cd:ef:01:23", "eth.src_tree": { "eth.src_resolved":
> "Example_ef:01:23", "eth.src.oui": "57426", "eth.src.oui_resolved": "Example
> Networks", "eth.addr": "00:ab:cd:ef:01:23", "eth.addr_resolved":
> "Example_ef:01:23", "eth.addr.oui": "57426", "eth.addr.oui_resolved":
> "Example Networks", "eth.src.lg": "0", "eth.lg": "0", "eth.src.ig": "0",
> "eth.ig": "0" }, "eth.type": "0x00000806", "eth.padding":
> "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" }, "arp": {
> "arp.hw.type": "1", "arp.proto.type": "0x00000800", "arp.hw.size": "6",
> "arp.proto.size": "4", "arp.opcode": "1", "arp.src.hw_mac":
> "00:ab:cd:ef:01:23", "arp.src.proto_ipv4": "192.168.4.1", "arp.dst.hw_mac":
> "00:00:00:00:00:00", "arp.dst.proto_ipv4": "192.168.4.255" } } } },
> 
>       ...
> 
>   { "_index": "packets-1999-05-19", "_type": "doc", "_score": null,
> "_source": { "layers": { "frame": { "frame.encap_type": "1", "frame.time":
> "May 19, 1999 17:49:40.951473000 PDT", "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161380.951473000", "frame.time_delta":
> "0.000092000", "frame.time_delta_displayed": "0.000092000",
> "frame.time_relative": "61.242956000", "frame.number": "131", "frame.len":
> "60", "frame.cap_len": "60", "frame.marked": "0", "frame.ignored": "0",
> "frame.file_off": "12088", "frame.protocols": "eth:ethertype:arp" }, "eth":
> { "eth.dst": "ff:ff:ff:ff:ff:ff", "eth.dst_tree": { "eth.dst_resolved":
> "Broadcast", "eth.dst.oui": "16777215", "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast", "eth.addr.oui": "16777215", "eth.dst.lg":
> "1", "eth.lg": "1", "eth.dst.ig": "1", "eth.ig": "1" }, "eth.src":
> "00:ab:cd:ef:01:23", "eth.src_tree": { "eth.src_resolved":
> "Example_ef:01:23", "eth.src.oui": "57426", "eth.src.oui_resolved": "Example
> Networks", "eth.addr": "00:ab:cd:ef:01:23", "eth.addr_resolved":
> "Example_ef:01:23", "eth.addr.oui": "57426", "eth.addr.oui_resolved":
> "Example Networks", "eth.src.lg": "0", "eth.lg": "0", "eth.src.ig": "0",
> "eth.ig": "0" }, "eth.type": "0x00000806", "eth.trailer":
> "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00", "eth.trailer_tree":
> { "_ws.expert": { "eth.padding_bad": "", "_ws.expert.message": "Didn't find
> padding of zeros, and an undecoded trailer exists. There may be padding of
> non-zeros.", "_ws.expert.severity": "4194304", "_ws.expert.group":
> "150994944" } } }, "arp": { "arp.hw.type": "1", "arp.proto.type":
> "0x00000800", "arp.hw.size": "6", "arp.proto.size": "4", "arp.opcode": "1",
> "arp.src.hw_mac": "00:ab:cd:ef:01:23", "arp.src.proto_ipv4": "192.168.4.1",
> "arp.dst.hw_mac": "00:00:00:00:00:00", "arp.dst.proto_ipv4": "192.168.4.255"
> } } } }
> ]
> 
> would appear to be valid NDJSON (the only difference is that the latter has
> a bunch of newlines replaced by spaces).

As you said the NDJSON spec is a bit vague but I am confident that this json
option  with newlines replaced by spaces would not be considered as a valid
NDJSON because of the array definition. 

In other words the first and last lines (containing "[" and "]") wouldn't be
considered valid json objects.
Also the comma at the end of each object in the array would cause a syntax
error.

> 
> So it sounds as if you want a format that:
> 
> 1) doesn't have the indices;

Yes. The EK format is perfect but currently I would have to parse-out those
index definition that are designed for ElasticSearch
> 
> 2) represents tha packet data as JSON in some fashion.
Similar to CSV where each line is a different row, NDJSON has a different
record per line but in json format.
> 
> What's an example of the format you want?  Show an example with two packets.

These are the two packets from your example but without the array definition [
] and the comma after the first record.

{ "_index": "packets-1999-05-19", "_type": "doc", "_score": null, "_source": {
"layers": { "frame": { "frame.encap_type": "1", "frame.time":  "May 19, 1999
7:48:39.708517000 PDT", "frame.offset_shift": "0.000000000", 
"frame.time_epoch": "927161319.708517000", "frame.time_delta": "0.000000000",
"frame.time_delta_displayed": "0.000000000", "frame.time_relative":
"0.000000000", "frame.number": "1", "frame.len": "60", "frame.cap_len": "60",
"frame.marked": "0", "frame.ignored": "0", "frame.file_off": "24",
"frame.protocols": "eth:ethertype:arp" }, "eth": { "eth.dst":
"ff:ff:ff:ff:ff:ff", "eth.dst_tree": { "eth.dst_resolved": "Broadcast",
"eth.dst.oui": "16777215", "eth.addr": "ff:ff:ff:ff:ff:ff",
"eth.addr_resolved": "Broadcast", "eth.addr.oui": "16777215", "eth.dst.lg":
"1", "eth.lg": "1", "eth.dst.ig": "1", "eth.ig": "1" }, "eth.src":
"00:ab:cd:ef:01:23", "eth.src_tree": { "eth.src_resolved": "Example_ef:01:23",
"eth.src.oui": "57426", "eth.src.oui_resolved": "Example Networks", "eth.addr":
"00:ab:cd:ef:01:23", "eth.addr_resolved": "Example_ef:01:23", "eth.addr.oui":
"57426", "eth.addr.oui_resolved": "Example Networks", "eth.src.lg": "0",
"eth.lg": "0", "eth.src.ig": "0", "eth.ig": "0" }, "eth.type": "0x00000806",
"eth.padding": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" },
"arp": { "arp.hw.type": "1", "arp.proto.type": "0x00000800", "arp.hw.size":
"6", "arp.proto.size": "4", "arp.opcode": "1", "arp.src.hw_mac":
"00:ab:cd:ef:01:23", "arp.src.proto_ipv4": "192.168.4.1", "arp.dst.hw_mac":
"00:00:00:00:00:00", "arp.dst.proto_ipv4": "192.168.4.255" } } } }
{ "_index": "packets-1999-05-19", "_type": "doc", "_score": null, "_source": {
"layers": { "frame": { "frame.encap_type": "1", "frame.time": "May 19, 1999
17:49:40.951473000 PDT", "frame.offset_shift": "0.000000000",
"frame.time_epoch": "927161380.951473000", "frame.time_delta": "0.000092000",
"frame.time_delta_displayed": "0.000092000", "frame.time_relative":
"61.242956000", "frame.number": "131", "frame.len": "60", "frame.cap_len":
"60", "frame.marked": "0", "frame.ignored": "0", "frame.file_off": "12088",
"frame.protocols": "eth:ethertype:arp" }, "eth": { "eth.dst":
"ff:ff:ff:ff:ff:ff", "eth.dst_tree": { "eth.dst_resolved": "Broadcast",
"eth.dst.oui": "16777215", "eth.addr": "ff:ff:ff:ff:ff:ff",
"eth.addr_resolved": "Broadcast", "eth.addr.oui": "16777215", "eth.dst.lg":
"1", "eth.lg": "1", "eth.dst.ig": "1", "eth.ig": "1" }, "eth.src":
"00:ab:cd:ef:01:23", "eth.src_tree": { "eth.src_resolved": "Example_ef:01:23",
"eth.src.oui": "57426", "eth.src.oui_resolved": "Example Networks", "eth.addr":
"00:ab:cd:ef:01:23", "eth.addr_resolved": "Example_ef:01:23", "eth.addr.oui":
"57426", "eth.addr.oui_resolved": "Example Networks", "eth.src.lg": "0",
"eth.lg": "0", "eth.src.ig": "0", "eth.ig": "0" }, "eth.type": "0x00000806",
"eth.trailer": "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00",
"eth.trailer_tree": { "_ws.expert": { "eth.padding_bad": "",
"_ws.expert.message": "Didn't find padding of zeros, and an undecoded trailer
exists. There may be padding of non-zeros.", "_ws.expert.severity": "4194304",
"_ws.expert.group": "150994944" } } }, "arp": { "arp.hw.type": "1",
"arp.proto.type": "0x00000800", "arp.hw.size": "6", "arp.proto.size": "4",
"arp.opcode": "1", "arp.src.hw_mac": "00:ab:cd:ef:01:23", "arp.src.proto_ipv4":
"192.168.4.1", "arp.dst.hw_mac": "00:00:00:00:00:00", "arp.dst.proto_ipv4":
"192.168.4.255" } } } }

-- 
You are receiving this mail because:
You are watching all bug changes.

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16656] Add NDJSON output format

Reply via email to