https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16656
--- Comment #7 from Santiago Ciciliani <santiago.cicili...@gmail.com> ---
(In reply to Guy Harris from comment #4)
> Currently, we have:
>
> "json", which looks like
>
> [
> {
> "_index": "packets-1999-05-19",
> "_type": "doc",
> "_score": null,
> "_source": {
> "layers": {
> "frame": {
> "frame.encap_type": "1",
> "frame.time": "May 19, 1999 17:48:39.708517000 PDT",
> "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161319.708517000",
> "frame.time_delta": "0.000000000",
> "frame.time_delta_displayed": "0.000000000",
> "frame.time_relative": "0.000000000",
> "frame.number": "1",
> "frame.len": "60",
> "frame.cap_len": "60",
> "frame.marked": "0",
> "frame.ignored": "0",
> "frame.file_off": "24",
> "frame.protocols": "eth:ethertype:arp"
> },
> "eth": {
> "eth.dst": "ff:ff:ff:ff:ff:ff",
> "eth.dst_tree": {
> "eth.dst_resolved": "Broadcast",
> "eth.dst.oui": "16777215",
> "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast",
> "eth.addr.oui": "16777215",
> "eth.dst.lg": "1",
> "eth.lg": "1",
> "eth.dst.ig": "1",
> "eth.ig": "1"
> },
> "eth.src": "00:ab:cd:ef:01:23",
> "eth.src_tree": {
> "eth.src_resolved": "Example_ef:01:23",
> "eth.src.oui": "57426",
> "eth.src.oui_resolved": "Example Networks",
> "eth.addr": "00:ab:cd:ef:01:23",
> "eth.addr_resolved": "Example_ef:01:23",
> "eth.addr.oui": "57426",
> "eth.addr.oui_resolved": "Example Networks",
> "eth.src.lg": "0",
> "eth.lg": "0",
> "eth.src.ig": "0",
> "eth.ig": "0"
> },
> "eth.type": "0x00000806",
> "eth.padding":
> "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
> },
> "arp": {
> "arp.hw.type": "1",
> "arp.proto.type": "0x00000800",
> "arp.hw.size": "6",
> "arp.proto.size": "4",
> "arp.opcode": "1",
> "arp.src.hw_mac": "00:ab:cd:ef:01:23",
> "arp.src.proto_ipv4": "192.168.4.1",
> "arp.dst.hw_mac": "00:00:00:00:00:00",
> "arp.dst.proto_ipv4": "192.168.4.255"
> }
> }
> }
> },
>
> ...
>
> {
> "_index": "packets-1999-05-19",
> "_type": "doc",
> "_score": null,
> "_source": {
> "layers": {
> "frame": {
> "frame.encap_type": "1",
> "frame.time": "May 19, 1999 17:49:40.951473000 PDT",
> "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161380.951473000",
> "frame.time_delta": "0.000092000",
> "frame.time_delta_displayed": "0.000092000",
> "frame.time_relative": "61.242956000",
> "frame.number": "131",
> "frame.len": "60",
> "frame.cap_len": "60",
> "frame.marked": "0",
> "frame.ignored": "0",
> "frame.file_off": "12088",
> "frame.protocols": "eth:ethertype:arp"
> },
> "eth": {
> "eth.dst": "ff:ff:ff:ff:ff:ff",
> "eth.dst_tree": {
> "eth.dst_resolved": "Broadcast",
> "eth.dst.oui": "16777215",
> "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast",
> "eth.addr.oui": "16777215",
> "eth.dst.lg": "1",
> "eth.lg": "1",
> "eth.dst.ig": "1",
> "eth.ig": "1"
> },
> "eth.src": "00:ab:cd:ef:01:23",
> "eth.src_tree": {
> "eth.src_resolved": "Example_ef:01:23",
> "eth.src.oui": "57426",
> "eth.src.oui_resolved": "Example Networks",
> "eth.addr": "00:ab:cd:ef:01:23",
> "eth.addr_resolved": "Example_ef:01:23",
> "eth.addr.oui": "57426",
> "eth.addr.oui_resolved": "Example Networks",
> "eth.src.lg": "0",
> "eth.lg": "0",
> "eth.src.ig": "0",
> "eth.ig": "0"
> },
> "eth.type": "0x00000806",
> "eth.trailer":
> "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00",
> "eth.trailer_tree": {
> "_ws.expert": {
> "eth.padding_bad": "",
> "_ws.expert.message": "Didn't find padding of zeros, and an
> undecoded trailer exists. There may be padding of non-zeros.",
> "_ws.expert.severity": "4194304",
> "_ws.expert.group": "150994944"
> }
> }
> },
> "arp": {
> "arp.hw.type": "1",
> "arp.proto.type": "0x00000800",
> "arp.hw.size": "6",
> "arp.proto.size": "4",
> "arp.opcode": "1",
> "arp.src.hw_mac": "00:ab:cd:ef:01:23",
> "arp.src.proto_ipv4": "192.168.4.1",
> "arp.dst.hw_mac": "00:00:00:00:00:00",
> "arp.dst.proto_ipv4": "192.168.4.255"
> }
> }
> }
> }
> ]
>
> and "ek", which looks like:
>
> {"index":{"_index":"packets-1999-05-19","_type":"doc"}}
> {"timestamp":"927161319708","layers":{"frame":{"frame_frame_encap_type":"1",
> "frame_frame_time":"1999-05-20T00:48:39.708517000Z",
> "frame_frame_offset_shift":"0.000000000","frame_frame_time_epoch":"927161319.
> 708517000","frame_frame_time_delta":"0.000000000",
> "frame_frame_time_delta_displayed":"0.000000000","frame_frame_time_relative":
> "0.000000000","frame_frame_number":"1","frame_frame_len":"60",
> "frame_frame_cap_len":"60","frame_frame_marked":false,"frame_frame_ignored":
> false,"frame_frame_file_off":"24","frame_frame_protocols":"eth:ethertype:
> arp"},"eth":{"eth_eth_dst":"ff:ff:ff:ff:ff:ff","eth_eth_dst_resolved":
> "Broadcast","eth_eth_dst_oui":"16777215","eth_eth_addr":"ff:ff:ff:ff:ff:ff",
> "eth_eth_addr_resolved":"Broadcast","eth_eth_addr_oui":"16777215",
> "eth_eth_dst_lg":true,"eth_eth_lg":true,"eth_eth_dst_ig":true,"eth_eth_ig":
> true,"eth_eth_src":"00:ab:cd:ef:01:23","eth_eth_src_resolved":"Example_ef:01:
> 23","eth_eth_src_oui":"57426","eth_eth_src_oui_resolved":"Example
> Networks","eth_eth_addr":"00:ab:cd:ef:01:23","eth_eth_addr_resolved":
> "Example_ef:01:23","eth_eth_addr_oui":"57426","eth_eth_addr_oui_resolved":
> "Example
> Networks","eth_eth_src_lg":false,"eth_eth_lg":false,"eth_eth_src_ig":false,
> "eth_eth_ig":false,"eth_eth_type":"0x00000806","eth_eth_padding":"00:00:00:
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"},"arp":{"arp_arp_hw_type":"1",
> "arp_arp_proto_type":"0x00000800","arp_arp_hw_size":"6","arp_arp_proto_size":
> "4","arp_arp_opcode":"1","arp_arp_src_hw_mac":"00:ab:cd:ef:01:23",
> "arp_arp_src_proto_ipv4":"192.168.4.1","arp_arp_dst_hw_mac":"00:00:00:00:00:
> 00","arp_arp_dst_proto_ipv4":"192.168.4.255"}}}
> ...
>
> {"index":{"_index":"packets-1999-05-19","_type":"doc"}}
> {"timestamp":"927161380951","layers":{"frame":{"frame_frame_encap_type":"1",
> "frame_frame_time":"1999-05-20T00:49:40.951473000Z",
> "frame_frame_offset_shift":"0.000000000","frame_frame_time_epoch":"927161380.
> 951473000","frame_frame_time_delta":"0.000092000",
> "frame_frame_time_delta_displayed":"0.000092000","frame_frame_time_relative":
> "61.242956000","frame_frame_number":"131","frame_frame_len":"60",
> "frame_frame_cap_len":"60","frame_frame_marked":false,"frame_frame_ignored":
> false,"frame_frame_file_off":"12088","frame_frame_protocols":"eth:ethertype:
> arp"},"eth":{"eth_eth_dst":"ff:ff:ff:ff:ff:ff","eth_eth_dst_resolved":
> "Broadcast","eth_eth_dst_oui":"16777215","eth_eth_addr":"ff:ff:ff:ff:ff:ff",
> "eth_eth_addr_resolved":"Broadcast","eth_eth_addr_oui":"16777215",
> "eth_eth_dst_lg":true,"eth_eth_lg":true,"eth_eth_dst_ig":true,"eth_eth_ig":
> true,"eth_eth_src":"00:ab:cd:ef:01:23","eth_eth_src_resolved":"Example_ef:01:
> 23","eth_eth_src_oui":"57426","eth_eth_src_oui_resolved":"Example
> Networks","eth_eth_addr":"00:ab:cd:ef:01:23","eth_eth_addr_resolved":
> "Example_ef:01:23","eth_eth_addr_oui":"57426","eth_eth_addr_oui_resolved":
> "Example
> Networks","eth_eth_src_lg":false,"eth_eth_lg":false,"eth_eth_src_ig":false,
> "eth_eth_ig":false,"eth_eth_type":"0x00000806","eth_eth_trailer":"52:ee:29:
> 10:00:01:00:00:00:00:00:00:00:00:00:00:00:00","_ws_expert":
> {"eth_eth_padding_bad":null,"_ws_expert__ws_expert_message":"Didn't find
> padding of zeros, and an undecoded trailer exists. There may be padding of
> non-zeros.","_ws_expert__ws_expert_severity":"4194304",
> "_ws_expert__ws_expert_group":"150994944"}},"arp":{"arp_arp_hw_type":"1",
> "arp_arp_proto_type":"0x00000800","arp_arp_hw_size":"6","arp_arp_proto_size":
> "4","arp_arp_opcode":"1","arp_arp_src_hw_mac":"00:ab:cd:ef:01:23",
> "arp_arp_src_proto_ipv4":"192.168.4.1","arp_arp_dst_hw_mac":"00:00:00:00:00:
> 00","arp_arp_dst_proto_ipv4":"192.168.4.255"}}}
>
> Both of them have the index.
>
> For each packet, ek puts the index on one line and all the packet fields,
> combined, on the next line. It does not treat the entire capture as a JSON
> array (no square brackets wrapping the output).
>
> For each packet, json puts each member with a non-object and, I presume,
> non-array value on a line by itself, with the opening and closing square
> brackets of arrays on lines separate from any of the lines of the array
> elements, and with the opening and closing curly brackets of objects on
> lines separate from the lines of the object members (but, if the array or
> object is an element in a member, the opening bracket is, apparently, on the
> same line as the key).
>
> The NDJSON spec is, err, umm, a bit vague; "Each Line is a Valid JSON Value"
> doesn't say much, given that they then say "The most common values will be
> objects or arrays", which would seem to indicate that a format that puts a
> composite value (object or array) on a single line, and a format that puts
> each element with a "primitive" or "scalar" value (non-object, non-array,
> i.e. string, number, "true", "false", or "null") on a line by itself, would
> both qualify.
>
> So both
>
> [
> {
> "_index": "packets-1999-05-19",
> "_type": "doc",
> "_score": null,
> "_source": {
> "layers": {
> "frame": {
> "frame.encap_type": "1",
> "frame.time": "May 19, 1999 17:48:39.708517000 PDT",
> "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161319.708517000",
> "frame.time_delta": "0.000000000",
> "frame.time_delta_displayed": "0.000000000",
> "frame.time_relative": "0.000000000",
> "frame.number": "1",
> "frame.len": "60",
> "frame.cap_len": "60",
> "frame.marked": "0",
> "frame.ignored": "0",
> "frame.file_off": "24",
> "frame.protocols": "eth:ethertype:arp"
> },
> "eth": {
> "eth.dst": "ff:ff:ff:ff:ff:ff",
> "eth.dst_tree": {
> "eth.dst_resolved": "Broadcast",
> "eth.dst.oui": "16777215",
> "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast",
> "eth.addr.oui": "16777215",
> "eth.dst.lg": "1",
> "eth.lg": "1",
> "eth.dst.ig": "1",
> "eth.ig": "1"
> },
> "eth.src": "00:ab:cd:ef:01:23",
> "eth.src_tree": {
> "eth.src_resolved": "Example_ef:01:23",
> "eth.src.oui": "57426",
> "eth.src.oui_resolved": "Example Networks",
> "eth.addr": "00:ab:cd:ef:01:23",
> "eth.addr_resolved": "Example_ef:01:23",
> "eth.addr.oui": "57426",
> "eth.addr.oui_resolved": "Example Networks",
> "eth.src.lg": "0",
> "eth.lg": "0",
> "eth.src.ig": "0",
> "eth.ig": "0"
> },
> "eth.type": "0x00000806",
> "eth.padding":
> "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
> },
> "arp": {
> "arp.hw.type": "1",
> "arp.proto.type": "0x00000800",
> "arp.hw.size": "6",
> "arp.proto.size": "4",
> "arp.opcode": "1",
> "arp.src.hw_mac": "00:ab:cd:ef:01:23",
> "arp.src.proto_ipv4": "192.168.4.1",
> "arp.dst.hw_mac": "00:00:00:00:00:00",
> "arp.dst.proto_ipv4": "192.168.4.255"
> }
> }
> }
> },
>
> ...
>
> {
> "_index": "packets-1999-05-19",
> "_type": "doc",
> "_score": null,
> "_source": {
> "layers": {
> "frame": {
> "frame.encap_type": "1",
> "frame.time": "May 19, 1999 17:49:40.951473000 PDT",
> "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161380.951473000",
> "frame.time_delta": "0.000092000",
> "frame.time_delta_displayed": "0.000092000",
> "frame.time_relative": "61.242956000",
> "frame.number": "131",
> "frame.len": "60",
> "frame.cap_len": "60",
> "frame.marked": "0",
> "frame.ignored": "0",
> "frame.file_off": "12088",
> "frame.protocols": "eth:ethertype:arp"
> },
> "eth": {
> "eth.dst": "ff:ff:ff:ff:ff:ff",
> "eth.dst_tree": {
> "eth.dst_resolved": "Broadcast",
> "eth.dst.oui": "16777215",
> "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast",
> "eth.addr.oui": "16777215",
> "eth.dst.lg": "1",
> "eth.lg": "1",
> "eth.dst.ig": "1",
> "eth.ig": "1"
> },
> "eth.src": "00:ab:cd:ef:01:23",
> "eth.src_tree": {
> "eth.src_resolved": "Example_ef:01:23",
> "eth.src.oui": "57426",
> "eth.src.oui_resolved": "Example Networks",
> "eth.addr": "00:ab:cd:ef:01:23",
> "eth.addr_resolved": "Example_ef:01:23",
> "eth.addr.oui": "57426",
> "eth.addr.oui_resolved": "Example Networks",
> "eth.src.lg": "0",
> "eth.lg": "0",
> "eth.src.ig": "0",
> "eth.ig": "0"
> },
> "eth.type": "0x00000806",
> "eth.trailer":
> "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00",
> "eth.trailer_tree": {
> "_ws.expert": {
> "eth.padding_bad": "",
> "_ws.expert.message": "Didn't find padding of zeros, and an
> undecoded trailer exists. There may be padding of non-zeros.",
> "_ws.expert.severity": "4194304",
> "_ws.expert.group": "150994944"
> }
> }
> },
> "arp": {
> "arp.hw.type": "1",
> "arp.proto.type": "0x00000800",
> "arp.hw.size": "6",
> "arp.proto.size": "4",
> "arp.opcode": "1",
> "arp.src.hw_mac": "00:ab:cd:ef:01:23",
> "arp.src.proto_ipv4": "192.168.4.1",
> "arp.dst.hw_mac": "00:00:00:00:00:00",
> "arp.dst.proto_ipv4": "192.168.4.255"
> }
> }
> }
> }
> ]
>
> and
>
> [
> {
> "_index": "packets-1999-05-19",
> "_type": "doc",
> "_score": null,
> "_source": {
> "layers": {
> "frame": {
> "frame.encap_type": "1",
> "frame.time": "May 19, 1999 17:48:39.708517000 PDT",
> "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161319.708517000",
> "frame.time_delta": "0.000000000",
> "frame.time_delta_displayed": "0.000000000",
> "frame.time_relative": "0.000000000",
> "frame.number": "1",
> "frame.len": "60",
> "frame.cap_len": "60",
> "frame.marked": "0",
> "frame.ignored": "0",
> "frame.file_off": "24",
> "frame.protocols": "eth:ethertype:arp"
> },
> "eth": {
> "eth.dst": "ff:ff:ff:ff:ff:ff",
> "eth.dst_tree": {
> "eth.dst_resolved": "Broadcast",
> "eth.dst.oui": "16777215",
> "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast",
> "eth.addr.oui": "16777215",
> "eth.dst.lg": "1",
> "eth.lg": "1",
> "eth.dst.ig": "1",
> "eth.ig": "1"
> },
> "eth.src": "00:ab:cd:ef:01:23",
> "eth.src_tree": {
> "eth.src_resolved": "Example_ef:01:23",
> "eth.src.oui": "57426",
> "eth.src.oui_resolved": "Example Networks",
> "eth.addr": "00:ab:cd:ef:01:23",
> "eth.addr_resolved": "Example_ef:01:23",
> "eth.addr.oui": "57426",
> "eth.addr.oui_resolved": "Example Networks",
> "eth.src.lg": "0",
> "eth.lg": "0",
> "eth.src.ig": "0",
> "eth.ig": "0"
> },
> "eth.type": "0x00000806",
> "eth.padding":
> "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
> },
> "arp": {
> "arp.hw.type": "1",
> "arp.proto.type": "0x00000800",
> "arp.hw.size": "6",
> "arp.proto.size": "4",
> "arp.opcode": "1",
> "arp.src.hw_mac": "00:ab:cd:ef:01:23",
> "arp.src.proto_ipv4": "192.168.4.1",
> "arp.dst.hw_mac": "00:00:00:00:00:00",
> "arp.dst.proto_ipv4": "192.168.4.255"
> }
> }
> }
> },
>
> ...
>
> {
> "_index": "packets-1999-05-19",
> "_type": "doc",
> "_score": null,
> "_source": {
> "layers": {
> "frame": {
> "frame.encap_type": "1",
> "frame.time": "May 19, 1999 17:49:40.951473000 PDT",
> "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161380.951473000",
> "frame.time_delta": "0.000092000",
> "frame.time_delta_displayed": "0.000092000",
> "frame.time_relative": "61.242956000",
> "frame.number": "131",
> "frame.len": "60",
> "frame.cap_len": "60",
> "frame.marked": "0",
> "frame.ignored": "0",
> "frame.file_off": "12088",
> "frame.protocols": "eth:ethertype:arp"
> },
> "eth": {
> "eth.dst": "ff:ff:ff:ff:ff:ff",
> "eth.dst_tree": {
> "eth.dst_resolved": "Broadcast",
> "eth.dst.oui": "16777215",
> "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast",
> "eth.addr.oui": "16777215",
> "eth.dst.lg": "1",
> "eth.lg": "1",
> "eth.dst.ig": "1",
> "eth.ig": "1"
> },
> "eth.src": "00:ab:cd:ef:01:23",
> "eth.src_tree": {
> "eth.src_resolved": "Example_ef:01:23",
> "eth.src.oui": "57426",
> "eth.src.oui_resolved": "Example Networks",
> "eth.addr": "00:ab:cd:ef:01:23",
> "eth.addr_resolved": "Example_ef:01:23",
> "eth.addr.oui": "57426",
> "eth.addr.oui_resolved": "Example Networks",
> "eth.src.lg": "0",
> "eth.lg": "0",
> "eth.src.ig": "0",
> "eth.ig": "0"
> },
> "eth.type": "0x00000806",
> "eth.trailer":
> "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00",
> "eth.trailer_tree": {
> "_ws.expert": {
> "eth.padding_bad": "",
> "_ws.expert.message": "Didn't find padding of zeros, and an
> undecoded trailer exists. There may be padding of non-zeros.",
> "_ws.expert.severity": "4194304",
> "_ws.expert.group": "150994944"
> }
> }
> },
> "arp": {
> "arp.hw.type": "1",
> "arp.proto.type": "0x00000800",
> "arp.hw.size": "6",
> "arp.proto.size": "4",
> "arp.opcode": "1",
> "arp.src.hw_mac": "00:ab:cd:ef:01:23",
> "arp.src.proto_ipv4": "192.168.4.1",
> "arp.dst.hw_mac": "00:00:00:00:00:00",
> "arp.dst.proto_ipv4": "192.168.4.255"
> }
> }
> }
> }
> ]
>
> and
>
> [
> { "_index": "packets-1999-05-19", "_type": "doc", "_score": null,
> "_source": { "layers": { "frame": { "frame.encap_type": "1", "frame.time":
> "May 19, 1999 17:48:39.708517000 PDT", "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161319.708517000", "frame.time_delta":
> "0.000000000", "frame.time_delta_displayed": "0.000000000",
> "frame.time_relative": "0.000000000", "frame.number": "1", "frame.len":
> "60", "frame.cap_len": "60", "frame.marked": "0", "frame.ignored": "0",
> "frame.file_off": "24", "frame.protocols": "eth:ethertype:arp" }, "eth": {
> "eth.dst": "ff:ff:ff:ff:ff:ff", "eth.dst_tree": { "eth.dst_resolved":
> "Broadcast", "eth.dst.oui": "16777215", "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast", "eth.addr.oui": "16777215", "eth.dst.lg":
> "1", "eth.lg": "1", "eth.dst.ig": "1", "eth.ig": "1" }, "eth.src":
> "00:ab:cd:ef:01:23", "eth.src_tree": { "eth.src_resolved":
> "Example_ef:01:23", "eth.src.oui": "57426", "eth.src.oui_resolved": "Example
> Networks", "eth.addr": "00:ab:cd:ef:01:23", "eth.addr_resolved":
> "Example_ef:01:23", "eth.addr.oui": "57426", "eth.addr.oui_resolved":
> "Example Networks", "eth.src.lg": "0", "eth.lg": "0", "eth.src.ig": "0",
> "eth.ig": "0" }, "eth.type": "0x00000806", "eth.padding":
> "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" }, "arp": {
> "arp.hw.type": "1", "arp.proto.type": "0x00000800", "arp.hw.size": "6",
> "arp.proto.size": "4", "arp.opcode": "1", "arp.src.hw_mac":
> "00:ab:cd:ef:01:23", "arp.src.proto_ipv4": "192.168.4.1", "arp.dst.hw_mac":
> "00:00:00:00:00:00", "arp.dst.proto_ipv4": "192.168.4.255" } } } },
>
> ...
>
> { "_index": "packets-1999-05-19", "_type": "doc", "_score": null,
> "_source": { "layers": { "frame": { "frame.encap_type": "1", "frame.time":
> "May 19, 1999 17:49:40.951473000 PDT", "frame.offset_shift": "0.000000000",
> "frame.time_epoch": "927161380.951473000", "frame.time_delta":
> "0.000092000", "frame.time_delta_displayed": "0.000092000",
> "frame.time_relative": "61.242956000", "frame.number": "131", "frame.len":
> "60", "frame.cap_len": "60", "frame.marked": "0", "frame.ignored": "0",
> "frame.file_off": "12088", "frame.protocols": "eth:ethertype:arp" }, "eth":
> { "eth.dst": "ff:ff:ff:ff:ff:ff", "eth.dst_tree": { "eth.dst_resolved":
> "Broadcast", "eth.dst.oui": "16777215", "eth.addr": "ff:ff:ff:ff:ff:ff",
> "eth.addr_resolved": "Broadcast", "eth.addr.oui": "16777215", "eth.dst.lg":
> "1", "eth.lg": "1", "eth.dst.ig": "1", "eth.ig": "1" }, "eth.src":
> "00:ab:cd:ef:01:23", "eth.src_tree": { "eth.src_resolved":
> "Example_ef:01:23", "eth.src.oui": "57426", "eth.src.oui_resolved": "Example
> Networks", "eth.addr": "00:ab:cd:ef:01:23", "eth.addr_resolved":
> "Example_ef:01:23", "eth.addr.oui": "57426", "eth.addr.oui_resolved":
> "Example Networks", "eth.src.lg": "0", "eth.lg": "0", "eth.src.ig": "0",
> "eth.ig": "0" }, "eth.type": "0x00000806", "eth.trailer":
> "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00", "eth.trailer_tree":
> { "_ws.expert": { "eth.padding_bad": "", "_ws.expert.message": "Didn't find
> padding of zeros, and an undecoded trailer exists. There may be padding of
> non-zeros.", "_ws.expert.severity": "4194304", "_ws.expert.group":
> "150994944" } } }, "arp": { "arp.hw.type": "1", "arp.proto.type":
> "0x00000800", "arp.hw.size": "6", "arp.proto.size": "4", "arp.opcode": "1",
> "arp.src.hw_mac": "00:ab:cd:ef:01:23", "arp.src.proto_ipv4": "192.168.4.1",
> "arp.dst.hw_mac": "00:00:00:00:00:00", "arp.dst.proto_ipv4": "192.168.4.255"
> } } } }
> ]
>
> would appear to be valid NDJSON (the only difference is that the latter has
> a bunch of newlines replaced by spaces).
As you said, the NDJSON spec is a bit vague, but I am confident that this json
option with newlines replaced by spaces would not be considered valid NDJSON,
because of the array definition.
In other words, the first and last lines (containing "[" and "]") wouldn't be
considered valid JSON objects.
Also, the comma at the end of each object in the array would cause a syntax
error.
>
> So it sounds as if you want a format that:
>
> 1) doesn't have the indices;
Yes. The EK format is perfect, but currently I would have to parse out those
index definitions, which are designed for Elasticsearch.
>
> 2) represents the packet data as JSON in some fashion.
Similar to CSV, where each line is a different row, NDJSON has a different
record per line, but in JSON format.
>
> What's an example of the format you want? Show an example with two packets.
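These are the two packets from your example, but without the array definition [
] and the comma after the first record (each record is meant to be a single
line; the line breaks below presumably come from mail wrapping).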
{ "_index": "packets-1999-05-19", "_type": "doc", "_score": null, "_source": {
"layers": { "frame": { "frame.encap_type": "1", "frame.time": "May 19, 1999
17:48:39.708517000 PDT", "frame.offset_shift": "0.000000000",
"frame.time_epoch": "927161319.708517000", "frame.time_delta": "0.000000000",
"frame.time_delta_displayed": "0.000000000", "frame.time_relative":
"0.000000000", "frame.number": "1", "frame.len": "60", "frame.cap_len": "60",
"frame.marked": "0", "frame.ignored": "0", "frame.file_off": "24",
"frame.protocols": "eth:ethertype:arp" }, "eth": { "eth.dst":
"ff:ff:ff:ff:ff:ff", "eth.dst_tree": { "eth.dst_resolved": "Broadcast",
"eth.dst.oui": "16777215", "eth.addr": "ff:ff:ff:ff:ff:ff",
"eth.addr_resolved": "Broadcast", "eth.addr.oui": "16777215", "eth.dst.lg":
"1", "eth.lg": "1", "eth.dst.ig": "1", "eth.ig": "1" }, "eth.src":
"00:ab:cd:ef:01:23", "eth.src_tree": { "eth.src_resolved": "Example_ef:01:23",
"eth.src.oui": "57426", "eth.src.oui_resolved": "Example Networks", "eth.addr":
"00:ab:cd:ef:01:23", "eth.addr_resolved": "Example_ef:01:23", "eth.addr.oui":
"57426", "eth.addr.oui_resolved": "Example Networks", "eth.src.lg": "0",
"eth.lg": "0", "eth.src.ig": "0", "eth.ig": "0" }, "eth.type": "0x00000806",
"eth.padding": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" },
"arp": { "arp.hw.type": "1", "arp.proto.type": "0x00000800", "arp.hw.size":
"6", "arp.proto.size": "4", "arp.opcode": "1", "arp.src.hw_mac":
"00:ab:cd:ef:01:23", "arp.src.proto_ipv4": "192.168.4.1", "arp.dst.hw_mac":
"00:00:00:00:00:00", "arp.dst.proto_ipv4": "192.168.4.255" } } } }
{ "_index": "packets-1999-05-19", "_type": "doc", "_score": null, "_source": {
"layers": { "frame": { "frame.encap_type": "1", "frame.time": "May 19, 1999
17:49:40.951473000 PDT", "frame.offset_shift": "0.000000000",
"frame.time_epoch": "927161380.951473000", "frame.time_delta": "0.000092000",
"frame.time_delta_displayed": "0.000092000", "frame.time_relative":
"61.242956000", "frame.number": "131", "frame.len": "60", "frame.cap_len":
"60", "frame.marked": "0", "frame.ignored": "0", "frame.file_off": "12088",
"frame.protocols": "eth:ethertype:arp" }, "eth": { "eth.dst":
"ff:ff:ff:ff:ff:ff", "eth.dst_tree": { "eth.dst_resolved": "Broadcast",
"eth.dst.oui": "16777215", "eth.addr": "ff:ff:ff:ff:ff:ff",
"eth.addr_resolved": "Broadcast", "eth.addr.oui": "16777215", "eth.dst.lg":
"1", "eth.lg": "1", "eth.dst.ig": "1", "eth.ig": "1" }, "eth.src":
"00:ab:cd:ef:01:23", "eth.src_tree": { "eth.src_resolved": "Example_ef:01:23",
"eth.src.oui": "57426", "eth.src.oui_resolved": "Example Networks", "eth.addr":
"00:ab:cd:ef:01:23", "eth.addr_resolved": "Example_ef:01:23", "eth.addr.oui":
"57426", "eth.addr.oui_resolved": "Example Networks", "eth.src.lg": "0",
"eth.lg": "0", "eth.src.ig": "0", "eth.ig": "0" }, "eth.type": "0x00000806",
"eth.trailer": "52:ee:29:10:00:01:00:00:00:00:00:00:00:00:00:00:00:00",
"eth.trailer_tree": { "_ws.expert": { "eth.padding_bad": "",
"_ws.expert.message": "Didn't find padding of zeros, and an undecoded trailer
exists. There may be padding of non-zeros.", "_ws.expert.severity": "4194304",
"_ws.expert.group": "150994944" } } }, "arp": { "arp.hw.type": "1",
"arp.proto.type": "0x00000800", "arp.hw.size": "6", "arp.proto.size": "4",
"arp.opcode": "1", "arp.src.hw_mac": "00:ab:cd:ef:01:23", "arp.src.proto_ipv4":
"192.168.4.1", "arp.dst.hw_mac": "00:00:00:00:00:00", "arp.dst.proto_ipv4":
"192.168.4.255" } } } }