https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15324

            Bug ID: 15324
           Summary: Support for Elasticsearch 5+ protocol
           Product: Wireshark
           Version: unspecified
          Hardware: x86
                OS: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: Enhancement
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: david.tur...@elastic.co
  Target Milestone: ---

Build Information:
Version 2.4.3 (v2.4.3-0-g368ba1e)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.4.17, with Gcrypt 1.7.7, with MIT Kerberos, with GeoIP,
with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with
QtMultimedia, without AirPcap, with SBC, without SpanDSP.

Running on Mac OS X 10.14.1, build 18B75 (Darwin 18.2.0), with Intel(R) Core(TM)
i7-7820HQ CPU @ 2.90GHz (with SSE4.2), with 16384 MB of physical memory, with
locale C, with libpcap version 1.8.1 -- Apple version 79.200.4, with GnuTLS
3.4.17, with Gcrypt 1.7.7, with zlib 1.2.11.

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Today, Wireshark can dissect a few fields from the wire protocol that
Elasticsearch used prior to version 5. There were changes to the wire protocol
in version 5 and again in version 6.3.

In version 5 (`version >= 5000099`), in both requests and responses, the thread
context was added immediately after the 4-byte version field:

https://github.com/elastic/elasticsearch/blob/master/server/src/main/java/org/elasticsearch/common/util/concurrent/ThreadContext.java#L583-L589

The thread context comprises two structures: headers from the request and
headers for the response. The headers from the request are a list of pairs of
strings; the headers for the response are a list of pairs of (string,
list-of-string), and each list is prefixed with its number of items. The
`read_vint()` and `read_vstring()` functions in
`epan/dissectors/packet-elasticsearch.c` look suitable for reading the basic
elements of these structures.

In version 6.3 (`version >= 6030099`), in requests only, immediately after the
thread context described above comes the features list. This is a list of
strings (again, prefixed by its length):

https://github.com/elastic/elasticsearch/blob/master/server/src/main/java/org/elasticsearch/transport/TcpTransport.java#L790-L792

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
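As an added example (not code from the Wireshark tree or from Elasticsearch), here is a bounds-checked C parser for the fields the report describes: the thread context that follows the 4-byte version field from version 5 on, and the request-only features list from version 6.3 on. It makes the following assumptions, none of which the report states: vints use Elasticsearch's 7-bits-per-byte, low-group-first, high-bit-continuation encoding; a vstring is a vint length followed by that many bytes, restricted here to ASCII (Elasticsearch counts chars rather than bytes, so non-ASCII strings are rejected rather than mis-parsed); the version constants are taken from the report; the item and string limits, the `SAMPLE` bytes and all function and type names are hypothetical. The point for a dissector author is that every count and length from the wire is checked against the remaining buffer before anything is copied, so a truncated or malicious frame fails cleanly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wireshark's packet-elasticsearch.c. Version thresholds
 * are the ones quoted in the report; limits below are arbitrary. */
#define ES5_VERSION   5000099u   /* thread context present from here on */
#define ES63_VERSION  6030099u   /* features list (requests only) from here on */
#define MAX_ITEMS 8
#define MAX_STR   32

typedef struct { const uint8_t *buf; size_t len, pos; } cursor_t;
typedef struct { char key[MAX_STR]; char val[MAX_STR]; } es_pair_t;
typedef struct { char key[MAX_STR]; uint32_t nvals; char vals[MAX_ITEMS][MAX_STR]; } es_multi_t;
typedef struct {
    uint32_t n_req;  es_pair_t  req[MAX_ITEMS];          /* request headers  */
    uint32_t n_resp; es_multi_t resp[MAX_ITEMS];         /* response headers */
    uint32_t n_feat; char       feat[MAX_ITEMS][MAX_STR]; /* features (6.3+)  */
} es_ctx_t;

/* vint (assumed encoding): 7 data bits per byte, least significant group
 * first, high bit set means "more bytes follow". -1 on truncation or >5 bytes. */
static int read_vint(cursor_t *c, uint32_t *out) {
    uint32_t v = 0;
    for (int shift = 0; shift <= 28; shift += 7) {
        if (c->pos >= c->len) return -1;
        uint8_t b = c->buf[c->pos++];
        v |= (uint32_t)(b & 0x7Fu) << shift;
        if ((b & 0x80u) == 0) { *out = v; return 0; }
    }
    return -1;
}

/* vstring: vint length, then that many ASCII bytes. Length is checked against
 * both the caller's buffer and the bytes left on the wire before the copy. */
static int read_vstring(cursor_t *c, char *dst, size_t cap) {
    uint32_t n;
    if (read_vint(c, &n) < 0) return -1;
    if (n >= cap || n > c->len - c->pos) return -1;
    for (uint32_t i = 0; i < n; i++)
        if (c->buf[c->pos + i] & 0x80u) return -1;   /* ASCII only, by assumption */
    memcpy(dst, c->buf + c->pos, n);
    dst[n] = '\0';
    c->pos += n;
    return 0;
}

/* An item count from the wire must fit the fixed arrays used here. */
static int read_count(cursor_t *c, uint32_t *out) {
    if (read_vint(c, out) < 0 || *out > MAX_ITEMS) return -1;
    return 0;
}

/* Parse the bytes that follow the 4-byte version field. Returns the number of
 * bytes consumed, or -1 if the frame is truncated or exceeds the limits. */
int parse_es_thread_context(const uint8_t *buf, size_t len, uint32_t version,
                            int is_request, es_ctx_t *out) {
    cursor_t c = { buf, len, 0 };
    memset(out, 0, sizeof *out);
    if (version < ES5_VERSION) return 0;            /* nothing added before 5.0 */

    if (read_count(&c, &out->n_req) < 0) return -1;  /* request headers: (string, string) */
    for (uint32_t i = 0; i < out->n_req; i++)
        if (read_vstring(&c, out->req[i].key, MAX_STR) < 0 ||
            read_vstring(&c, out->req[i].val, MAX_STR) < 0) return -1;

    if (read_count(&c, &out->n_resp) < 0) return -1; /* response headers: (string, list-of-string) */
    for (uint32_t i = 0; i < out->n_resp; i++) {
        es_multi_t *m = &out->resp[i];
        if (read_vstring(&c, m->key, MAX_STR) < 0) return -1;
        if (read_count(&c, &m->nvals) < 0) return -1;
        for (uint32_t j = 0; j < m->nvals; j++)
            if (read_vstring(&c, m->vals[j], MAX_STR) < 0) return -1;
    }

    if (is_request && version >= ES63_VERSION) {     /* features: list of string */
        if (read_count(&c, &out->n_feat) < 0) return -1;
        for (uint32_t i = 0; i < out->n_feat; i++)
            if (read_vstring(&c, out->feat[i], MAX_STR) < 0) return -1;
    }
    return (int)c.pos;
}

/* Constructed sample, not a real capture: request header k1=v1, response
 * header Warning=[w1,w2], features [foo,bar]. 23 bytes of thread context
 * followed by 9 bytes of features. */
static const uint8_t SAMPLE[] = {
    1, 2,'k','1', 2,'v','1',
    1, 7,'W','a','r','n','i','n','g', 2, 2,'w','1', 2,'w','2',
    2, 3,'f','o','o', 3,'b','a','r'
};
#define SAMPLE_LEN (sizeof SAMPLE)

int main(void) {
    es_ctx_t ctx;
    int n = parse_es_thread_context(SAMPLE, SAMPLE_LEN, ES63_VERSION, 1, &ctx);
    printf("consumed %d of %zu bytes; %u request, %u response, %u feature(s)\n",
           n, SAMPLE_LEN, ctx.n_req, ctx.n_resp, ctx.n_feat);
    /* A frame cut one byte short must fail instead of reading past the buffer. */
    printf("truncated frame -> %d\n",
           parse_es_thread_context(SAMPLE, SAMPLE_LEN - 1, ES63_VERSION, 1, &ctx));
    return 0;
}
```

Feeding the same bytes with a 6.0 version, or as a response at 6.3, stops after the 23-byte thread context and leaves the trailing bytes for whatever follows in the frame; a real dissector would then hand the remainder to the action-name and payload logic rather than assuming the features list is there.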