osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
wireshark/test/baseline/elastic-mapping-ip-subset.json

307 lines
8.5 KiB
JSON
Raw Normal View History

Replace JSON-GLib by custom JSON dumper library The (optional) JSON-GLib library adds dependencies on GObject, GIO. For statically linked oss-fuzz builds it also adds libffi and more. To avoid these dependencies, replace JSON-GLib by some custom code. This allows `tshark -G elastic-mapping` to be enabled by default without extra deps. API design goals of the new JSON dumper library: - Small interface without a lot of abstraction. - Avoid memory allocations if possible (currently none, but maybe json_puts_string will be replaced to improve UTF-8 support). - Do not implement parsing, this is currently handled by jsmn. Methods to open/close array/objects and to set members are inspired by the JsonGlib interface. The interfaces to write values is inspired by the sharkd code (json_puts_string is also borrowed from that). The only observed differences in the tshark output: - JSON-GLib ignores duplicates, json_dumper does not and may produce duplicates and currently print two "ip.opt.sec_prot_auth_unassigned". - JSON-GLib adds a space before a colon (unimportant formatting detail). - (Not observed, but UTF-8 strings will be wrong like bug 14948.) A test was added to catch changes in the tshark output. I also fuzzed json_dumper with libFuzzer + UBSAN/ASAN and fixed an off-by-one error. Change-Id: I0c85b18777b04d1e0f613a3d59935ec59be87ff4 Link: https://www.wireshark.org/lists/wireshark-dev/201811/msg00052.html Reviewed-on: https://code.wireshark.org/review/30732 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-20 01:47:36 +00:00
{
elastic: make fields all the same. The outputs of -T ek and -G elastic-mapping don't match. To be effective the fields in the mapping report and the fields in the traffic output must be the same. 2 issues have been fixed. The elastic-mapping requires the parent protocol to be prepended to the field to match the traffic output. The field "dns.a" has been changed to "dns_dns_a". The traffic output prints some fields with a leading "text_". This happens for some fields that have been created under a text only field. One example is "dns.a", that was printed as "text_dns_a". This has been fixed by accessing the parent hfinfo resulting in "dns_dns_a" as other fields for the dns protocol. Bug: 15759 Change-Id: Ibd000c865102ca49bb6a6394019a475483eae4cc Reviewed-on: https://code.wireshark.org/review/33099 Petri-Dish: Dario Lombardo <lomato@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Eneko Gómez <eneko.gomez.tecnalia@gmail.com> Reviewed-by: Dario Lombardo <lomato@gmail.com>
2019-05-07 07:42:38 +00:00
"settings": {
"index.mapping.total_fields.limit": 1000000
Replace JSON-GLib by custom JSON dumper library The (optional) JSON-GLib library adds dependencies on GObject, GIO. For statically linked oss-fuzz builds it also adds libffi and more. To avoid these dependencies, replace JSON-GLib by some custom code. This allows `tshark -G elastic-mapping` to be enabled by default without extra deps. API design goals of the new JSON dumper library: - Small interface without a lot of abstraction. - Avoid memory allocations if possible (currently none, but maybe json_puts_string will be replaced to improve UTF-8 support). - Do not implement parsing, this is currently handled by jsmn. Methods to open/close array/objects and to set members are inspired by the JsonGlib interface. The interfaces to write values is inspired by the sharkd code (json_puts_string is also borrowed from that). The only observed differences in the tshark output: - JSON-GLib ignores duplicates, json_dumper does not and may produce duplicates and currently print two "ip.opt.sec_prot_auth_unassigned". - JSON-GLib adds a space before a colon (unimportant formatting detail). - (Not observed, but UTF-8 strings will be wrong like bug 14948.) A test was added to catch changes in the tshark output. I also fuzzed json_dumper with libFuzzer + UBSAN/ASAN and fixed an off-by-one error. Change-Id: I0c85b18777b04d1e0f613a3d59935ec59be87ff4 Link: https://www.wireshark.org/lists/wireshark-dev/201811/msg00052.html Reviewed-on: https://code.wireshark.org/review/30732 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-20 01:47:36 +00:00
},
elastic: make fields all the same. The outputs of -T ek and -G elastic-mapping don't match. To be effective the fields in the mapping report and the fields in the traffic output must be the same. 2 issues have been fixed. The elastic-mapping requires the parent protocol to be prepended to the field to match the traffic output. The field "dns.a" has been changed to "dns_dns_a". The traffic output prints some fields with a leading "text_". This happens for some fields that have been created under a text only field. One example is "dns.a", that was printed as "text_dns_a". This has been fixed by accessing the parent hfinfo resulting in "dns_dns_a" as other fields for the dns protocol. Bug: 15759 Change-Id: Ibd000c865102ca49bb6a6394019a475483eae4cc Reviewed-on: https://code.wireshark.org/review/33099 Petri-Dish: Dario Lombardo <lomato@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Eneko Gómez <eneko.gomez.tecnalia@gmail.com> Reviewed-by: Dario Lombardo <lomato@gmail.com>
2019-05-07 07:42:38 +00:00
"mappings": {
elastic: fix mapping with recent es versions.
2022-03-13 20:30:01 +00:00
"dynamic": false,
"properties": {
"timestamp": {
"type": "date"
},
"layers": {
"properties": {
"ip": {
"properties": {
"ip_ip_version": {
"type": "short"
},
"ip_ip_hdr_len": {
"type": "short"
},
"ip_ip_dsfield": {
"type": "short"
},
"ip_ip_dsfield_dscp": {
"type": "short"
},
"ip_ip_dsfield_ecn": {
"type": "short"
},
"ip_ip_tos": {
"type": "short"
},
"ip_ip_tos_precedence": {
"type": "short"
},
"ip_ip_tos_delay": {
"type": "boolean"
},
"ip_ip_tos_throughput": {
"type": "boolean"
},
"ip_ip_tos_reliability": {
"type": "boolean"
},
"ip_ip_tos_cost": {
"type": "boolean"
},
"ip_ip_len": {
"type": "integer"
},
"ip_ip_id": {
"type": "integer"
},
"ip_ip_dst": {
"type": "ip"
},
"ip_ip_src": {
"type": "ip"
},
"ip_ip_addr": {
"type": "ip"
},
"ip_ip_geoip_asnum": {
"type": "long"
},
"ip_ip_geoip_lat": {
"type": "float"
},
"ip_ip_geoip_lon": {
"type": "float"
},
"ip_ip_geoip_src_asnum": {
"type": "long"
},
"ip_ip_geoip_src_lat": {
"type": "float"
},
"ip_ip_geoip_src_lon": {
"type": "float"
},
"ip_ip_geoip_dst_asnum": {
"type": "long"
},
"ip_ip_geoip_dst_lat": {
"type": "float"
},
"ip_ip_geoip_dst_lon": {
"type": "float"
},
"ip_ip_flags": {
"type": "short"
},
"ip_ip_flags_sf": {
"type": "boolean"
},
"ip_ip_flags_rb": {
"type": "boolean"
},
"ip_ip_flags_df": {
"type": "boolean"
},
"ip_ip_flags_mf": {
"type": "boolean"
},
"ip_ip_frag_offset": {
"type": "integer"
},
"ip_ip_ttl": {
"type": "short"
},
"ip_ip_proto": {
"type": "short"
},
"ip_ip_checksum": {
"type": "integer"
},
"ip_ip_checksum_calculated": {
"type": "integer"
},
"ip_ip_checksum_status": {
"type": "short"
},
"ip_ip_opt_type": {
"type": "short"
},
"ip_ip_opt_type_copy": {
"type": "boolean"
},
"ip_ip_opt_type_class": {
"type": "short"
},
"ip_ip_opt_type_number": {
"type": "short"
},
"ip_ip_opt_len": {
"type": "short"
},
"ip_ip_opt_ptr": {
"type": "short"
},
"ip_ip_opt_sid": {
"type": "integer"
},
"ip_ip_opt_mtu": {
"type": "integer"
},
"ip_ip_opt_id_number": {
"type": "integer"
},
"ip_ip_opt_ohc": {
"type": "integer"
},
"ip_ip_opt_rhc": {
"type": "integer"
},
"ip_ip_opt_originator": {
"type": "ip"
},
"ip_ip_opt_ra": {
"type": "integer"
},
"ip_ip_opt_addr": {
"type": "ip"
},
"ip_ip_opt_padding": {
"type": "byte"
},
"ip_ip_opt_qs_func": {
"type": "short"
},
"ip_ip_opt_qs_rate": {
"type": "short"
},
"ip_ip_opt_qs_ttl": {
"type": "short"
},
"ip_ip_opt_qs_ttl_diff": {
"type": "short"
},
"ip_ip_opt_qs_unused": {
"type": "short"
},
"ip_ip_opt_qs_nonce": {
"type": "long"
},
"ip_ip_opt_qs_reserved": {
"type": "long"
},
"ip_ip_opt_sec_rfc791_sec": {
"type": "integer"
},
"ip_ip_opt_sec_rfc791_comp": {
"type": "integer"
},
"ip_ip_opt_sec_cl": {
"type": "short"
},
"ip_ip_opt_sec_prot_auth_flags": {
"type": "short"
},
"ip_ip_opt_sec_prot_auth_genser": {
"type": "boolean"
},
"ip_ip_opt_sec_prot_auth_siop_esi": {
"type": "boolean"
},
"ip_ip_opt_sec_prot_auth_sci": {
"type": "boolean"
},
"ip_ip_opt_sec_prot_auth_nsa": {
"type": "boolean"
},
"ip_ip_opt_sec_prot_auth_doe": {
"type": "boolean"
},
"ip_ip_opt_sec_prot_auth_unassigned": {
"type": "short"
},
"ip_ip_opt_sec_prot_auth_unassigned": {
"type": "short"
},
"ip_ip_opt_sec_prot_auth_fti": {
"type": "boolean"
},
"ip_ip_opt_ext_sec_add_sec_info_format_code": {
"type": "short"
},
"ip_ip_opt_ext_sec_add_sec_info": {
"type": "byte"
},
"ip_ip_rec_rt": {
"type": "ip"
},
"ip_ip_cur_rt": {
"type": "ip"
},
"ip_ip_src_rt": {
"type": "ip"
},
"ip_ip_empty_rt": {
"type": "ip"
},
"ip_ip_cipso_tag_type": {
"type": "short"
},
"ip_ip_fragment_overlap": {
"type": "boolean"
},
"ip_ip_fragment_overlap_conflict": {
"type": "boolean"
},
"ip_ip_fragment_multipletails": {
"type": "boolean"
},
"ip_ip_fragment_toolongfragment": {
"type": "boolean"
},
"ip_ip_fragment_error": {
"type": "long"
},
"ip_ip_fragment_count": {
"type": "long"
},
"ip_ip_fragment": {
"type": "long"
},
"ip_ip_fragments": {
"type": "byte"
},
"ip_ip_reassembled_in": {
"type": "long"
},
"ip_ip_reassembled_length": {
"type": "long"
},
"ip_ip_reassembled_data": {
"type": "byte"
},
"ip_ip_cipso_doi": {
"type": "long"
},
"ip_ip_cipso_sensitivity_level": {
"type": "short"
},
"ip_ip_cipso_tag_data": {
"type": "byte"
},
"ip_ip_opt_overflow": {
"type": "short"
},
"ip_ip_opt_flag": {
"type": "short"
},
"ip_ip_opt_time_stamp": {
"type": "long"
},
"ip_ip_opt_time_stamp_addr": {
"type": "ip"
Replace JSON-GLib by custom JSON dumper library The (optional) JSON-GLib library adds dependencies on GObject, GIO. For statically linked oss-fuzz builds it also adds libffi and more. To avoid these dependencies, replace JSON-GLib by some custom code. This allows `tshark -G elastic-mapping` to be enabled by default without extra deps. API design goals of the new JSON dumper library: - Small interface without a lot of abstraction. - Avoid memory allocations if possible (currently none, but maybe json_puts_string will be replaced to improve UTF-8 support). - Do not implement parsing, this is currently handled by jsmn. Methods to open/close array/objects and to set members are inspired by the JsonGlib interface. The interfaces to write values is inspired by the sharkd code (json_puts_string is also borrowed from that). The only observed differences in the tshark output: - JSON-GLib ignores duplicates, json_dumper does not and may produce duplicates and currently print two "ip.opt.sec_prot_auth_unassigned". - JSON-GLib adds a space before a colon (unimportant formatting detail). - (Not observed, but UTF-8 strings will be wrong like bug 14948.) A test was added to catch changes in the tshark output. I also fuzzed json_dumper with libFuzzer + UBSAN/ASAN and fixed an off-by-one error. Change-Id: I0c85b18777b04d1e0f613a3d59935ec59be87ff4 Link: https://www.wireshark.org/lists/wireshark-dev/201811/msg00052.html Reviewed-on: https://code.wireshark.org/review/30732 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-11-20 01:47:36 +00:00
}
}
}
}
}
}
}
IPv4: Use FT_UINT8 for the 3 bits flags field XXX comment reworded to be more informative and reflect lack of consensus on removing RFC 3514. Change-Id: If15b8f5d7c450192b1b6ebbfa463b19f27de177c Reviewed-on: https://code.wireshark.org/review/35934 Petri-Dish: João Valverde <j@v6e.pt> Tested-by: Petri Dish Buildbot Reviewed-by: João Valverde <j@v6e.pt>
2020-01-24 14:58:37 +00:00
}