tshark: update man to explain why some fields are skipped in elastic-mapping.

2022-11-07 22:28:36 +01:00 · 2022-11-07 22:28:36 +01:00 · c2b59567d3
parent fd92228e54
commit c2b59567d3
2 changed files with 3 additions and 1 deletions
--- a/doc/tshark.adoc
+++ b/doc/tshark.adoc
@ -468,7 +468,8 @@ Field 4:: base for display (for integer types)
 Field 5:: protocol name
 Field 6:: "decode as" support

-*elastic-mapping*  Dumps the ElasticSearch mapping file to stdout.
+*elastic-mapping*  Dumps the ElasticSearch mapping file to stdout. Fields
+falling in the default case (string) won't be mapped.

 *fieldcount*  Dumps the number of header fields to stdout.

--- a/epan/proto.c
+++ b/epan/proto.c
@ -11340,6 +11340,7 @@ proto_registrar_dump_elastic(const gchar* filter)
 			}
 			/* Skip the fields that would map into string. This is the default in elasticsearch. */
 			type = ws_type_to_elastic(hfinfo->type);
+			/* when type is NULL, we have the default mapping: string */
 			if (type) {
 				str = ws_strdup_printf("%s_%s", prev_proto, hfinfo->abbrev);
 				dot_to_underscore(str);