From c2b59567d301b81ddb01acdc3cc1d67cfe4b908f Mon Sep 17 00:00:00 2001 From: Dario Lombardo Date: Mon, 7 Nov 2022 22:28:36 +0100 Subject: [PATCH] tshark: update man to explain why some fields are skipped in elastic-mapping. --- doc/tshark.adoc | 3 ++- epan/proto.c | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/tshark.adoc b/doc/tshark.adoc index d4539aac16..b8c1777ae4 100644 --- a/doc/tshark.adoc +++ b/doc/tshark.adoc @@ -468,7 +468,8 @@ Field 4:: base for display (for integer types) Field 5:: protocol name Field 6:: "decode as" support -*elastic-mapping* Dumps the ElasticSearch mapping file to stdout. +*elastic-mapping* Dumps the ElasticSearch mapping file to stdout. Fields +falling in the default case (string) won't be mapped. *fieldcount* Dumps the number of header fields to stdout. diff --git a/epan/proto.c b/epan/proto.c index 814b874a62..ab1473ea7e 100644 --- a/epan/proto.c +++ b/epan/proto.c @@ -11340,6 +11340,7 @@ proto_registrar_dump_elastic(const gchar* filter) } /* Skip the fields that would map into string. This is the default in elasticsearch. */ type = ws_type_to_elastic(hfinfo->type); + /* when type is NULL, we have the default mapping: string */ if (type) { str = ws_strdup_printf("%s_%s", prev_proto, hfinfo->abbrev); dot_to_underscore(str);