Comment #23 on bug 11754 from Martin Kacer
Hi Thomas,
thanks for this question.
The -j filter uses strings separated by spaces (so it corresponds to OR). Each
parent Wireshark field which contains child elements is checked against this
filter. This means only parent nodes are checked, not the fields themselves (so it
is some kind of parent/protocol filter). The best way to understand this is to use JSON
output without a filter and then try to apply -j with a filter. If the result contains the
attribute "filtered:", its value contains the name of the parent node which was
filtered. Also, some parent nodes do not have names, but just "text" as a
name, therefore you see "text" in this DNS example.
- So this -j filter should not be confused with the field filter, see bug 12529
(TODO).
- Regarding keys for EK: dots were not accepted by EK, therefore I have changed
them to underscores. EK uses dots for nested objects. Also, into the key I have added
the name of the parent node. (Because Kibana does not fully support fully
nested array objects, and some protocol fields are included multiple times in a
single frame, so this was some kind of solution for this.)
It is just included in master branch on git, not sure regarding release.
M
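The parent-node filtering and the EK key renaming described in the comment, as an added illustrative Python reimplementation (not tshark's own code, and not part of the bug thread). The `layers` object is a constructed sample in the shape of `tshark -T json` output with made-up values; the nameless "Queries" subtree is keyed `text`, the name the comment says such parent nodes carry. The exact EK key format (`<parent>_<field with dots replaced>`) is an assumption drawn from the comment's description rather than from tshark's source.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape of the "layers" object of `tshark -T json` output.
# Values are invented; dict-valued keys are parent nodes, everything else is a leaf field.
SAMPLE_LAYERS: Dict[str, Any] = {
    "frame": {"frame.len": "74", "frame.protocols": "eth:ethertype:ip:udp:dns"},
    "eth": {"eth.dst": "00:11:22:33:44:55", "eth.src": "66:77:88:99:aa:bb"},
    "ip": {"ip.src": "192.0.2.10", "ip.dst": "192.0.2.53"},
    "udp": {"udp.srcport": "40000", "udp.dstport": "53"},
    "dns": {
        "dns.id": "0x1a2b",
        "dns.flags": "0x0100",
        "dns.flags_tree": {"dns.flags.response": "0", "dns.flags.recdesired": "1"},
        # the "Queries" subtree has no abbrev of its own, so it shows up as "text"
        "text": {"dns.qry.name": "example.com", "dns.qry.type": "1"},
    },
}


def apply_parent_filter(node: Dict[str, Any], filter_expr: str) -> Dict[str, Any]:
    """Emulate `tshark -j "<names>"` as the comment describes it.

    The filter is a space-separated list of parent names combined with OR.
    Only parent nodes (dict-valued keys) are checked, at every nesting level;
    leaf fields are copied through untouched. A parent whose name is not listed
    is replaced by {"filtered": "<name>"} so the reader can see what was dropped.
    """
    allowed = set(filter_expr.split())
    out: Dict[str, Any] = {}
    for name, value in node.items():
        if isinstance(value, dict):
            if name in allowed:
                out[name] = apply_parent_filter(value, filter_expr)
            else:
                out[name] = {"filtered": name}
        else:
            out[name] = value
    return out


def filtered_names(node: Dict[str, Any]) -> List[str]:
    """Collect the names reported in "filtered" attributes, sorted for stable output."""
    found: List[str] = []
    for value in node.values():
        if isinstance(value, dict):
            if set(value) == {"filtered"}:
                found.append(value["filtered"])
            else:
                found.extend(filtered_names(value))
    return sorted(found)


def to_ek_keys(node: Dict[str, Any], parent: str = "") -> Dict[str, Any]:
    """Rename keys the way the comment describes for `-T ek` output.

    Dots become underscores because Elasticsearch treats a dot as object nesting,
    and the immediate parent node's name is prefixed to disambiguate fields that
    occur several times in one frame. The precise layout is an assumption.
    """
    out: Dict[str, Any] = {}
    for name, value in node.items():
        flat = name.replace(".", "_")
        key = f"{parent}_{flat}" if parent else flat
        out[key] = to_ek_keys(value, flat) if isinstance(value, dict) else value
    return out


if __name__ == "__main__":
    # Compare unfiltered output with `-j "ip dns"`: "text" and "dns.flags_tree"
    # are parents too, so they are filtered unless listed explicitly.
    print(json.dumps(apply_parent_filter(SAMPLE_LAYERS, "ip dns"), indent=2))
    print("filtered parents:", filtered_names(apply_parent_filter(SAMPLE_LAYERS, "ip dns")))
    print(json.dumps(to_ek_keys(SAMPLE_LAYERS), indent=2))
```

Running it with the filter `"ip dns"` shows why the comment warns that -j is not a field filter: the DNS layer survives, but its nested `dns.flags_tree` and `text` parents are replaced by `"filtered"` markers until they are named in the filter as well.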