More efficient EK (JSON) mode #558
KimiNewt
announced in
Announcements
I just merged #557 which adds experimental parsing in "EK" mode (which is a JSON used for Elastic).
From the PR:
> I've revamped the way Layers are accessed, so this should be more convenient than the JSON format (without the "_tree"s etc.). Additionally, it is 25% more memory-efficient. CPU is currently the same, but it has a lot of potential to be optimized. It can also use the `tshark -G elastic-mapping` command in the future for typing. Fields can now be accessed in a nested manner, and the "tree head"'s value can also be accessed. For example:
Please give it a shot, open any issues you may have and write any suggestions here. I think this is better than the JSON parsing and could replace the main parsing as well.
One known issue is that some JSON keys can be duplicated: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15719
This means that some fields will not be accessible AT ALL. From what I've seen so far, these fields are accessible in other ways, but in case they are not, we would have to do something similar to the duplicate handling in the JSON prior to Wireshark 2.2.
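The duplicate-key problem above bites because `json.loads` keeps only the last of two equal keys, so the "tree head" value or its subtree is silently lost. The following is an added example (not pyshark's code) of a small EK-output reader that keeps both copies and records which keys were duplicated; the EK lines and the `tcp_tcp_flags` field names are constructed for illustration, not real tshark output.

```python
import json
# Constructed sample in the newline-delimited shape of `tshark -T ek` output
# (an index line, then one document line per packet). Values are made up; the
# repeated "tcp_tcp_flags" key models the duplicate-key issue discussed above.
SAMPLE_EK = "\n".join([
    '{"index":{"_index":"packets-2019-05-10","_type":"doc"}}',
    '{"timestamp":"1557475520123","layers":{"ip":{"ip_ip_src":"10.0.0.1"},'
    '"tcp":{"tcp_tcp_flags":"0x0002",'
    '"tcp_tcp_flags":{"tcp_flags_tcp_flags_syn":"1","tcp_flags_tcp_flags_ack":"0"}}}}',
])

class EkNode(dict):
    """A JSON object that also keeps the scalar value of its own 'tree head'."""
    def __init__(self):
        super().__init__()
        self.value = None      # head value, set when the key was duplicated
        self.dup_keys = set()  # keys that appeared more than once in this object

def _pairs_hook(pairs):
    """object_pairs_hook for json.loads, which by default keeps only the last
    of two equal keys and silently drops the other field."""
    node = EkNode()
    for key, val in pairs:
        if key not in node:
            node[key] = val
            continue
        node.dup_keys.add(key)
        old = node[key]
        if isinstance(old, EkNode) and not isinstance(val, EkNode):
            old.value = val            # subtree came first, head value second
        elif isinstance(val, EkNode) and not isinstance(old, EkNode):
            val.value = old            # head value came first, subtree second
            node[key] = val
        else:
            node[key] = [old, val]     # same kind twice: keep both copies
    return node

def parse_ek(text):
    """Packet documents from EK output; the {"index": ...} lines are skipped."""
    docs = [json.loads(line, object_pairs_hook=_pairs_hook)
            for line in text.splitlines() if line.strip()]
    return [d for d in docs if "layers" in d]

def get_field(packet, path):
    """Dotted nested access, e.g. "tcp.tcp_tcp_flags.tcp_flags_tcp_flags_syn"."""
    node = packet["layers"]
    for part in path.split("."):
        node = node[part]
    return node
```

Checking `dup_keys` on each layer after parsing a real capture is a quick way to see which fields the current tshark build emits twice.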