Announcing: A Wireshark dissector for elasticsearch

Hi Guys

I have been working on a Wireshark dissector for elasticsearch. This allows
you to more intelligently debug elasticsearch problems at the network
level. I have been working in my own branch of Wireshark and will be
getting it merged in the official distribution as soon as I can get some
feedback from you guys!

Here is a sneak peek so far:

https://lh6.googleusercontent.com/-IUSq-Wh-E-c/VDh9FVycl8I/AAAAAAAAAIg/Ad_qXH3qgKs/s1600/es_discovery.png

https://lh6.googleusercontent.com/-T0DBxs0s4nw/VDh9NemE8uI/AAAAAAAAAIo/gtw3t2RT98Y/s1600/dissect_action.png

https://lh3.googleusercontent.com/-q1kZ_WwvDT0/VDh9T9iTrwI/AAAAAAAAAIw/4_nujAWABkU/s1600/dissect_track_request_id.png

https://lh6.googleusercontent.com/-jIlhal5E1QY/VDh9a7oGgSI/AAAAAAAAAI4/cG69wSp7d00/s1600/dissect_http_elasticsearch.png

It would be great if I could get some others to test this out before I get it
into the official Wireshark tree. It *should* support versions of ES >
V0.20.0RC1 (I have been testing against the latest as of writing and I
don't think the binary protocol has changed since then). You can get it at
https://github.com/ryandoyle/wireshark.git on the branch es_dissector.
Build instructions are
at https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcBuildFirstTime.html.
It's the usual ./configure && make && make install type deal.

There are some limitations currently, so on the to-do list is the following:

  • Dissect the whole packet for request/response packets.
  • Decompress compressed packets
  • Track request/response IDs so you can back reference a response to a
    request and vice-versa
  • *Maybe* support older versions

I'll update you once it's merged and/or I get feedback from you guys.
Cheers!

Ryan

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/1add59e6-4e6f-4ee8-a5fc-df42a03f456e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
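To make the request/response tracking item on Ryan's to-do list concrete, here is an added Python example (not code from the announcement or from the Wireshark dissector) that splits a captured TCP stream into Elasticsearch transport frames and pairs each response with its request by request ID, flagging compressed and error frames along the way. The header layout it parses (the `ES` marker, a big-endian length, a 64-bit request ID, a status byte whose low bits mean response/error/compressed, and a version int) is assumed from memory of the ES binary protocol, as are the status bit positions; the sample stream is constructed inline and the version id and payloads in it are made up.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed Elasticsearch transport frame layout (not taken from the announcement):
#   'E' 'S'          2-byte marker
#   int32 length     number of bytes that follow this field (big-endian)
#   int64 request_id
#   uint8 status     bit0 = response, bit1 = error, bit2 = compressed (assumed)
#   int32 version    version id of the sending node
MARKER = b"ES"
PREFIX = struct.Struct(">2sI")   # marker + length, 6 bytes
HEADER = struct.Struct(">qBi")   # request_id + status + version, 13 bytes
STATUS_RESPONSE = 1 << 0
STATUS_ERROR = 1 << 1
STATUS_COMPRESS = 1 << 2


@dataclass
class Frame:
    offset: int          # byte offset of the frame in the stream
    request_id: int
    is_response: bool
    is_error: bool
    is_compressed: bool
    version: int
    payload: bytes       # everything after the fixed header (left undecoded)


def parse_frames(stream: bytes) -> List[Frame]:
    """Walk a byte stream frame by frame, refusing bad markers and truncation."""
    frames: List[Frame] = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < PREFIX.size:
            raise ValueError(f"truncated prefix at offset {pos}")
        marker, length = PREFIX.unpack_from(stream, pos)
        if marker != MARKER:
            raise ValueError(f"bad marker {marker!r} at offset {pos}")
        end = pos + PREFIX.size + length
        if length < HEADER.size or end > len(stream):
            raise ValueError(f"bad length {length} at offset {pos}")
        request_id, status, version = HEADER.unpack_from(stream, pos + PREFIX.size)
        frames.append(Frame(
            offset=pos,
            request_id=request_id,
            is_response=bool(status & STATUS_RESPONSE),
            is_error=bool(status & STATUS_ERROR),
            is_compressed=bool(status & STATUS_COMPRESS),
            version=version,
            payload=stream[pos + PREFIX.size + HEADER.size:end],
        ))
        pos = end
    return frames


def correlate(frames: List[Frame]) -> Tuple[List[Tuple[Frame, Frame]], List[Frame], List[Frame]]:
    """Pair responses with requests by request_id.

    Returns (pairs, requests still pending, responses with no known request).
    """
    pending: Dict[int, Frame] = {}
    pairs: List[Tuple[Frame, Frame]] = []
    unmatched: List[Frame] = []
    for f in frames:
        if not f.is_response:
            pending[f.request_id] = f
            continue
        req = pending.pop(f.request_id, None)
        if req is None:
            unmatched.append(f)
        else:
            pairs.append((req, f))
    return pairs, list(pending.values()), unmatched


def build_frame(request_id: int, status: int, version: int, payload: bytes) -> bytes:
    """Encode one frame under the assumed layout (used only to build sample input)."""
    body = HEADER.pack(request_id, status, version) + payload
    return PREFIX.pack(MARKER, len(body)) + body


# Constructed sample stream: one request/response pair, one compressed request
# that never gets answered, and an error response whose request was not captured.
SAMPLE_STREAM = (
    build_frame(7, 0, 1030299, b"cluster:monitor/nodes/info")
    + build_frame(8, STATUS_COMPRESS, 1030299, b"\x1f\x8b\x08\x00")
    + build_frame(7, STATUS_RESPONSE, 1030299, b"{\"nodes\":{}}")
    + build_frame(9, STATUS_RESPONSE | STATUS_ERROR, 1030299, b"RemoteTransportException")
)

if __name__ == "__main__":
    pairs, pending, unmatched = correlate(parse_frames(SAMPLE_STREAM))
    for req, resp in pairs:
        print(f"request {req.request_id} @{req.offset} -> response @{resp.offset}")
    print("pending:", [f.request_id for f in pending])
    print("unmatched responses:", [f.request_id for f in unmatched])
```

The parser stops on a bad marker or a length that runs past the capture instead of guessing, which is the behaviour you want from anything fed untrusted packet data; decompressing the `is_compressed` payloads is left out on purpose, since that is a separate item on the list above.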

Hi again,

Just a heads up that this is now included in Wireshark master branch. You
can now get it by building Wireshark directly from their latest source code
and in a released version when the change makes its way through.

Cheers,
Ryan

On Saturday, October 11, 2014 11:57:44 AM UTC+11, Ryan Doyle wrote: