Using XSLT to transform old XML to new XML format

Question

I am having trouble transforming one set of XML data into a new format using XSLT. Below is the code I am currently using.

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:fo="http://www.w3.org/1999/XSL/Format">
<xsl:output method="xml" indent="yes"/>
<xsl:template match="/pdml/packet">

<PacketSRC id = "/proto/field[name='ip.src']/@show">

    <PacketDST>
    <xsl:value-of select="/proto/field[name='ip.dst']/@show"></xsl:value-of>
    </PacketDST>

    <PacketPORT> 
    <xsl:value-of select="/proto/field[name='tcp.dstport']/@show"></xsl:value-of>
    </PacketPORT>

    <PacketFLAG>
    <xsl:value-of select="/proto/field[name='tcp.flag']/@showname"></xsl:value-of>
    </PacketFLAG>

</PacketSRC>
</xsl:stylesheet>

The aim of this XSLT is to pull four values from original XML which are (using XPath):

/pdml/packet/proto/field[name='ip.src']/@show
/pdml/packet/proto/field[name='ip.dst']/@show
/pdml/packet/proto/field[name='tcp.dstport']/@show
/pdml/packet/proto/field[name='tcp.flags']/@showname

The idea is to have the PacketSRC be the key attribute/node for each packet. The original xml looks like this:

<pdml>
 <packet>
  <proto>
   <field>
  </proto>
 </packet>
</pdml>

The file contains multiple packets and I need to read each of them for their information. I have looked at: XSLT to transform xml to xml pulling out specific values and mapping to new format

But that question looks to attain a lot of node values rather than node attributes which happens in this case.

I am currently using Altova XMLSpy 2014 to create the stylesheet.

An example of a packet section looks like the following:

<packet>
  <proto name="geninfo" pos="0" showname="General information" size="58">
    <field name="num" pos="0" show="22" showname="Number" value="16" size="58"/>
    <field name="len" pos="0" show="58" showname="Frame Length" value="3a" size="58"/>
    <field name="caplen" pos="0" show="58" showname="Captured Length" value="3a" size="58"/>
    <field name="timestamp" pos="0" show="Aug 26, 2014 19:15:06.203826000 GMT Daylight Time" showname="Captured Time" value="1409076906.203826000" size="58"/>
  </proto>
  <proto name="frame" showname="Frame 22: 58 bytes on wire (464 bits), 58 bytes captured (464 bits)" size="58" pos="0">
    <field name="frame.encap_type" showname="Encapsulation type: Ethernet (1)" size="0" pos="0" show="1"/>
    <field name="frame.time" showname="Arrival Time: Aug 26, 2014 19:15:06.203826000 GMT Daylight Time" size="0" pos="0" show="&quot;Aug 26, 2014 19:15:06.203826000 GMT Daylight Time&quot;"/>
    <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
    <field name="frame.time_epoch" showname="Epoch Time: 1409076906.203826000 seconds" size="0" pos="0" show="1409076906.203826000"/>
    <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.001294000 seconds" size="0" pos="0" show="0.001294000"/>
    <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.001294000 seconds" size="0" pos="0" show="0.001294000"/>
    <field name="frame.time_relative" showname="Time since reference or first frame: 3.484800000 seconds" size="0" pos="0" show="3.484800000"/>
    <field name="frame.number" showname="Frame Number: 22" size="0" pos="0" show="22"/>
    <field name="frame.len" showname="Frame Length: 58 bytes (464 bits)" size="0" pos="0" show="58"/>
    <field name="frame.cap_len" showname="Capture Length: 58 bytes (464 bits)" size="0" pos="0" show="58"/>
    <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
    <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
    <field name="frame.protocols" showname="Protocols in frame: eth:ethertype:ip:tcp" size="0" pos="0" show="eth:ethertype:ip:tcp"/>
  </proto>
  <proto name="eth" showname="Ethernet II, Src: 78:e4:00:f9:ea:83 (78:e4:00:f9:ea:83), Dst: 98:8b:5d:b9:50:70 (98:8b:5d:b9:50:70)" size="14" pos="0">
    <field name="eth.dst" showname="Destination: 98:8b:5d:b9:50:70 (98:8b:5d:b9:50:70)" size="6" pos="0" show="98:8b:5d:b9:50:70" value="988b5db95070">
    <field name="eth.dst_resolved" showname="Destination (resolved): 98:8b:5d:b9:50:70" hide="yes" size="6" pos="0" show="98:8b:5d:b9:50:70" value="988b5db95070"/>
    <field name="eth.addr" showname="Address: 98:8b:5d:b9:50:70 (98:8b:5d:b9:50:70)" size="6" pos="0" show="98:8b:5d:b9:50:70" value="988b5db95070"/>
    <field name="eth.addr_resolved" showname="Address (resolved): 98:8b:5d:b9:50:70" hide="yes" size="6" pos="0" show="98:8b:5d:b9:50:70" value="988b5db95070"/>
    <field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="0" show="0" value="0" unmaskedvalue="988b5d"/>
    <field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="988b5d"/> </field>
    <field name="eth.src" showname="Source: 78:e4:00:f9:ea:83 (78:e4:00:f9:ea:83)" size="6" pos="6" show="78:e4:00:f9:ea:83" value="78e400f9ea83">
    <field name="eth.src_resolved" showname="Source (resolved): 78:e4:00:f9:ea:83" hide="yes" size="6" pos="6" show="78:e4:00:f9:ea:83" value="78e400f9ea83"/>
    <field name="eth.addr" showname="Address: 78:e4:00:f9:ea:83 (78:e4:00:f9:ea:83)" size="6" pos="6" show="78:e4:00:f9:ea:83" value="78e400f9ea83"/>
    <field name="eth.addr_resolved" showname="Address (resolved): 78:e4:00:f9:ea:83" hide="yes" size="6" pos="6" show="78:e4:00:f9:ea:83" value="78e400f9ea83"/>
    <field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="6" show="0" value="0" unmaskedvalue="78e400"/>
    <field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="78e400"/>
</field>
    <field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="2048" value="0800"/>
  </proto>
  <proto name="ip" showname="Internet Protocol Version 4, Src: 192.168.1.211 (192.168.1.211), Dst: 192.168.1.254 (192.168.1.254)" size="20" pos="14">
    <field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
    <field name="ip.hdr_len" showname="Header Length: 20 bytes" size="1" pos="14" show="20" value="45"/>
    <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))" size="1" pos="15" show="0" value="00">
    <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
    <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
</field>
    <field name="ip.len" showname="Total Length: 44" size="2" pos="16" show="44" value="002c"/>
    <field name="ip.id" showname="Identification: 0xdf54 (57172)" size="2" pos="18" show="57172" value="df54"/>
    <field name="ip.flags" showname="Flags: 0x00" size="1" pos="20" show="0" value="00">
    <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="20" show="0" value="00"/>
    <field name="ip.flags.df" showname=".0.. .... = Don&apos;t fragment: Not set" size="1" pos="20" show="0" value="00"/>
    <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="20" show="0" value="00"/>
</field>
    <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="0000"/>
    <field name="ip.ttl" showname="Time to live: 52" size="1" pos="22" show="52" value="34"/>
    <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="23" show="6" value="06"/>
    <field name="ip.checksum" showname="Header checksum: 0x2256 [validation disabled]" size="2" pos="24" show="8790" value="2256">
    <field name="ip.checksum_good" showname="Good: False" size="2" pos="24" show="0" value="2256"/>
    <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="24" show="0" value="2256"/>
</field>
    <field name="ip.src" showname="Source: 192.168.1.211 (192.168.1.211)" size="4" pos="26" show="192.168.1.211" value="c0a801d3"/>
    <field name="ip.addr" showname="Source or Destination Address: 192.168.1.211 (192.168.1.211)" hide="yes" size="4" pos="26" show="192.168.1.211" value="c0a801d3"/>
    <field name="ip.src_host" showname="Source Host: 192.168.1.211" hide="yes" size="4" pos="26" show="192.168.1.211" value="c0a801d3"/>
    <field name="ip.host" showname="Source or Destination Host: 192.168.1.211" hide="yes" size="4" pos="26" show="192.168.1.211" value="c0a801d3"/>
    <field name="ip.dst" showname="Destination: 192.168.1.254 (192.168.1.254)" size="4" pos="30" show="192.168.1.254" value="c0a801fe"/>
    <field name="ip.addr" showname="Source or Destination Address: 192.168.1.254 (192.168.1.254)" hide="yes" size="4" pos="30" show="192.168.1.254" value="c0a801fe"/>
    <field name="ip.dst_host" showname="Destination Host: 192.168.1.254" hide="yes" size="4" pos="30" show="192.168.1.254" value="c0a801fe"/>
    <field name="ip.host" showname="Source or Destination Host: 192.168.1.254" hide="yes" size="4" pos="30" show="192.168.1.254" value="c0a801fe"/>
    <field name="" show="Source GeoIP: Unknown" size="4" pos="26" value="c0a801d3"/>
    <field name="" show="Destination GeoIP: Unknown" size="4" pos="30" value="c0a801fe"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol, Src Port: 59634 (59634), Dst Port: 199 (199), Seq: 0, Len: 0" size="24" pos="34">
    <field name="tcp.srcport" showname="Source Port: 59634 (59634)" size="2" pos="34" show="59634" value="e8f2"/>
    <field name="tcp.dstport" showname="Destination Port: 199 (199)" size="2" pos="36" show="199" value="00c7"/>
    <field name="tcp.port" showname="Source or Destination Port: 59634" hide="yes" size="2" pos="34" show="59634" value="e8f2"/>
    <field name="tcp.port" showname="Source or Destination Port: 199" hide="yes" size="2" pos="36" show="199" value="00c7"/>
    <field name="tcp.stream" showname="Stream index: 0" size="0" pos="34" show="0"/>
    <field name="tcp.len" showname="TCP Segment Len: 0" size="1" pos="46" show="0" value="60"/>
    <field name="tcp.seq" showname="Sequence number: 0    (relative sequence number)" size="4" pos="38" show="0" value="1d78544a"/>
    <field name="tcp.ack" showname="Acknowledgment number: 0" size="4" pos="42" show="0" value="00000000"/>
    <field name="tcp.hdr_len" showname="Header Length: 24 bytes" size="1" pos="46" show="24" value="60"/>
    <field name="tcp.flags" showname=".... 0000 0000 0010 = Flags: 0x002 (SYN)" size="2" pos="46" show="2" value="2" unmaskedvalue="6002">
    <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="60"/>
    <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="60"/>
    <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="02"/>
    <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="02"/>
    <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="02"/>
    <field name="tcp.flags.ack" showname=".... ...0 .... = Acknowledgment: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="02"/>
    <field name="tcp.flags.push" showname=".... .... 0... = Push: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="02"/>
    <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="02"/>
    <field name="tcp.flags.syn" showname=".... .... ..1. = Syn: Set" size="1" pos="47" show="1" value="1" unmaskedvalue="02">
    <field name="_ws.expert" showname="Expert Info (Chat/Sequence): Connection establish request (SYN): server port 199" size="0" pos="47">
      <field name="tcp.connection.syn" showname="Connection establish request (SYN): server port 199" size="0" pos="0" show="" value=""/>
      <field name="_ws.expert.message" showname="Message: Connection establish request (SYN): server port 199" hide="yes" size="0" pos="0" show="Connection establish request (SYN): server port 199"/>
      <field name="_ws.expert.severity" showname="Severity level: Chat" size="0" pos="0" show="2097152"/>
      <field name="_ws.expert.group" showname="Group: Sequence" size="0" pos="0" show="33554432"/>
    </field>
  </field>
    <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="02"/>
</field>
    <field name="tcp.window_size_value" showname="Window size value: 1024" size="2" pos="48" show="1024" value="0400"/>
    <field name="tcp.window_size" showname="Calculated window size: 1024" size="2" pos="48" show="1024" value="0400"/>
    <field name="tcp.checksum" showname="Checksum: 0xb388 [validation disabled]" size="2" pos="50" show="45960" value="b388">
    <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="50" show="0" value="b388"/>
    <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="50" show="0" value="b388"/>
</field>
    <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="52" show="0" value="0000"/>
    <field name="tcp.options" showname="Options: (4 bytes), Maximum segment size" size="4" pos="54" show="02:04:05:b4" value="020405b4">
    <field name="tcp.options.mss" showname="Maximum segment size: 1460 bytes" size="4" pos="54" show="" value="">
    <field name="tcp.option_kind" showname="Kind: Maximum Segment Size (2)" size="1" pos="54" show="2" value="02"/>
    <field name="tcp.option_len" showname="Length: 4" size="1" pos="55" show="4" value="04"/>
    <field name="tcp.options.mss_val" showname="MSS Value: 1460" size="2" pos="56" show="1460" value="05b4"/>
   </field>
  </field>
 </proto>
</packet>

And an example of the output would look like this (for this packet):

<PacketSRC id = 192.168.1.211>
  <PacketDST>192.168.1.254</PacketDST>
  <PacketPORT>199</PacketPORT>
  <PacketFLAG>.... 0000 0000 0010 = Flags: 0x002 (SYN)</PacketFLAG>
</PacketSRC>

This would then need to happen for every 'packet' in the XML file.

Any help or pointers would be great. Thanks.

Answer 1

This would then need to happen for every 'packet' in the XML file.

Yes, but your XML input has only one packet, and no parent element, so it is not "representative". Similarly, your expected output has no root element - so it cannot contain multiple PacketSRC elements.

So, assuming your input has a pdml root element, try:

<xsl:stylesheet version="1.0" 
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes"/>

<xsl:template match="/">
    <root>
        <xsl:for-each select="pdml/packet">
            <PacketSRC id="{proto/field[@name='ip.src']/@show}">
                <PacketDST>
                    <xsl:value-of select="proto/field[@name='ip.dst']/@show"/>
                </PacketDST>
                <PacketPORT> 
                    <xsl:value-of select="proto/field[@name='tcp.dstport']/@show"/>
                </PacketPORT>
                <PacketFLAG>
                    <xsl:value-of select="proto/field[@name='tcp.flag']/@showname"/>
                </PacketFLAG>
            </PacketSRC>
        </xsl:for-each>
    </root>
</xsl:template>

</xsl:stylesheet>

Note:

• curly brackets to indicate attribute value template;
• the use of @ to select an attribute;
• XML is case-sensitive: </PacketPort> does not close <PacketPORT>;
• there is no field[@name='tcp.flag'] in your XML.