Wireshark mailing list archives

tshark: -e field output limitation


From: kacer martin <kacer.martin () gmail com>
Date: Sun, 12 Apr 2020 15:15:21 +0200

Dear all,

there seems to be a limitation in the current tshark fields output (-e switch).
Currently the protocol layers/hierarchy are not preserved and the output
fields are generated as a flat structure. For simple protocols this behavior
is OK; however, for complex protocols it could result in ambiguous
interpretation. (Additionally, the current -e switch does not work together
with the -x switch (hex dump).)

Here is a proposed filtering method for -T ek|json output to preserve
protocol layers, and the related discussion with examples:
https://code.wireshark.org/review/#/c/36774/.
It sounds reasonable to extend the -e switch with a --preserve-layers option.
Your opinion on this would be very useful.

Thank you and best regards

Martin Kacer
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
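
The ambiguity described in the message above, as an added example that is not part of the original post and is not tshark's code or output format: two constructed, simplified dissections (a GTP tunnel and an ICMP error quoting another packet's header) yield identical flat field output, while a layer-preserving extraction keeps them distinguishable. The packet model and the helper names (flat_fields, layered_fields, owning_ip_layer) are assumptions made for illustration.

```python
# Constructed, simplified dissections: each packet is an ordered list of
# (protocol, fields) layers. This is NOT verbatim tshark output.
TUNNEL = [  # outer IP/UDP carrying GTP with an inner IP/TCP flow
    ("ip",  {"ip.src": "10.0.0.1"}),
    ("udp", {"udp.dstport": "2152"}),
    ("gtp", {"gtp.teid": "0x00000001"}),
    ("ip",  {"ip.src": "192.168.1.10"}),
    ("tcp", {"tcp.dstport": "443"}),
]
ICMP_ERROR = [  # ICMP error quoting the IP/UDP header of another packet
    ("ip",   {"ip.src": "10.0.0.1"}),
    ("icmp", {"icmp.type": "3"}),
    ("ip",   {"ip.src": "192.168.1.10"}),
    ("udp",  {"udp.dstport": "2152"}),
]
WANTED = {"ip.src", "udp.dstport"}


def flat_fields(packet, wanted):
    """Flat extraction: one bucket per field name, layer origin discarded."""
    out = {name: [] for name in sorted(wanted)}
    for _proto, fields in packet:
        for name, value in fields.items():
            if name in wanted:
                out[name].append(value)
    return out


def layered_fields(packet, wanted):
    """Hypothetical layer-preserving extraction: same field filter, but each
    value stays attached to the layer (position and protocol) it came from."""
    out = []
    for position, (proto, fields) in enumerate(packet):
        kept = {n: v for n, v in fields.items() if n in wanted}
        if kept:
            out.append((position, proto, kept))
    return out


def owning_ip_layer(packet, field):
    """Position of the nearest IP layer at or before the layer holding field."""
    last_ip = None
    for position, (proto, fields) in enumerate(packet):
        if proto == "ip":
            last_ip = position
        if field in fields:
            return last_ip
    return None


if __name__ == "__main__":
    print(flat_fields(TUNNEL, WANTED) == flat_fields(ICMP_ERROR, WANTED))
    print(layered_fields(TUNNEL, WANTED))
    print(layered_fields(ICMP_ERROR, WANTED))
```

With the flat result alone, a detection rule cannot tell whether UDP port 2152 belongs to the outer address (real tunnel traffic) or to the quoted inner header of an ICMP error.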
