On Sep 10, 2015, at 1:05 PM, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:
> Just a random thought (as I'm far from being a script expert). In case only one of the 2 IP address is resolved, would it be harder to parse?
> Src: 192.0.2.1, Dst: localhost (127.0.0.1)
Is it harder to parse that or
<packet>
<section>15</section>
<section>7.646900</section>
<section>192.0.2.1</section>
<section>127.0.0.1</section>
<section>{protocol}</section>
<section>{info}</section>
</packet>
(PSML) or
192.0.2.1,127.0.0.1
(-T fields -E separator=, -e _ws.col.Source -e _ws.col.Destination)?
Perhaps the default packet detail output should be oriented towards being read by humans, with the output of -T psml, -T ldml, and -T fields being what you use if you want it to be read by software?
