Wireshark · Wireshark-dev: [Wireshark-dev] tshark: -e field output limitation

Wireshark-dev: [Wireshark-dev] tshark: -e field output limitation

From: kacer martin <kacer.martin@xxxxxxxxx>

Date: Sun, 12 Apr 2020 15:15:21 +0200

Dear all,

there seems to be a limitation in current tshark fields output (-e switch). Currently there are not preserved protocol layers/hierarchy and the output fields are generated as flat structure. For simple protocols this behavior is ok, however for complex protocols it could result into ambiguous interpretation. (Additionally the current -e switch is not working together with -x switch (hex dump))

Here is proposed filtering method for -T ek|json output to preserve protocol layers and the related discussion with examples: https://code.wireshark.org/review/#/c/36774/.

It sounds reasonable to extend -e switch with --preserve-layers option. Your opinion on this would be very useful.

Thank you and best regards

Martin Kacer

Follow-Ups:
- Re: [Wireshark-dev] tshark: -e field output limitation
  - From: Dario Lombardo

Prev by Date: [Wireshark-dev] Cant update preferred emaill after logined by GitHub oauth2
Next by Date: Re: [Wireshark-dev] tshark: -e field output limitation
Previous by thread: Re: [Wireshark-dev] Cant update preferred emaill after logined by GitHub oauth2
Next by thread: Re: [Wireshark-dev] tshark: -e field output limitation
Index(es):
- Date
- Thread