Dear all,

There seems to be a limitation in the current tshark fields output (-e switch). Currently the protocol layers/hierarchy are not preserved and the output fields are generated as a flat structure. For simple protocols this behavior is OK; however, for complex protocols it could result in ambiguous interpretation. (Additionally, the current -e switch does not work together with the -x switch (hex dump).)

Here is a proposed filtering method for -T ek|json output to preserve protocol layers, and the related discussion with examples: https://code.wireshark.org/review/#/c/36774/. It sounds reasonable to extend the -e switch with a --preserve-layers option.

Your opinion on this would be very useful.

Thank you and best regards,
Martin Kacer
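The ambiguity described in the message above, as an added example that is not part of the original post or of the Wireshark change under review. The tunneled packet, its layer-list representation and the function names are constructed for illustration and do not reproduce tshark's actual output format or the behaviour of the proposed --preserve-layers option.

```python
# Constructed dissection of one tunneled packet (IP/UDP/GTP carrying IP/TCP).
# Layers are an ordered list because the same protocol can occur twice.
PACKET = [
    ("ip",  {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.2"}),         # tunnel endpoints
    ("udp", {"udp.srcport": "2152", "udp.dstport": "2152"}),
    ("gtp", {"gtp.teid": "0x00000001"}),
    ("ip",  {"ip.src": "192.168.1.10", "ip.dst": "203.0.113.5"}),  # user traffic
    ("tcp", {"tcp.srcport": "49152", "tcp.dstport": "443"}),
]


def flat_fields(layers, wanted):
    """Flat view: field name -> values in packet order; layer identity is lost."""
    out = {}
    for _proto, fields in layers:
        for name, value in fields.items():
            if name in wanted:
                out.setdefault(name, []).append(value)
    return out


def layered_fields(layers, wanted):
    """Layer-preserving view: keep position and protocol of every layer
    that contributes at least one selected field."""
    out = []
    for idx, (proto, fields) in enumerate(layers):
        kept = {n: v for n, v in fields.items() if n in wanted}
        if kept:
            out.append({"layer": idx, "proto": proto, "fields": kept})
    return out


def ambiguous(flat):
    """Selected fields that appear in more than one layer of the packet."""
    return sorted(name for name, values in flat.items() if len(values) > 1)


if __name__ == "__main__":
    wanted = {"ip.src", "tcp.dstport"}
    flat = flat_fields(PACKET, wanted)
    print("flat:     ", flat)
    print("ambiguous:", ambiguous(flat))
    # A rule keyed on the flat "ip.src" cannot tell the tunnel endpoint from
    # the inner host; the layered view keeps them apart.
    for entry in layered_fields(PACKET, wanted):
        print("layered:  ", entry)
```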