Wireshark-dev: Re: [Wireshark-dev] tshark: -e field output limitation

From: Dario Lombardo <lomato@xxxxxxxxx>
Date: Mon, 13 Apr 2020 12:18:31 +0200
Hi Martin
Unless anyone objects, I'd go with --preserve-layers. I suggested you this way because tshark has so many short options that we've almost run out of alphabet letters. I'd be very careful and conservative when eating up more letters. Moreover -k is an option used by wireshark to run capture immediately. tshark and wireshark don't have the same option set, but I'd avoid to make them even more different by using overlapping options for different features.
A long option that improves the use of -e to fit your use-case seems more suitable to me.
If you'll take this way:
1) don't forget to update ALL docs. You've just updated tshark-h.txt, but there are man pages, READMEs, etc. Do a full review of which docs need to be updated
2) add the new option to the release notes: we need to inform the users that a new option is available
3) be sure this option works for all the json-related formats: ek, json but also jsonraw
4) add regression tests to cover your new option in all the 3 formats I mentioned above.
Thanks for contributing and happy locked-down Easter Monday.
Dario.

On Sun, Apr 12, 2020 at 5:44 PM kacer martin <kacer.martin@xxxxxxxxx> wrote:
Dear all,

there seems to be a limitation in current tshark fields output (-e switch). Currently there are not preserved protocol layers/hierarchy and the output fields are generated as flat structure. For simple protocols this behavior is ok, however for complex protocols it could result into ambiguous interpretation. (Additionally the current -e switch is not working together with -x switch (hex dump))

Here is proposed filtering method for -T ek|json output to preserve protocol layers and the related discussion with examples: https://code.wireshark.org/review/#/c/36774/
It sounds reasonable to extend -e switch with --preserve-layers option. Your opinion on this would be very useful.

Thank you and best regards

Martin Kacer




___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


--
Naima is online.