Re: tshark: -e field output limitation

[Dario Lombardo <lomato () gmail com>]

Hi Martin
Unless anyone objects, I'd go with --preserve-layers. I suggested you this
way because tshark has so many short options that we've almost run out of
alphabet letters. I'd be very careful and conservative when eating up more
letters. Moreover -k is an option used by wireshark to run capture
immediately. tshark and wireshark don't have the same option set, but I'd
avoid to make them even more different by using overlapping options for
different features.
A long option that improves the use of -e to fit your use-case seems more
suitable to me.
If you'll take this way:
1) don't forget to update ALL docs. You've just updated tshark-h.txt, but
there are man pages, READMEs, etc. Do a full review of which docs need to
be updated
2) add the new option to the release notes: we need to inform the users
that a new option is available
3) be sure this option works for all the json-related formats: ek, json but
also jsonraw
4) add regression tests to cover your new option in all the 3 formats I
mentioned above.
Thanks for contributing and happy locked-down Easter Monday.
Dario.

On Sun, Apr 12, 2020 at 5:44 PM kacer martin <kacer.martin () gmail com> wrote:

> Dear all,
>
> there seems to be a limitation in current tshark fields output (-e
> switch). Currently there are not preserved protocol layers/hierarchy and
> the output fields are generated as flat structure. For simple protocols
> this behavior is ok, however for complex protocols it could result into
> ambiguous interpretation. (Additionally the current -e switch is not
> working together with -x switch (hex dump))
>
> Here is proposed filtering method for -T ek|json output to preserve
> protocol layers and the related discussion with examples:
> https://code.wireshark.org/review/#/c/36774/.
> It sounds reasonable to extend -e switch with --preserve-layers option.
> Your opinion on this would be very useful.
>
> Thank you and best regards
>
> Martin Kacer
>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe



-- 

Naima is online.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe