Where is tshark -T jsonraw documented?

Problem

I am trying to understand how to use jsonraw as an option, as I saw it on the manpage. The major difference between it and json is that jsonraw includes the hex for each field.

Example Packet Capture/Packet

For example, packet 4 of this PacketLife capture is an ARP packet.

If we run tshark on this capture, and then grep for a specific field (eth.src_raw), we see that there is the raw hex 881544b14f70, but also 4 other values.

$ tshark -r STP\ UplinkFast.pcapng -T jsonraw -Y "frame.number == 4" | grep eth.src_raw -A 6
"eth.src_raw": [
            "881544b14f70",
            6,
            6,
            0,
            29
          ],

Speculation Time

It's fair to assume that the two 6's in json["eth.src_raw"][1:3] have something to do with the fact that a MAC address takes up 6 bytes. 29 might be where this value starts? And then 0 is...?

Searching for Info

Searching for jsonraw in the User Guide turns up no results. Tshark's manpage admits that it exists, but not much more.

Question

Where can I find more information on tshark -T jsonraw?