The intended use of jsonraw was to reduce the size of the "tshark -T json -x" output while still allowing the protocol layers to be dissected at the raw/byte level and providing information about the dissected field. For a possible use, see the json2pcap script (however, not all information is preserved in jsonraw compared to -T json -x, such as the frame timestamp).
The values in raw fields are:
    "eth.src_raw": [
        "881544b14f70",  # hex string
        6,               # position in frame
        6,               # length
        0,               # bitmask
        29               # type
    ],
The json2pcap script flattens the JSON back into a raw frame, from the highest layers to the lowest. Certain fields are not byte aligned, and for those the bitmask is also used.
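
As an added illustration (not code from json2pcap or from the original answer), the sketch below rebuilds frame bytes from `[hex, position, length, bitmask, type]` values. It assumes the hex string covers the whole bytes at that position and that the bitmask, read big-endian over those bytes, marks the bits the field owns; every sample entry except `eth.src_raw` is constructed.

```python
def apply_raw_field(frame, raw):
    """Write one jsonraw value [hex, position, length, bitmask, type] into frame."""
    hex_str, pos, length, bitmask, _ftype = raw  # type is not needed to rebuild bytes
    data = bytes.fromhex(hex_str)
    if pos < 0 or length != len(data):
        raise ValueError("position/length do not match the hex string")
    if pos + length > len(frame):
        # Grow the frame with zero bytes so the field fits.
        frame.extend(bytes(pos + length - len(frame)))
    if bitmask == 0:
        # Byte-aligned field: plain copy.
        frame[pos:pos + length] = data
        return
    # Assumption: the bitmask is big-endian over the field's bytes.
    mask = bitmask.to_bytes(length, "big")
    for i in range(length):
        kept = frame[pos + i] & ~mask[i] & 0xFF   # bits owned by other fields
        frame[pos + i] = kept | (data[i] & mask[i])


def flatten(raw_fields):
    """Apply the raw values in list order and return the rebuilt frame bytes."""
    frame = bytearray()
    for raw in raw_fields:
        apply_raw_field(frame, raw)
    return bytes(frame)


# Higher-layer fields first, as in the description above.
SAMPLE = [
    ["4f", 14, 1, 0xF0, 0],            # constructed: field owns the high nibble
    ["f5", 14, 1, 0x0F, 0],            # constructed: field owns the low nibble
    ["881544b14f70", 6, 6, 0, 29],     # eth.src_raw value from the answer
    ["ffffffffffff", 0, 6, 0, 29],     # constructed: destination address
]

if __name__ == "__main__":
    print(flatten(SAMPLE).hex())
```

The two masked entries share byte 14: only the bits under each mask are written, so the byte ends up as `45` even though the hex strings carry other bits.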