Ask Your Question

Revision history [back]

The intended use of jsonraw was to reduce the "tshark -T json -x" output size and still to allow to dissect the protocol layers on raw/byte level and provide information regarding the dissected field. For possible use see the json2pcap script (however not all information are preserved in jsonraw compared to -T json -x, as frame timestamp).

The values in raw fields are:

          "eth.src_raw": [
            "881544b14f70",    # hex string
            6,                 # position in frame
            6,                 # length
            0,                 # bitmask
            29                 # type

The json2pcap script is flattening back the json into raw frame from highest layers to lowest. Certain fields are not byte aligned and then the bitmask is also used.