Here are some proposed patches to address the issue. All of them add hex support to the tshark fields filter (-T ek -x -e ...):

  • https://code.wireshark.org/review/#/c/36774/13 - adds hex support to -T ek -x -e ... and introduces --fields-xpath option (to group fields in the output based on their xpath location)
  • https://code.wireshark.org/review/#/c/36774/9 - adds hex support to -T ek -x -e ... and introduces --preserve-layers option (to preserve json hierarchy in the output)
  • https://code.wireshark.org/review/#/c/36774/2 - added -k option (fieldfilter). You can use it like -x -T ek -k "frame_raw" -e eth.dst, ... to control precisely which fields from -T ek are in the output

None of these patches is accepted yet and the approach is not concluded yet. (The -k option probably most closely does what was asked here.)

To use it, you need to download the source code of a stable Wireshark release, apply the selected patch, and compile Wireshark.