Yes, it's supposed to be readable by Elasticsearch. As the TShark man page says:

-T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
    Set the format of the output when viewing decoded packet data. The options are one of:

    ek  Newline delimited JSON format for bulk import into Elasticsearch. ...

I.e., it was not designed, by the JSON/Elasticsearch people, for easy human readability; it was designed for easy readability by Elasticsearch. If that means that it's less human-readable than intentionally human-readable text, that's life.
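
The answer above describes `-T ek` output as newline-delimited JSON meant for Elasticsearch bulk import. As an added example (not part of the original answer and not Wireshark code), this Python script pairs each bulk action line with the document line that follows it and flattens the result into readable text; the sample records, index name and field names are constructed assumptions.

```python
import json

# Constructed sample in the shape of `tshark -T ek` output: an Elasticsearch
# bulk "index" action line followed by one document line per packet.
# Index name and field names are illustrative assumptions, not a real capture.
SAMPLE_EK = """\
{"index":{"_index":"packets-2024-01-01"}}
{"timestamp":"1704067200000","layers":{"ip":{"ip_ip_src":"192.0.2.10","ip_ip_dst":"198.51.100.7"},"tcp":{"tcp_tcp_dstport":"443"}}}
{"index":{"_index":"packets-2024-01-01"}}
{"timestamp":"1704067200250","layers":{"ip":{"ip_ip_src":"198.51.100.7","ip_ip_dst":"192.0.2.10"},"udp":{"udp_udp_srcport":"53"}}}
"""

def parse_bulk(text):
    """Pair each bulk action line with the document line that follows it."""
    records, action = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # tolerate blank lines between records
        obj = json.loads(line)
        if action is None:
            if "index" not in obj:
                raise ValueError(f"line {lineno}: expected an index action line")
            action = obj["index"]
        else:
            records.append({"index": action.get("_index"), "doc": obj})
            action = None
    if action is not None:
        raise ValueError("truncated input: action line without a document")
    return records

def flatten(node, prefix=""):
    """Turn nested layers into sorted (dotted.path, value) pairs."""
    if isinstance(node, dict):
        out = []
        for key in sorted(node):
            out.extend(flatten(node[key], f"{prefix}{key}."))
        return out
    return [(prefix.rstrip("."), node)]

def render(text):
    """Return a human-readable listing, one block per packet."""
    lines = []
    for n, rec in enumerate(parse_bulk(text), 1):
        lines.append(f"packet {n} [{rec['index']}] ts={rec['doc'].get('timestamp')}")
        for path, value in flatten(rec["doc"].get("layers", {})):
            lines.append(f"  {path} = {value}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(SAMPLE_EK))
```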