Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2024-02-13 15:45:20 +0000

Chuckc gravatar image

Just to clarify, frame.raw is not a Wireshark field but there is a frame_raw in -T jsonraw output.

tshark -T jsonraw -j "frame" -x -r .\test.pcap

    "_index": "packets-2021-02-10",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame_raw": [
          "000000000000000000000000080045000054000000007601ab6908080808c0a8c88700004a0200250002643c2460000000006c67020000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637",
          0,
          98,
          0,
          1
        ],
        "frame": {