Hey folks, I've spent quite a lot of time braining this out, but I can't seem to figure out how to solve the problem.
I need certain fields like
eth.dst
eth.dst_resolved
but (for example) not
eth.src
eth.src_resolved
plus I need the frame_raw (-x flag), but when I use this command it does not work:
tshark -T ek -e eth.dst -e eth.dst_resolved -e... -e... -x -r ../caps/trace_00049_20191116001454.pcap
The output does not contain the frame_raw / -x.
When I use the -J option (to export as json), I use this command:
tshark -T ek -J "ip" -x -r ...
I cannot figure out how to convert my filters from "wireshark" terminology to the required terminology for json.
-J "ip" gives me everything in layers.ip, and I cannot narrow it down. Any ideas?
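One workaround, independent of which tshark flags eventually do the trick, is to let `tshark -T ek -x` emit everything and post-filter the EK stream down to the fields you want plus `frame_raw`. The script below is an added example, not from the original post or from Wireshark; the EK key naming it assumes (`eth_eth_dst` for `eth.dst`, i.e. layer prefix plus the field with dots turned into underscores) and the two-line sample record are constructed to illustrate the approach, so check them against the output of your own tshark version before relying on it.

```python
"""Post-filter tshark -T ek output to selected display-filter fields plus frame_raw.

Added example, not part of the original post. Assumes the EK field-name
style "<layer>_<field with dots as underscores>", e.g. eth.dst -> eth_eth_dst.
"""
import json

# Constructed sample of what `tshark -T ek -x` emits for one packet:
# an index line followed by the packet record. All values are made up.
SAMPLE_EK = """\
{"index":{"_index":"packets-2019-11-16","_type":"doc"}}
{"timestamp":"1573863294000","layers":{"frame_raw":["ffffffffffff0011223344550800"],"frame":{"frame_frame_len":"60"},"eth":{"eth_eth_dst":"ff:ff:ff:ff:ff:ff","eth_eth_dst_resolved":"Broadcast","eth_eth_src":"00:11:22:33:44:55","eth_eth_src_resolved":"Vendor_33:44:55"},"ip":{"ip_ip_src":"10.0.0.1","ip_ip_dst":"10.0.0.255"}}}
"""


def ek_key(field: str) -> tuple:
    """Map a display-filter field (eth.dst) to its EK layer and key (eth, eth_eth_dst).

    The mapping is an assumption about EK naming, not something taken from the post.
    """
    layer = field.split(".", 1)[0]
    return layer, f"{layer}_{field.replace('.', '_')}"


def filter_ek(ek_text: str, fields, keep_raw: bool = True):
    """Yield one dict per packet holding only the requested fields (and frame_raw)."""
    wanted = [ek_key(f) for f in fields]
    for line in ek_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if "layers" not in rec:  # skip the {"index": ...} header lines
            continue
        layers = rec["layers"]
        out = {"timestamp": rec.get("timestamp")}
        for layer, key in wanted:
            val = layers.get(layer, {}).get(key)
            if val is not None:
                out[key] = val
        # frame_raw sits at the layers level when -x is given
        if keep_raw and "frame_raw" in layers:
            out["frame_raw"] = layers["frame_raw"]
        yield out


if __name__ == "__main__":
    # Usage: tshark -T ek -x -r trace.pcap | python filter_ek.py  (here: the constructed sample)
    for pkt in filter_ek(SAMPLE_EK, ["eth.dst", "eth.dst_resolved"]):
        print(json.dumps(pkt))
```

Pipe the real capture through it with `tshark -T ek -x -r ../caps/trace_00049_20191116001454.pcap | python filter_ek.py` after swapping `SAMPLE_EK` for `sys.stdin.read()`; only `eth_eth_dst`, `eth_eth_dst_resolved` and `frame_raw` survive, while the `eth.src` fields and the whole `ip` layer are dropped.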