Hello,
Right now to use the tshark -T json output in a project I have to use a streaming json parser in order to avoid values of duplicated keys being overwritten. Using a standard json parser like JavaScript's JSON.parse() results in only the last value of the duplicated key being available in the resulting json. This is not ideal and I'd like to fix this bug so I can use JSON.parse() instead of a streaming json parser to read tshark's json output.
The way I work around the problem at the moment is by intercepting each duplicated key/value before it gets overwritten and storing the value next to the duplicated key values as an array with the same key with the "_array" suffix.
I'd solve the problem in Wireshark in a similar way. A duplicate key in the current output would only be written once (in the object) and its value would be a json array containing all different values for the key. A simple suffix like "_array" or "s" could be added to the key in order to clearly indicate the key has multiple values.
My current workaround with a streaming json parser does the same thing and this has worked for the ip, tcp, http and http/2 tshark json output. However, I don't know if there are other protocols where this approach would not work.
Would this be a good solution for the problem or am I missing something?
Regards,
Daan
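
The behaviour discussed in the message above, as an added example that is not part of the original post or of Wireshark: JSON.parse() keeps only the last value of a repeated key, while a small reader that tracks every key can emit the repeated key once with the "_array" suffix. The function name `parseKeepingDuplicates` and the sample input are constructed for illustration.

```javascript
// Added example: recursive-descent JSON reader that keeps duplicate keys.
const STRING = /"(?:[^"\\]|\\.)*"/y;
const LITERAL = /-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|true|false|null/y;
function parseKeepingDuplicates(text, suffix = "_array") {
  let i = 0;
  const ws = () => { while (/\s/.test(text[i] || "")) i++; };
  const fail = (msg) => { throw new SyntaxError(`${msg} at offset ${i}`); };
  const expect = (ch) => { ws(); if (text[i] !== ch) fail(`expected '${ch}'`); i++; };
  const scalar = (re) => { // JSON.parse decodes the matched token (escapes etc.)
    re.lastIndex = i;
    const m = re.exec(text) || fail("unexpected token");
    i = re.lastIndex;
    return JSON.parse(m[0]);
  };
  const list = (open, close, item) => { // shape: open item, item, ... close
    expect(open); ws();
    if (text[i] === close) { i++; return; }
    do { ws(); item(); ws(); } while (text[i] === "," && ++i);
    expect(close);
  };
  const value = () => {
    ws();
    if (text[i] === "[") { const out = []; list("[", "]", () => out.push(value())); return out; }
    if (text[i] !== "{") return scalar(text[i] === '"' ? STRING : LITERAL);
    const seen = new Map(); // key -> every value, in document order
    list("{", "}", () => {
      const key = scalar(STRING);
      expect(":");
      if (!seen.has(key)) seen.set(key, []);
      seen.get(key).push(value());
    });
    // fromEntries defines own properties, so a "__proto__" key stays plain data.
    return Object.fromEntries([...seen].map(([k, vals]) =>
      vals.length === 1 ? [k, vals[0]] : [k + suffix, vals]));
  };
  const result = value();
  ws();
  if (i !== text.length) fail("trailing data");
  return result;
}

// Constructed sample shaped like one tshark -T json "layers" object.
const SAMPLE = `{"layers": {"http": {
  "http.request.line": "Host: example.test\\r\\n",
  "http.request.line": "Accept: */*\\r\\n",
  "http.host": "example.test"}}}`;

console.log(JSON.parse(SAMPLE).layers.http, parseKeepingDuplicates(SAMPLE).layers.http);
```

A key that already ends in the suffix in the input can collide with a generated one; in this sketch the later entry wins.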