Wireshark-users: Re: [Wireshark-users] How do I slightly tweak the text output options of tshark?
Jaap, thanks for your answer. How do I deconstruct the standard output
to find out the columns that are already being displayed?
-- Eric --
On 07/20/2011 11:09 AM, Jaap Keuter wrote:
> On Wed, 20 Jul 2011 09:52:42 -0400, Eric Howard wrote:
>
>> Hi. I love the functionality that wireshark gives me. I am trying to
>> log DNS transactions. The standard text display gives me most of what I
>> want. For example:
>>
>> [root@myserv~]# tshark -tad port 53
>> Running as user "root" and group "root". This could be dangerous.
>> Capturing on eth0
>> 2011-07-20 09:46:46.971987 152.75.52.18 -> 152.75.73.251 DNS Standard
>> query A www.yahoo.com
>> 2011-07-20 09:46:46.972226 152.75.73.251 -> 152.75.52.18 DNS Standard
>> query response CNAME fp.wg1.b.yahoo.com CNAME any-fp.wa1.b.yahoo.com A
>> 69.147.125.65 A 67.195.160.76
>>
>> However, I want to somehow capture queries and responses into a
>> database and need a way to associate the query and response data. In the
>> above example I get a CNAME result but need to also record the fact the
>> original request was for 'www.yahoo.com'. I believe that the "dns.id"
>> field would allow me to associate the query and response. Is there an easy
>> way to modify the standard output to append this single field or do I
>> have to write an extremely complicated fields directive to create the
>> standard output with the additional field?
>>
>> Thanks for your help!
>>
>> -- Eric --
>>
>
> Hi,
>
> Have a look at custom columns. You can show there (almost) anything.
>
> Thanks,
> Jaap
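The query/response join Eric asks about, as an added example that is not part of this thread or of Wireshark: it reads a constructed tshark `-T fields` export (the field list is an assumption, given in the comment) and joins each response to its query. It keys the join on the client address, port and question name as well as dns.id, because a 16-bit transaction ID repeats quickly on a busy resolver and dns.id alone would mis-pair transactions.

```python
from __future__ import annotations

# Constructed sample of what this tshark field export would print (hosts and
# names come from the capture in the thread; ports, IDs and times are made up):
#   tshark -i eth0 -f 'port 53' -T fields -E separator='|' \
#       -E occurrence=a -E aggregator=, \
#       -e frame.time_epoch -e ip.src -e ip.dst -e udp.srcport -e udp.dstport \
#       -e dns.id -e dns.flags.response -e dns.qry.name -e dns.cname -e dns.a
SAMPLE = """\
1311169606.971987|152.75.52.18|152.75.73.251|41235|53|0x1a2b|0|www.yahoo.com||
1311169606.972226|152.75.73.251|152.75.52.18|53|41235|0x1a2b|1|www.yahoo.com|fp.wg1.b.yahoo.com,any-fp.wa1.b.yahoo.com|69.147.125.65,67.195.160.76
1311169607.100000|152.75.52.18|152.75.73.251|41236|53|0x1a2b|0|example.org||
1311169607.100500|152.75.73.251|152.75.52.18|53|41236|0x1a2b|1|example.org||93.184.216.34
1311169608.000000|152.75.52.18|152.75.73.251|41237|53|0x0042|0|orphan.test||
"""

def parse(text):
    """Yield one dict per tshark line; empty RR fields become empty lists."""
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 10:
            raise ValueError("unexpected field count: %r" % line)
        t, src, dst, sport, dport, dns_id, resp, qname, cname, a = f
        is_resp = resp in ("1", "True")  # older tshark prints 1/0, newer True/False
        yield {"time": float(t), "id": int(dns_id, 16), "response": is_resp,
               "client": dst if is_resp else src,  # the host that asked
               "client_port": int(dport if is_resp else sport),
               "qname": qname, "cname": cname.split(",") if cname else [],
               "a": a.split(",") if a else []}

def correlate(text):
    """Return (joined transactions, unanswered queries, responses with no query)."""
    pending, joined, orphans = {}, [], []
    for p in parse(text):
        key = (p["id"], p["client"], p["client_port"], p["qname"])
        if not p["response"]:
            pending[key] = p
            continue
        q = pending.pop(key, None)
        if q is None:
            orphans.append(p)  # reply with no matching query: log it separately
            continue
        joined.append({"dns_id": p["id"], "client": p["client"], "qname": p["qname"],
                       "rtt_ms": round((p["time"] - q["time"]) * 1000, 3),
                       "cname": p["cname"], "a": p["a"]})
    return joined, list(pending.values()), orphans
```

Each dict in the joined list is one row ready for a database insert; the two queries sharing ID 0x1a2b stay distinct because their client ports and names differ.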