Wireshark-users: Re: [Wireshark-users] How do I slightly tweak the text output options of tshark?
From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Wed, 20 Jul 2011 21:27:03 +0200
Hi Eric,

Try this:
tshark -r test.pcap -R "dns" -o column.format:""No.","%m", "Time", "%Yt",
"Source", "%s", "ID", "%Cus:dns.id", "Info", "%i"" > test.csv

Best regards
Joke

On Wed, 20 Jul 2011 13:29:47 -0400 Eric Howard wrote:
>Thanks you for all of your help.  I believe I found the solution:
>
>tshark -o column.format:'"Time", "%Yt", "Source", "%s", "No.", "%m",
>"Info", "%i", "ID", "%Cus:dns.id"' port 53
>
>
>On 07/20/2011 11:09 AM, Jaap Keuter wrote:
>> On Wed, 20 Jul 2011 09:52:42 -0400, Eric Howard wrote:
>> 
>>> Hi. I love the functionality that wireshark gives me. I am trying to
>>> log DNS transactions. The stand text display gives me most of what I
>>> want. For example:
>>>
>>> [root@myserv~]# tshark -tad port 53
>>> Running as user "root" and group "root". This could be dangerous.
>>> Capturing on eth0
>>> 2011-07-20 09:46:46.971987 152.75.52.18 -> 152.75.73.251 DNS Standard
>>> query A www.yahoo.com [1]
>>> 2011-07-20 09:46:46.972226 152.75.73.251 -> 152.75.52.18 DNS Standard
>>> query response CNAME fp.wg1.b.yahoo.com CNAME any-fp.wa1.b.yahoo.com
A
>>> 69.147.125.65 A 67.195.160.76
>>>
>>> However, I want to somehow capture queries and responses into a database
>>> base and need a way to associate the query and response data. In the
>>> above example I get a CNAME result but need to also record the fact the
>>> original request was for 'www.yahoo.com [2]' I believe that "dns.id"
>>> field
>>> would allow me to associate the query and response. Is there an easy
>>> way to modify the standard output to append this single field or do I
>>> have to write an extremely complicated fields directive to create the
>>> standard output with the additional field?
>>>
>>> Thanks for your help!
>>>
>>> -- Eric --
>>>
>> 
>> Hi,
>> 
>> Have a look at custom columns. You can show there (almost) anything.
>> 
>> Thanks,
>> Jaap