Wireshark · Wireshark-users: Re: [Wireshark-users] Need equivalent query

Wireshark-users: Re: [Wireshark-users] Need equivalent query

From: Vinoth S <weknowth59@xxxxxxxxx>

Date: Fri, 26 Jan 2018 11:48:42 +0530

Hi Team,

Please find below software version details:

CentOS Linux release 7.4.1708(core)

[root@192 ~]# rpm -qi wireshark

Name : wireshark

Version : 1.10.14

Release : 14.el7

Architecture: x86_64

Windows 8.1 - 64bit

Wireshark-win64-2.2.12.exe

PFA for reference from cent-os execution.

I could understand different OS and Software versions will give different output.

In case software is my issue, then how can achieve same thing in cent-os?

My ultimate aim is to satisfy this condition : (dns.flags.response==1) and (dns.a) => dns request has got response and ipv4 address is not empty

Thanks in advance.

On Thu, Jan 25, 2018 at 7:22 PM, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:

Hi,

Not unless you give us the Wireshark version installed on your CentOS platform.

On 25 Jan 2018, at 14:30, Vinoth S <weknowth59@xxxxxxxxx> wrote:

Hi Team,

I am working on few exploration using tshark. Please find below command where I am extracting few fields from .pcap file. It has been executed in windows.

tshark.exe -r sample.pcap -E separator=, -E header=y -E occurrence=f -T fields -e frame.time -e frame.time_epoch -e frame.len -e ip.src -e ip.dst -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.flags.rcode -e dns.a "(dns.flags.response==1) and (dns.a)" > sample.csv

I have tried in centos, it's not working. May I know what is an issue in below command.

tshark -r sample.pcap -E separator=, -E header=y -E occurrence=f -T fields -e frame.time -e frame.time_epoch -e frame.len -e ip.src -e ip.dst -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.flags.rcode -e dns.a '(dns.flags.response==1) and (dns.a)' > sample.csv

(dns.flags.response==1) and (dns.a) => dns request has got response and ipv4 address is not empty

If possible, please share equivalent command for centos.

Thanks,
S.Vinoth

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

weknow(th)

Virus-free. www.avg.com

Attachment: CentOS-TShark.png
Description: PNG image

References:
- [Wireshark-users] Need equivalent query
  - From: Vinoth S
- Re: [Wireshark-users] Need equivalent query
  - From: Jaap Keuter

Prev by Date: Re: [Wireshark-users] Need equivalent query
Next by Date: [Wireshark-users] How to save the content of an RTP stream in WS 2.4.4?
Previous by thread: Re: [Wireshark-users] Need equivalent query
Next by thread: [Wireshark-users] How to save the content of an RTP stream in WS 2.4.4?
Index(es):
- Date
- Thread