Re: Need equivalent query

[Jeff Morriss <jeff.morriss.ws () gmail com>]

On Thu, Jan 25, 2018 at 8:30 AM, Vinoth S <weknowth59 () gmail com> wrote:

> Hi Team,
>
> I am working on few exploration using tshark. Please find below command
> where I am extracting few fields from .pcap file. It has been executed in
> windows.
>
> tshark.exe -r sample.pcap -E separator=, -E header=y -E occurrence=f -T
> fields -e frame.time -e frame.time_epoch -e frame.len -e ip.src -e ip.dst
> -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.flags.rcode -e
> dns.a "(dns.flags.response==1) and (dns.a)" > sample.csv
>
> I have tried in centos, it's not working. May I know what is an issue in
> below command.
>
> tshark -r sample.pcap -E separator=, -E header=y -E occurrence=f -T fields
> -e frame.time -e frame.time_epoch -e frame.len -e ip.src -e ip.dst -e
> dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.flags.rcode -e
> dns.a '(dns.flags.response==1) and (dns.a)' > sample.csv
>
> *(dns.flags.response==1) and (dns.a)* => dns request has got response and
> ipv4 address is not empty
>
> If possible, please share equivalent command for centos.

Are you sure you're using the same version of Wireshark on Windows and
CentOS?  In particular you should be aware that CentOS tends to lag (far)
behind the current release.

(In other words, the behavior you're seeing is quite possibly caused by
differences between two versions of Wireshark.)

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe