Wireshark-users: Re: [Wireshark-users] How do I slightly tweak the text output options of tshark?

From: Eric Howard <ehoward@xxxxxxx>
Date: Wed, 20 Jul 2011 11:47:53 -0400
Jaap, thanks for your answer.  How do I deconstruct the standard output
to find out the columns that are already being displayed?

-- Eric --

On 07/20/2011 11:09 AM, Jaap Keuter wrote:
> On Wed, 20 Jul 2011 09:52:42 -0400, Eric Howard wrote:
>> Hi. I love the functionality that wireshark gives me. I am trying to
>> log DNS transactions. The standard text display gives me most of what I
>> want. For example:
>> [root@myserv~]# tshark -tad port 53
>> Running as user "root" and group "root". This could be dangerous.
>> Capturing on eth0
>> 2011-07-20 09:46:46.971987 -> DNS Standard query A www.yahoo.com
>> 2011-07-20 09:46:46.972226 -> DNS Standard query response CNAME fp.wg1.b.yahoo.com CNAME any-fp.wa1.b.yahoo.com A A
>> However, I want to somehow capture queries and responses into a
>> database and need a way to associate the query and response data. In the
>> above example I get a CNAME result but need to also record the fact that the
>> original request was for 'www.yahoo.com'. I believe that the "dns.id" field
>> would allow me to associate the query and response. Is there an easy
>> way to modify the standard output to append this single field, or do I
>> have to write an extremely complicated fields directive to create the
>> standard output with the additional field?
>> Thanks for your help!
>> -- Eric --
> Hi,
> Have a look at custom columns. You can show there (almost) anything.
> Thanks,
> Jaap
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
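
Added example (not code from the thread above or from the Wireshark project): the join Eric describes, done outside tshark. It assumes the capture is written with tshark's `-T fields` output rather than the default summary columns, using a command like the one in the module docstring (that command line is an assumption; the `-e` field names are standard Wireshark IP/UDP/DNS fields). The sample lines are constructed to match that format, not a real capture. The point a practitioner should take from it: `dns.id` is a 16-bit value that resolvers and stub clients reuse constantly, so the join key has to include the address/port 4-tuple (reversed for the response) and the question name, and a response that arrives with no matching query, or long after it, should be reported rather than silently attached to something.

```python
#!/usr/bin/env python3
"""Join DNS queries with their responses from tshark '-T fields' output.

Added example, not code from the original mailing-list thread. It assumes
the capture was produced with a command like this (an assumption; each -e
name is a standard Wireshark field):

  tshark -i eth0 -l -T fields -E separator='|' -E aggregator=',' \
      -e frame.time_epoch -e ip.src -e ip.dst -e udp.srcport -e udp.dstport \
      -e dns.id -e dns.flags.response -e dns.qry.name -e dns.cname -e dns.a \
      port 53
"""
import collections

# Constructed sample output in the format above (not a real capture).
# Lines 3/4 reuse ID 0x1a2b on a different source port; line 5 is a query
# that never gets an answer; line 6 is a response for a port that never
# sent a query (what a spoofed or badly late answer looks like).
SAMPLE = """\
1311169606.971987|192.0.2.10|192.0.2.53|51234|53|0x1a2b|0|www.yahoo.com||
1311169606.972226|192.0.2.53|192.0.2.10|53|51234|0x1a2b|1|www.yahoo.com|fp.wg1.b.yahoo.com,any-fp.wa1.b.yahoo.com|198.51.100.7,198.51.100.8
1311169607.100000|192.0.2.10|192.0.2.53|51235|53|0x1a2b|0|mail.example.com||
1311169607.300000|192.0.2.53|192.0.2.10|53|51235|0x1a2b|1|mail.example.com||203.0.113.25
1311169608.000000|192.0.2.10|192.0.2.53|51236|53|0x7777|0|ns.example.net||
1311169609.500000|192.0.2.53|192.0.2.10|53|51299|0xbeef|1|www.yahoo.com||203.0.113.66
"""

FIELDS = ("ts", "src", "dst", "sport", "dport", "id", "is_resp", "qname", "cname", "a")


def parse_line(line):
    """One '|'-separated tshark record -> dict with typed values."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count in %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = float(rec["ts"])
    # Older tshark prints booleans as 0/1, newer ones as False/True; accept both.
    rec["is_resp"] = rec["is_resp"] in ("1", "True")
    # Multi-valued fields arrive joined by the -E aggregator character.
    rec["cname"] = [c for c in rec["cname"].split(",") if c]
    rec["a"] = [a for a in rec["a"].split(",") if a]
    return rec


def query_key(rec):
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"],
            rec["id"].lower(), rec["qname"].lower())


def response_key(rec):
    # A response travels the reverse direction of its query.
    return (rec["dst"], rec["dport"], rec["src"], rec["sport"],
            rec["id"].lower(), rec["qname"].lower())


def correlate(text, window=5.0):
    """Return (matched, unanswered, unsolicited) for the records in text.

    Queries wait in a per-key FIFO; a response claims the oldest query with
    the same key that is at most `window` seconds older than itself.
    """
    pending = collections.defaultdict(collections.deque)
    matched, unanswered, unsolicited = [], [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec["is_resp"]:
            pending[query_key(rec)].append(rec)
            continue
        key = response_key(rec)
        query = None
        while pending[key]:
            cand = pending[key].popleft()
            if 0 <= rec["ts"] - cand["ts"] <= window:
                query = cand
                break
            unanswered.append(cand)  # too old: treat as timed out
        if query is None:
            unsolicited.append(rec)  # no query on that 4-tuple/ID/name
            continue
        matched.append({"qname": query["qname"], "id": query["id"],
                        "client": query["src"], "rtt": rec["ts"] - query["ts"],
                        "cname": rec["cname"], "a": rec["a"]})
    for queue in pending.values():
        unanswered.extend(queue)
    return matched, unanswered, unsolicited


if __name__ == "__main__":
    done, timed_out, stray = correlate(SAMPLE)
    for row in done:
        print("%-18s id=%s client=%s rtt=%.1fms cname=%s a=%s" % (
            row["qname"], row["id"], row["client"], row["rtt"] * 1000,
            ",".join(row["cname"]) or "-", ",".join(row["a"]) or "-"))
    for q in timed_out:
        print("UNANSWERED  %s id=%s from %s:%s" % (q["qname"], q["id"], q["src"], q["sport"]))
    for r in stray:
        print("UNSOLICITED %s id=%s to %s:%s" % (r["qname"], r["id"], r["dst"], r["dport"]))
```

Two caveats worth knowing before building on this. Current Wireshark versions already do the request/response pairing inside the DNS dissector and expose it as `dns.response_to` (frame number of the request) and `dns.time` (the round-trip), so if the query and answer are in the same capture file those two fields can be added with `-e` instead of re-implementing the join; the script above is still useful for live, long-running captures where frame numbers are not a stable database key. And the summary line Eric pasted shows that tshark prints `dns.id` only when you ask for it; in `-T fields` output it comes out as hex (`0x1a2b`), which is why the keys are lower-cased before comparison.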