[Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>]

On Thu, Jan 25, 2018 at 8:30 AM, Vinoth S <weknowth59@xxxxxxxxx> wrote:

Hi Team,

I am working on few exploration using tshark. Please find below command where I am extracting few fields from .pcap file. It has been executed in windows.

tshark.exe -r sample.pcap -E separator=, -E header=y -E occurrence=f -T fields -e frame.time -e frame.time_epoch -e frame.len -e ip.src -e ip.dst -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.flags.rcode -e dns.a "(dns.flags.response==1) and (dns.a)" > sample.csv

I have tried in centos, it's not working. May I know what is an issue in below command.

tshark -r sample.pcap -E separator=, -E header=y -E occurrence=f -T fields -e frame.time -e frame.time_epoch -e frame.len -e ip.src -e ip.dst -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.flags.rcode -e dns.a '(dns.flags.response==1) and (dns.a)' > sample.csv

(dns.flags.response==1) and (dns.a) => dns request has got response and ipv4 address is not empty

If possible, please share equivalent command for centos.

Are you sure you're using the same version of Wireshark on Windows and CentOS?  In particular you should be aware that CentOS tends to lag (far) behind the current release.

(In other words, the behavior you're seeing is quite possibly caused by differences between two versions of Wireshark.)