Hi Team,
I am working on a few explorations using tshark. Please find below the command with which I am extracting a few fields from a .pcap file. It was executed on Windows.
tshark.exe -r sample.pcap -E separator=, -E header=y -E occurrence=f -T fields -e frame.time -e frame.time_epoch -e frame.len -e ip.src -e ip.dst -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.flags.rcode -e dns.a "(dns.flags.response==1) and (dns.a)" > sample.csv
I have tried it on CentOS, but it's not working. May I know what the issue is in the command below?
tshark -r sample.pcap -E separator=, -E header=y -E occurrence=f -T fields -e frame.time -e frame.time_epoch -e frame.len -e ip.src -e ip.dst -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.flags.rcode -e dns.a '(dns.flags.response==1) and (dns.a)' > sample.csv
(dns.flags.response==1) and (dns.a) => the DNS request got a response and the IPv4 address is not empty
If possible, please share an equivalent command for CentOS.
Thanks,
S.Vinoth
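The following is an added example, not part of the post above and not from the Wireshark project, showing one way to run the same field export from Python so that the identical code works on Windows and CentOS, and to parse the resulting CSV. It assumes Python 3 and, for run_export() only, a tshark binary on PATH that is version 1.10 or later (the -Y option; older builds accept the display filter only as the trailing positional argument used in the post). Two details it demonstrates that the post's command does not handle: the filter is passed as an argv list, so no shell quoting is needed on either platform, and -E quote=d is added because frame.time renders as e.g. "Mar  5, 2019 10:12:34.123456000 IST", whose embedded comma otherwise shifts every later column when the separator is a comma. SAMPLE_OUTPUT is constructed by hand to look like tshark's output with those options; it was not captured from a real pcap, and all names and addresses in it are placeholders.

```python
"""Field export from a pcap with tshark, plus a parser for its CSV output.

Added example, not from the original post.  Assumes Python 3 and, for
run_export() only, a tshark binary on PATH (tshark 1.10 or later for -Y).
SAMPLE_OUTPUT below is constructed by hand, not captured from a real pcap.
"""
import csv
import io
import subprocess
from typing import Dict, List, Set

FIELDS = [
    "frame.time", "frame.time_epoch", "frame.len", "ip.src", "ip.dst",
    "dns.resp.name", "dns.resp.type", "dns.resp.class",
    "dns.flags.rcode", "dns.a",
]
# Same filter as the post: response frames that carry at least one A record.
DISPLAY_FILTER = "(dns.flags.response==1) and (dns.a)"


def build_tshark_argv(pcap: str, fields: List[str], display_filter: str,
                      tshark: str = "tshark") -> List[str]:
    """Return the tshark command as an argv list.

    Passing a list to subprocess means the filter needs no shell quoting,
    so the same code works on Windows and Linux.  -Y gives the display
    filter explicitly instead of as a trailing positional argument, and
    -E quote=d wraps every field in double quotes: frame.time renders as
    e.g. 'Mar  5, 2019 10:12:34.123456000 IST', and without quoting that
    embedded comma shifts every later column in the CSV.
    """
    argv = [tshark, "-r", pcap, "-T", "fields",
            "-E", "separator=,", "-E", "quote=d", "-E", "header=y",
            "-E", "occurrence=f", "-Y", display_filter]
    for field in fields:
        argv += ["-e", field]
    return argv


def parse_fields_csv(text: str) -> List[Dict[str, str]]:
    """Parse the header + rows produced with -E header=y -E quote=d."""
    reader = csv.DictReader(io.StringIO(text), delimiter=",", quotechar='"')
    return [dict(row) for row in reader]


def answers_by_name(rows: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map each answered name to the set of IPv4 addresses seen for it."""
    result: Dict[str, Set[str]] = {}
    for row in rows:
        if row.get("dns.a"):  # skip rows where the field came out empty
            result.setdefault(row["dns.resp.name"], set()).add(row["dns.a"])
    return result


def run_export(pcap: str, csv_path: str, tshark: str = "tshark") -> List[Dict[str, str]]:
    """Run tshark, write its CSV to csv_path, and return the parsed rows."""
    argv = build_tshark_argv(pcap, FIELDS, DISPLAY_FILTER, tshark)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    with open(csv_path, "w", newline="") as fh:
        fh.write(proc.stdout)
    return parse_fields_csv(proc.stdout)


# Constructed sample of what tshark prints with the options above
# (placeholder names and documentation-range addresses).
SAMPLE_OUTPUT = (
    "frame.time,frame.time_epoch,frame.len,ip.src,ip.dst,dns.resp.name,"
    "dns.resp.type,dns.resp.class,dns.flags.rcode,dns.a\n"
    '"Mar  5, 2019 10:12:34.123456000 IST","1551760954.123456000","98",'
    '"10.0.0.53","10.0.0.21","example.com","1","1","0","203.0.113.10"\n'
    '"Mar  5, 2019 10:12:35.200000000 IST","1551760955.200000000","102",'
    '"10.0.0.53","10.0.0.21","cdn.example.net","1","1","0","198.51.100.7"\n'
    '"Mar  5, 2019 10:13:01.000000000 IST","1551760981.000000000","102",'
    '"10.0.0.53","10.0.0.22","cdn.example.net","1","1","0","198.51.100.8"\n'
)

if __name__ == "__main__":
    for name, addrs in answers_by_name(parse_fields_csv(SAMPLE_OUTPUT)).items():
        print(name, sorted(addrs))
```

To produce the post's sample.csv, call run_export("sample.pcap", "sample.csv") on a machine with tshark installed; if the comma in frame.time is a problem for downstream tools even with quoting, switching to -E separator=/t or dropping frame.time in favour of frame.time_epoch avoids it entirely.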