 | 1 | initial version |
Sorry for mis-reading your question, I now see it's querying the discrepancy between Wireshark and tshark representations.
Are you adding -2 to tshark to enable 2-pass processing? The output might depend on where the dns block is being stored in the pcapng.
