So the question is: "why is the output of TShark different from Wireshark?"
There are a few possibilities. One that is most overlooked is that TShark uses the "Default" profile, unless you provide a configuration profile with the -C option. So when the profile used in Wireshark is different, the output can also be different.
Another way is to provide the settings you rely on, on the command line, for example -o nameres.network_name:TRUE or -NdNn.
The environment used to run Wireshark can also be different from TShark. Can you confirm that DNS resolving is working from the command line where TShark is used? Are commands like nslookup or dig working from this command line?
I needed -NNn to make it work, but with -NdNn captured DNS responses are also used. For example:
tshark -r file.pcapng -NdNn -T fields -e _ws.col.def_src -e _ws.col.def_dst -e ip.src -e ip.src_host -e ipv6.src_host -e ipv6.dst_host ...