So the question is: "why is the output of TShark different from Wireshark?"

There are a few possibilities. One that is most overlooked is that TShark uses the "Default" profile, unless you provide a configuration profile with the -C option. So when the profile used in Wireshark is different, the output can also be different.
Another way is to provide the settings you rely on on the command line, for example -o nameres.network_name:TRUE or -NdNn.

The environment used to run Wireshark can also be different from TShark. Can you confirm that DNS resolving is working from the command line where TShark is used? Are commands like nslookup or dig working from this command line?

I needed -NNn to make it work, but with -NdNn captured DNS responses are also used. For example:

tshark -r file.pcapng -NdNn -T fields -e _ws.col.def_src -e _ws.col.def_dst -e ip.src -e ip.src_host -e ipv6.src_host -e ipv6.dst_host ...
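An added example (not part of the original answer) for the first cause named above, a profile mismatch: a POSIX shell script that lists the preference lines that differ between two Wireshark profile directories and turns a profile's settings into -o options for TShark. It assumes the personal configuration lives under $HOME/.config/wireshark, with named profiles in profiles/<name>/preferences (adjust WS_CONFIG for your platform); the profile names and values in the comments are constructed.

```shell
#!/bin/sh
# Show why TShark (Default profile) and Wireshark (some named profile) disagree:
# list the preference lines that differ between the two profile directories.
# Assumed layout: $WS_CONFIG/preferences is the Default profile,
# $WS_CONFIG/profiles/<name>/preferences is a named profile.
WS_CONFIG="${WS_CONFIG:-$HOME/.config/wireshark}"

# Print the active "key: value" lines of a preferences file, sorted,
# dropping comments and blank lines. A missing file yields no lines.
prefs_active() {
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | LC_ALL=C sort
}

# Usage: profile_diff <dir_a> <dir_b>
# Lines only in (or different in) dir_a are prefixed "< ", those of dir_b "> ".
# Settings that are identical in both profiles are not printed.
profile_diff() {
    a=$(mktemp); b=$(mktemp)
    prefs_active "$1/preferences" > "$a"
    prefs_active "$2/preferences" > "$b"
    # comm -3 keeps only lines unique to one side; file-2 lines carry a leading tab
    LC_ALL=C comm -3 "$a" "$b" |
        awk '/^\t/ {print "> " substr($0, 2); next} {print "< " $0}'
    rm -f "$a" "$b"
}

# Usage: prefs_to_opts <dir>
# Turn every active preference of a profile into a TShark "-o key:value"
# option, so the same values can be passed explicitly instead of via -C.
# Values containing spaces or quotes must be quoted when put on a command line.
prefs_to_opts() {
    prefs_active "$1/preferences" | sed 's/^\([^:]*\): */-o \1:/'
}

# Example invocation (constructed profile name "Analyst"):
#   profile_diff "$WS_CONFIG" "$WS_CONFIG/profiles/Analyst"
#   prefs_to_opts "$WS_CONFIG/profiles/Analyst"
```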