Hello, I am attempting to use tshark to collect DNS answers. Below is the command I am using:

tshark -e frame.time -e dns.resp.name -e dns.resp.addr -e dns.resp.ttl -e dns.resp.type -e dns.resp.primaryname -E separator=/t -T fields -nl -i eth1 -f "port 53" -R "dns && dns.count.answers != 0 && dns.flags.response == 1"

This works fine for DNS responses that contain IPv4 addresses, but fails to return IPv6 addresses. Unfortunately, after going through the documentation and possible filters, it doesn't appear as though IPv6 is supported. Am I doing something incorrectly here or is this simply not currently supported? If it isn't supported, does anyone have any ideas for a solution or alternative? Thanks in advance for any help.

asked 10 Sep '12, 10:17 joebasey
One Answer:
AAAA answers are not accessible through the dns.xxx fields. They are however accessible through the Unfortunately, the output of
Regards

answered 10 Sep '12, 10:42 Kurt Knochner ♦ edited 10 Sep '12, 17:46 Guy Harris ♦♦
...to which the answer is "because nobody's bothered giving them named fields". That's not a feature; bug 7709 speaks of "[making fields] filterable", so perhaps that's one thing Alexis will be fixing.
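
One alternative for collecting both A and AAAA answers from captured DNS responses, as an added example that is not part of the original thread: a small Python parser for the DNS wire format that handles name compression. The function names and the sample response bytes are constructed for illustration, and extracting the UDP payloads from a capture is assumed to happen elsewhere.

```python
import ipaddress
import struct

def read_name(msg, off, depth=0):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer, RFC 1035 4.1.4
            if depth > 10:                   # guard against pointer loops
                raise ValueError("compression pointer loop")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            labels.append(read_name(msg, ptr, depth + 1)[0])
            return ".".join(l for l in labels if l), off + 2
        off += 1
        if length == 0:                      # root label ends the name
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def dns_answers(msg):
    """Return (name, type, ttl, address) for every A/AAAA answer in a response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:                   # QR bit clear: a query, not a response
        return []
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rdlen) in ((1, 4), (28, 16)):   # A or AAAA with a sane length
            kind = "A" if rtype == 1 else "AAAA"
            out.append((name, kind, ttl, str(ipaddress.ip_address(rdata))))
    return out

# Constructed sample: a response for example.com carrying one A and one AAAA record.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!HH", 255, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
          + b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 60, 16)
          + ipaddress.ip_address("2001:db8::1").packed)

if __name__ == "__main__":
    for record in dns_answers(SAMPLE):
        print("\t".join(str(field) for field in record))
```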