This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark conversation statistic not resolving hostnames

0

Executing the -z conv,ip command does not display the hostnames (like in wireshark). This happens on Fedora 17 and Windows 7. I execute the command, and after a bit of traffic was monitored, I stop tshark with Ctrl-C. After this the conversation table is printed.

Linux:

  • command: tshark -i 1 -N n -f "tcp or udp" -z conv,ip
  • OS: Fedora 17 x86
  • tshark version: 1.6.12
  • Solutions tried:
      • Omitting -N
      • Using -N C

Windows:

  • command: tshark -i 2 -f "tcp or udp" -z conv,ip
  • OS: Windows 7 x64
  • tshark version: 1.8.4
  • Solutions tried:
      • Omitting -N
      • Using -N C
      • Using -N n causes tshark to error out: (tshark.exe:9692): CaptureChild-WARNING **: signal_pipe_capquit_to_child: 4 header: error Invalid argument

How do I make tshark -z conv,ip display resolved hostnames?

asked 16 Jan '13, 12:33


Daniel K
1113
accept rate: 100%

edited 16 Jan '13, 12:35


One Answer:

0

Having tshark show resolved hostnames in the conversation statistic does not appear to be possible.

An alternative is to execute the following commands:

tshark -i 1 -N n -T fields -e ip.host -E separator=, -f "tcp or udp" -l > tshark_buffer

sort -u tshark_buffer -o tshark_buffer

Where the first command dumps packet information into a file named tshark_buffer, and the second command eliminates duplicate entries. The packet information is stored in the form host1,host2 on each line. However, the duplicate elimination will not catch entries with the hosts reversed (i.e. host2,host1).

answered 01 Feb '13, 06:39


Daniel K
1113
accept rate: 100%
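The answer above notes that sort -u does not merge reversed entries (host2,host1). The following is an added example, not part of the original answer: it puts each pair into a canonical order before de-duplicating, and goes slightly beyond the answer by also counting lines per pair when run on the raw file before sort -u. The function name unique_pairs and the sample hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: collapse "host1,host2" and "host2,host1" lines into one
# unordered pair, with a count of how many lines matched each pair.
# Input is the host1,host2 file produced by the tshark command above.

unique_pairs() {
    # $1: path to a file with one "host1,host2" entry per line
    awk -F, '
        # Skip lines without two hosts (e.g. packets with no ip.host value).
        NF < 2 || $1 == "" || $2 == "" { next }
        {
            a = $1; b = $2
            # Force string comparison, then order the pair canonically so
            # both directions of a conversation map to the same key.
            if ((a "") > (b "")) { t = a; a = b; b = t }
            count[a "," b]++
        }
        END { for (k in count) print k "," count[k] }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample input (not taken from a real capture).
sample=$(mktemp)
printf '%s\n' \
    'alpha.example,beta.example' \
    'beta.example,alpha.example' \
    '' \
    '10.0.0.5,alpha.example' > "$sample"
unique_pairs "$sample"
rm -f "$sample"
```

Each output line has the form hostA,hostB,count, with the two hosts in sorted order regardless of the direction seen on the wire.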