
tshark output refining


Hello,

I'm using this command to see DNS requests:

tshark -pni fxp0 -f 'dst port 53' -T fields -e dns.qry.name

And the output looks like this:

livejournal.com
1 www.youtube.com
apis.google.com
platform.twitter.com
connect.facebook.net
5 cnt.sup.com
6 l-api.livejournal.com
l-stat.livejournal.net

I don't understand where those numbers come from (1, 5, 6). And how can I suppress them?

asked 06 Apr '14, 02:04

tesuto


One Answer:


Those numbers are the packet counts.

Which version of Wireshark are you using? Because this was fixed with Guy's r51227 (or r51227) commit on August 9, 2013. It doesn't appear that that fix was backported to the 1.10 trunk, so you would need to either:

  • Use a development version of Wireshark released after that date, such as 1.11.2 released on November 18, 2013 (which is incorrectly indicated as being the 1.11.0 release, but 1.11.0 was released on October 15, 2013. Incidentally, 1.11.1 released on November 15, 2013 is also incorrectly indicated as 1.11.0)
  • Download and run a recent automated build.
  • Download the Wireshark source code and build your own version with the fix. See http://www.wireshark.org/develop.html.
  • Submit a bug report asking for this fix to be backported to the 1.10 branch (if that's what you're running and want to continue to run it) and then wait for the next 1.10 release with the fix.

answered 07 Apr '14, 09:19

cmaynard ♦♦
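For anyone stuck on an affected 1.10.x build, the stray packet counters can be stripped before the names are used for monitoring. This is an added example, not part of the answer above or of Wireshark; the sample lines are constructed to mirror the output shown in the question, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the answer): on affected tshark 1.10.x builds, some
# lines of `-T fields -e dns.qry.name` output carry a leading packet count,
# e.g. "6 l-api.livejournal.com". Query names never contain whitespace, so a
# leading run of digits followed by whitespace can only be that counter.

# Remove the packet-count prefix, leaving one query name per line.
strip_packet_count() {
    sed -E 's/^[0-9]+[[:space:]]+//'
}

# Aggregate cleaned names into "<count> <name>" lines, most frequent first,
# the usual first step when watching DNS queries for unexpected destinations.
tally_qnames() {
    strip_packet_count | sort | uniq -c | sort -rn
}

# Constructed sample modelled on the output in the question; the repeated
# youtube entry is added so the tally has something to aggregate.
SAMPLE='livejournal.com
1 www.youtube.com
apis.google.com
6 l-api.livejournal.com
12 www.youtube.com'

# Helpers that run the pipeline over the sample (used by the checks below).
clean_sample() {
    printf '%s\n' "$SAMPLE" | strip_packet_count
}

top_sample_name() {
    printf '%s\n' "$SAMPLE" | tally_qnames | head -n 1 | awk '{print $2}'
}

# Live use on the capture interface from the question (fxp0, assumed):
#   tshark -pni fxp0 -f 'dst port 53' -T fields -e dns.qry.name | tally_qnames
```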

Thanks for your reply! I'm using Wireshark 1.10.5. Looks like I have to wait until the 1.11 version is available in FreeBSD ports.

(07 Apr '14, 09:37) tesuto