This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark DNS request sequence numbers (?)

0

Hi everyone,

I am running tshark on a WAP to make various analyses of my clients' traffic. One of the things I do is monitor all DNS requests to find out which hosts the clients want to access. All I basically want for further processing (in Python) is the source MAC and DNS name of every query, so i came up with the following command...

tshark -n -T fields -e eth.src -e dns.qry.name -f "port 53" -i wlan0

...and it's working, basically, but some of the tshark output lines start with some kind of sequence number, like this:

c4:43:8f:c5:60:5c i.instagram.com
1 c4:43:8f:c5:60:5c telegraph-ash.instagram.com
c0:4a:00:10:0b:56 telegraph-ash.instagram.com
c0:4a:00:10:0b:56 i.instagram.com
4 c4:43:8f:c5:60:5c dict.leo.org
c0:4a:00:10:0b:56 dict.leo.org

What are those and how can I get rid of them? As I said, I'm only interested in who asks for which address to resolve.

Thanks in advance for any help.

asked 30 Apr '15, 09:51

teenious's gravatar image

teenious
11114
accept rate: 0%

tshark version and host OS?

(30 Apr '15, 10:06) grahamb ♦

It's tshark 1.10.6 on xubuntu 14.04

(30 Apr '15, 10:10) teenious

One Answer:

1

That's the packet count number. See the answer to a similar question.

https://ask.wireshark.org/questions/31564/tshark-output-refining

Regards
Kurt

answered 30 Apr '15, 12:07

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thank you very much, Kurt, upgrading tshark solved my problem. I'm a bit embarrassed I didn't stumble upon the other thread myself, but then again, my searches for "packet number" and "sequence number" didn't yield a lot of useful results...

(01 May '15, 10:13) teenious