This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cannot use `whois` with `tshark`


I am unable to get the orgname or whois output with tshark.

The commands

  1. tshark -lq -T fields -e whois.answer
  2. tshark -lq -T fields -e ip.geoip.src_org

give me empty lines.

Why is it so?

asked 08 Oct '16, 10:03


user31415

Are you attempting to run tshark on a previous capture or a live capture as you don't seem to be providing either a file to read or an interface to capture on? By default, with no file or interface specified, tshark will attempt to capture on some interface which may not be what you intend.

In either case, are you sure the file or live capture traffic contains the fields of interest?

(08 Oct '16, 10:46) grahamb ♦

Can you provide an example that works for you? I tried tshark -i wlp3s0 -lq -T fields -e ip.dst -w output then tshark -lq -T fields -e whois.answer -r output. I only have blank lines. Same thing for any whois fields listed in tshark -G.

(09 Oct '16, 03:26) user31415

It can also be linked to my OS; I am using Ubuntu 16.04.

(09 Oct '16, 03:33) user31415

Are you sure you have whois traffic in your capture? If I capture whois traffic then the field whois.answer produces the expected results.

To get results from the ip.geoip.src_org field you must also have configured geoip lookups in the Wireshark preferences (i.e. downloaded a database).

Try loading your capture in Wireshark and using a display filter of "whois" to see if you do have whois traffic.

(09 Oct '16, 04:30) grahamb ♦
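The check suggested above, scripted, as an added example that is not part of the original thread: read an existing capture file with -r, confirm it actually contains whois traffic (TCP port 43) with the display filter "whois" before extracting whois.answer, and report clearly when it does not. It assumes tshark is installed and that the capture path passed in exists.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes tshark is on PATH
# and that "$1" is an existing pcap/pcapng file.

# Count packets in a capture file that match a display filter.
# Reading from a file with -r avoids the default behaviour of tshark,
# which is to start a live capture when neither -r nor -i is given.
count_matching() {
    capture="$1"
    filter="$2"
    tshark -r "$capture" -Y "$filter" -T fields -e frame.number 2>/dev/null \
        | wc -l | tr -d ' '
}

# Print source address and whois answer for every whois packet, but only
# after confirming the capture has whois traffic at all. An empty field
# column from "-e whois.answer" is expected whenever no packet was
# dissected as whois, so the check explains the empty output rather than
# leaving the reader guessing.
extract_whois_answers() {
    capture="$1"
    n=$(count_matching "$capture" whois)
    if [ "$n" -eq 0 ]; then
        echo "no whois traffic (TCP port 43) in $capture; whois.answer will be empty" >&2
        return 1
    fi
    echo "$n whois packet(s) found in $capture" >&2
    tshark -r "$capture" -Y whois -T fields -e ip.src -e whois.answer
}

# Usage: ./check_whois.sh capture.pcap
if [ -n "$1" ]; then
    extract_whois_answers "$1"
fi
```

The same pattern applies to ip.geoip.src_org: run count_matching with the filter "ip.geoip.src_org" and a zero result means the GeoIP database is not configured, not that the field option is wrong.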