I'm testing tshark 1.10.14 on CentOS 7.2.1511 and tshark 1.0.15 on CentOS 5.11. I'd like to save mysql.user, ip.src and mysql.query over a range of 10 minutes or more.
I arrived at these test commands:
I'm able to capture mysql.user with these commands:
The second configuration captures different records: records with only mysql.user and ip.src, and records with ip.src and mysql.query. @Jaap and @sindy confirmed that only with an ad hoc script can I create a unique line with all three fields.
Can the second configuration be improved?
asked 24 Oct '16, 09:38
edited 26 Oct '16, 01:34
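
One way to write the ad hoc script mentioned in the question, given here as an added example that is not part of the original post or of tshark. It assumes the capture was exported as tab-separated lines with the columns ip.src, mysql.user, mysql.query in that order (the sample lines are constructed), and it joins on ip.src because that is the only field both record types share, so different users behind one address are conflated.

```python
import io
import sys

# Constructed sample: tab-separated ip.src, mysql.user, mysql.query.
# Login records carry a user and no query; query records carry no user.
SAMPLE = (
    "10.0.0.5\tappuser\t\n"
    "10.0.0.5\t\tSELECT * FROM orders\n"
    "10.0.0.9\treport\t\n"
    "10.0.0.5\t\tUPDATE orders SET paid=1\n"
    "10.0.0.9\t\tSELECT count(*) FROM users\n"
    "10.0.0.7\t\tSHOW TABLES\n"
)


def merge_records(lines):
    """Yield (ip_src, user, query) for every record that has a query.

    The user is the most recent mysql.user seen from the same ip.src.
    Queries from an address whose login was not captured get "-".
    """
    last_user = {}  # ip.src -> last user name seen in a login record
    for line in lines:
        # Split on the first two tabs only, so tabs inside a query survive.
        parts = line.rstrip("\r\n").split("\t", 2)
        parts += [""] * (3 - len(parts))
        ip_src, user, query = (p.strip() for p in parts)
        if not ip_src:
            continue  # not an IP packet or an empty line
        if user:
            last_user[ip_src] = user
        if query:
            yield ip_src, last_user.get(ip_src, "-"), query


def merged_lines(text):
    """Return the merged records of a whole capture as tab-joined lines."""
    return ["\t".join(rec) for rec in merge_records(io.StringIO(text))]


if __name__ == "__main__":
    # Read piped field output if present, otherwise run on the sample.
    source = io.StringIO(SAMPLE) if sys.stdin.isatty() else sys.stdin
    for record in merge_records(source):
        print("\t".join(record))
```
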