I am trying to run this command "tshark -r /root/Desktop/a.pcap -T fields -e "dns.count.answers>3"", however I always see: " (process:2009): WARNING : 'dns.count.answers>3' isn't a valid field! tshark: Some fields aren't valid"
Do you have any idea how I can see "dns.count.answers>3" in tshark and then output it as a CSV file?
Thank you very much.
asked 27 Jul '17, 05:43
edited 27 Jul '17, 05:45
I think you aren't using -e correctly. If you look for a field having certain values, use a filter (with "-Y"), and -e without the operator, like this:
answered 27 Jul '17, 05:52
You have mixed together two things - a display filter and a list of fields. The correct way to achieve your goal would be to write
answered 27 Jul '17, 05:59
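The split both answers describe (comparison in a display filter with -Y, bare field names with -e), as an added example that is not part of the original posts. The wrapper name dns_csv, the TSHARK override variable, the script and output file names, and the extra fields frame.number, ip.src and dns.qry.name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). -Y carries the comparison,
# -e carries bare field names; the wrapper refuses to mix them.
# TSHARK is a hypothetical override for the tshark binary path.

# Fail if a -e argument is empty or contains an operator or a space,
# e.g. the question's -e "dns.count.answers>3".
check_field() {
  case "$1" in
    ''|*'<'*|*'>'*|*'='*|*'!'*|*'&'*|*'|'*|*' '*)
      echo "'$1' is not a field name; put comparisons in -Y" >&2
      return 1 ;;
  esac
}

# dns_csv PCAP DISPLAY_FILTER FIELD...  -> CSV on stdout
dns_csv() {
  if [ "$#" -lt 3 ]; then
    echo "usage: dns_csv PCAP DISPLAY_FILTER FIELD..." >&2
    return 2
  fi
  pcap=$1; filter=$2; shift 2
  for f in "$@"; do
    check_field "$f" || return 1
  done
  # Rewrite argv from "f1 f2 ..." to "-e f1 -e f2 ...".
  n=$#
  while [ "$n" -gt 0 ]; do
    set -- "$@" -e "$1"
    shift
    n=$((n - 1))
  done
  # header=y adds a column header row, quote=d double-quotes each value.
  "${TSHARK:-tshark}" -r "$pcap" -Y "$filter" -T fields "$@" \
    -E header=y -E separator=, -E quote=d
}

# Run only when called with arguments, e.g.:
#   sh dns_csv.sh /root/Desktop/a.pcap 'dns.count.answers > 3' \
#      frame.number ip.src dns.qry.name dns.count.answers > answers.csv
if [ "$#" -ge 3 ]; then
  dns_csv "$@"
fi
```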