
using tshark with timestamp and flags


I am trying to use tshark with a few flags and also get a timestamp for each filtered trace. I am using this to filter all the DNS queries on my system. I am not able to get the timestamps working along with the filters. For instance, if I try something like

tshark -t ad -n -T fields -e ip.src -e dns.qry.name -f 'dst port 53' -Y "dns.flags.response eq 0"

I get the output as I want

192.168.1.3 clientservices.googleapis.com
192.168.1.3 play.google.com
192.168.1.3 play.google.com

I get the timestamp with

 tshark -t ad 
    1 2018-09-02 21:12:20.536204429 61.223.125.209 → 192.168.1.3  UDP 174 12929 → 51465 Len=132
    2 2018-09-02 21:12:20.536355008  192.168.1.3 → 61.223.125.209 UDP 126 51465 → 12929 Len=84
    3 2018-09-02 21:12:20.599264715  192.168.1.3 → 176.31.225.118 TCP 54 45942 → 80 [FIN, ACK] Seq=1 Ack=1 Win=30016 Len=0

However I am not able to get both working together. Though the command runs it just outputs without the timestamp.

tshark -t ad -T fields -e ip.src -e dns.qry.name -Y "dns.flags.response eq 0"
  192.168.1.3 captive.apple.com
  192.168.1.3 myip.opendns.com
  192.168.1.3 ipv4.icanhazip.com
  192.168.1.3 slack.com

Any pointers that could help in this regard? I am using tshark version 2.2.6 on Debian 9.


Solution

  • In your command, -t ad has no effect because -T fields overrides the output format. You'll need to display the timestamp as a new field in your fields format, using -e frame.time:

    $ tshark -n -T fields -e frame.time -e ip.src -e dns.qry.name -f 'dst port 53' -Y "dns.flags.response eq 0"
    Capturing on 'eno1'
    Sep  3, 2018 15:49:46.354055274 CEST    10.0.0.1    google.co.uk
    Sep  3, 2018 15:49:52.034315960 CEST    10.0.0.1    google.jp
    Sep  3, 2018 15:49:54.561493702 CEST    10.0.0.1    google.cn
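Once the timestamp is emitted as a field, the tab-separated output is easy to post-process, which is usually the point of logging DNS queries in the first place. The following Python script is an added example, not code from the question or the answer: it parses the tab-separated lines that `tshark -T fields -e frame.time -e ip.src -e dns.qry.name` produces (the default field separator is a tab), handles both the human-readable `frame.time` format shown in the answer and the machine-friendly `frame.time_epoch` field, and counts queries per source host. The sample lines are constructed from the answer's output (the epoch line is a constructed equivalent of the first one in UTC); the function names are my own.

```python
"""Parse `tshark -T fields` DNS query output into timestamped records.

Expected field order per line (tab separated):
    <frame.time or frame.time_epoch>  <ip.src>  <dns.qry.name>

Added example; not part of the original question or answer.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: the three lines from the answer (frame.time format)
# plus a line of the same query using frame.time_epoch (UTC). The
# "Capturing on" status line is kept to show that non-record lines are skipped.
SAMPLE_OUTPUT = (
    "Capturing on 'eno1'\n"
    "Sep  3, 2018 15:49:46.354055274 CEST\t10.0.0.1\tgoogle.co.uk\n"
    "Sep  3, 2018 15:49:52.034315960 CEST\t10.0.0.1\tgoogle.jp\n"
    "Sep  3, 2018 15:49:54.561493702 CEST\t10.0.0.1\tgoogle.cn\n"
    "1535982586.354055274\t10.0.0.1\tgoogle.co.uk\n"
)

_EPOCH_RE = re.compile(r"^\d+(\.\d+)?$")


@dataclass(frozen=True)
class DnsQuery:
    ts: datetime   # naive for frame.time (zone name dropped), UTC-aware for epoch
    src: str
    qname: str


def _truncate_fraction(frac: str) -> int:
    """tshark prints nanoseconds; datetime only holds microseconds."""
    return int(frac[:6].ljust(6, "0"))


def parse_frame_time(text: str) -> datetime:
    """Parse 'Sep  3, 2018 15:49:46.354055274 CEST' (frame.time format).

    The trailing zone abbreviation is dropped because abbreviations such as
    CEST are ambiguous; use frame.time_epoch when you need an absolute time.
    """
    parts = text.strip().split()
    if len(parts) == 5:          # ['Sep', '3,', '2018', '15:49:46.354055274', 'CEST']
        parts = parts[:4]
    head = " ".join(parts)
    base, frac = head.rsplit(".", 1)
    stamp = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return stamp.replace(microsecond=_truncate_fraction(frac))


def parse_epoch(text: str) -> datetime:
    """Parse '1535982586.354055274' (frame.time_epoch format) as UTC."""
    secs, _, frac = text.strip().partition(".")
    stamp = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return stamp.replace(microsecond=_truncate_fraction(frac) if frac else 0)


def parse_fields_output(text: str) -> list[DnsQuery]:
    """Turn raw tshark fields output into DnsQuery records, skipping noise."""
    records: list[DnsQuery] = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or not all(fields[:3]):
            continue             # status line, or a packet with an empty field
        ts_text, src, qname = fields[0], fields[1], fields[2]
        ts = parse_epoch(ts_text) if _EPOCH_RE.match(ts_text) else parse_frame_time(ts_text)
        records.append(DnsQuery(ts=ts, src=src, qname=qname))
    return records


def queries_per_source(records: list[DnsQuery]) -> dict[str, int]:
    """Count DNS queries per source address; a first step toward rate checks."""
    return dict(Counter(r.src for r in records))


if __name__ == "__main__":
    recs = parse_fields_output(SAMPLE_OUTPUT)
    for r in recs:
        print(r.ts.isoformat(), r.src, r.qname)
    print(queries_per_source(recs))
```

To feed live data instead of the sample, pipe the answer's command into the script (for example `tshark -n -T fields -e frame.time_epoch -e ip.src -e dns.qry.name -f 'dst port 53' -Y "dns.flags.response eq 0" | python3 parse_dns.py` with the script reading `sys.stdin.read()` in place of `SAMPLE_OUTPUT`). Prefer `frame.time_epoch` for anything that will be correlated with other logs: it is unambiguous and sorts correctly, whereas the `frame.time` string carries only a zone abbreviation.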