TSHARK does't accept filters when reading from files, so I combinates tshark with tcpdump.
tcpdump -r something.pcap udp and port 53 -w - | tshark -r - -V | less
you know that tshark filter expression is storonger than tcpdump's.
なんだかなぁ(no way)
By the way,
On a server of mine in internet , in half of days captured pcaps,
I watched INVITATION FOR COOPERATIVE ATTACK(?), ( or just scanning).
The values that X indicates is my address , its unique.
Same of Y is others address, some IP values are counted .
15:35:23.621063 IP Y.Y.Y.Y.39760 > X.X.X.X.53: 61442+ [1au] ANY? com. (32)
0x0000: 4500 003c d431 0000 f011 df80 YYYY YYYY E..<.1.......^o.
0x0010: XXXX XXXX 9b50 0035 0028 d91a f002 0100 ..\..P.5.(......
0x0020: 0001 0000 0000 0001 0363 6f6d 0000 ff00 .........com....
0x0030: 0100 0029 1000 0000 0000 0000 ...)........
16:03:59.663147 IP Y.Y.Y.Y.61354 > X.X.X.X.389: UDP, length 52
0x0000: 4500 0050 25de 4000 3011 85da YYYY YYYY E..P%.@.0....i..
0x0010: XXXX XXXX efaa 0185 003c 03e0 3084 0000 ..\......<..0...
0x0020: 002d 0201 0163 8400 0000 2404 000a 0100 .-...c....$.....
0x0030: 0a01 0002 0100 0201 0001 0100 870b 6f62 ..............ob
0x0040: 6a65 6374 636c 6173 7330 8400 0000 0000 jectclass0......
05:17:40.340904 IP Y.Y.Y.Y.38896 > X.X.X.X.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
0x0000: 4500 0047 d431 0000 ea11 2fe3 YYYY YYYY E..G.1..../.4I..
0x0010: XXXX XXXX 97f0 00a1 0033 0000 3029 0201 ..\......3..0)..
0x0020: 0104 0670 7562 6c69 63a0 1c02 040c d8a2 ...public.......
0x0030: 6302 0100 0201 0030 0e30 0c06 082b 0601 c......0.0...+..
0x0040: 0201 0101 0005 00
08:45:00.966687 IP Y.Y.Y.Y.49139 > X.X.X.X.1900: UDP, length 91
0x0000: 4500 0077 0000 4000 3211 aa77 YYYY YYYY E..w..@.2..w....
0x0010: XXXX XXXX bff3 076c 0063 d96f 4d2d 5345 ..\....l.c.oM-SE
0x0020: 4152 4348 202a 2048 5454 502f 312e 310d ARCH.*.HTTP/1.1.
0x0030: 0a48 6f73 743a 3233 392e 3235 352e 3235 .Host:239.255.25
0x0040: 352e 3235 303a 3139 3030 0d0a 5354 3a73 5.250:1900..ST:s
0x0050: 7364 703a 616c 6c0d 0a4d 616e 3a22 7373 sdp:all..Man:"ss
0x0060: 6470 3a64 6973 636f 7665 7222 0d0a 4d58 dp:discover"..MX
0x0070: 3a33 0d0a 0d0a 00I beleaved all of ip address are masked:-p
