This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capturing clients talking to my dns server

0

Can you show me a filter i can use to see who is looking at my server for DNS resolution. I have used tcp.port == 53 but need a more refined filter showing clients talking to the DNS server only.

asked 27 Apr '12, 11:10

bilweiser's gravatar image

bilweiser
1111
accept rate: 0%

3 Answers:

0

How about "ip.addr == 192.168.1.1 && tcp.port == 53" but substitute the address of your DNS server in place of 192.168.1.1.

answered 27 Apr '12, 12:32

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

0

If you're looking for a capture filter, then something like this may narrow it down (assuming standard UDP to port 53 for DNS):

"(dst host 192.168.1.1 and udp dst port 53) or (src host 192.168.1.1 and udp src port 53)"

If it's a display filter, then something like this:

(ip.dst==192.168.1.1 && udp.dstport==53)||(ip.src==10.4.0.249&&udp.srcport==53)

answered 30 Apr '12, 09:00

rickg421's gravatar image

rickg421
161
accept rate: 0%

0

tshark -n port 53 and dst 192.168.30.2

0.000000 192.168.30.148 -> 192.168.30.2 DNS Standard query A www.leo.org

Replace 192.168.30.2 with the ip address of your DNS server.

Alternatively: tshark -n -T text -E 'separator=;' -Tfields -e ip.src -e dns.qry.name port 53 and dst 192.168.30.2

192.168.30.148;www.leo.org

Regards
Kurt

answered 30 Apr '12, 09:32

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 30 Apr '12, 13:23