I am trying to extract the IP addresses from a standard DNS query response using "-e dns.resp.addr". Unfortunately, I also get the IP addresses from the "additional records" section because the field name is the same: "dns.resp.addr"
Instead, I also get the ip addresses of their four nameservers.
I used the display filter reference for dns but couldn’t find a solution: http://www.wireshark.org/docs/dfref/d/dns.html
Is there a way to extract the addresses from the answer section only?
asked 04 Sep '12, 07:00
Try also specifying
answered 04 Sep '12, 09:38
Unfortunately that is not possible with tshark field extraction, as the fields in the additional records are also accessed by dns.resp.name and/or dns.resp.addr.
What you can do is this:
This will print the DNS packets in full detail, like this one:
Then you extract only the required information from that output (addrs in the Answers section) with a script. Use your preferred language for that (perl/python/lua/ruby).
answered 10 Sep '12, 04:19
Kurt Knochner ♦
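One way to do the post-processing step the answer above suggests, as an added example that is not part of the original thread or of Wireshark itself. It assumes the verbose output layout of `tshark -V` (a "Domain Name System" layer at indent 0, the Queries / Answers / Authoritative nameservers / Additional records sections one level below it, and a per-record summary line of the form "name: type A, class IN, addr x.x.x.x"), and walks that tree by indentation so only the Answers section is harvested. The sample output embedded in the script is constructed, and the `run_tshark` command line (`-Y` on tshark 1.10+, `-R` on older builds) is an assumption, not something the thread states.

```python
"""Extract only the Answers-section addresses from verbose tshark DNS output."""
import re
import subprocess
from typing import Dict, List

# Section subtrees the Wireshark DNS dissector prints under the DNS layer.
SECTION_NAMES = {"Queries", "Answers", "Authoritative nameservers", "Additional records"}

# Resource-record summary line, e.g. "host.example.net: type A, class IN, addr 192.0.2.10".
RR_ADDR_RE = re.compile(
    r"^(?P<name>\S+): type (?P<type>A|AAAA), class \S+, addr (?P<addr>\S+)$"
)


def parse_answer_addrs(verbose_output: str) -> List[Dict[str, str]]:
    """Return name/type/addr for each A or AAAA record found in an Answers section.

    The current section is tracked by indentation, so address records in the
    Authoritative nameservers and Additional records sections are skipped even
    though they carry the same "addr" field that -e dns.resp.addr would return.
    """
    found: List[Dict[str, str]] = []
    in_dns = False
    section = None
    section_indent = 0
    for raw in verbose_output.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            # New top-level protocol layer (Frame, UDP, ...); only DNS is of interest.
            in_dns = line.startswith("Domain Name System")
            section = None
            continue
        if not in_dns:
            continue
        if line in SECTION_NAMES:
            section, section_indent = line, indent
        elif section is not None and indent <= section_indent:
            section = None  # left the section subtree
        elif section == "Answers":
            m = RR_ADDR_RE.match(line)
            if m:
                found.append(m.groupdict())
    return found


def answer_addresses(verbose_output: str) -> List[str]:
    """Only the address strings, in the order the server returned them."""
    return [rr["addr"] for rr in parse_answer_addrs(verbose_output)]


def run_tshark(pcap_path: str) -> str:
    """Run tshark for real (assumed command line; -Y needs tshark >= 1.10, older builds use -R)."""
    cmd = ["tshark", "-r", pcap_path, "-Y", "dns.flags.response == 1", "-V"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample imitating one frame of `tshark -V` output; all values are made up.
SAMPLE_TSHARK_V = """\
Frame 12: 201 bytes on wire (1608 bits), 201 bytes captured (1608 bits)
User Datagram Protocol, Src Port: 53, Dst Port: 51000
Domain Name System (response)
    Transaction ID: 0x1a2b
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response
    Questions: 1
    Answer RRs: 2
    Authority RRs: 1
    Additional RRs: 2
    Queries
        www.example.net: type A, class IN
    Answers
        www.example.net: type CNAME, class IN, cname host.example.net
            Name: www.example.net
            Type: CNAME (Canonical name for an alias)
        host.example.net: type A, class IN, addr 192.0.2.10
            Name: host.example.net
            Type: A (Host Address)
            Addr: 192.0.2.10
    Authoritative nameservers
        example.net: type NS, class IN, ns ns1.example.net
    Additional records
        ns1.example.net: type A, class IN, addr 198.51.100.1
            Addr: 198.51.100.1
        ns1.example.net: type AAAA, class IN, addr 2001:db8::1
            Addr: 2001:db8::1
"""

if __name__ == "__main__":
    print(answer_addresses(SAMPLE_TSHARK_V))  # ['192.0.2.10']
```

Parsing the record summary line rather than the nested "Addr:" detail line avoids counting each address twice, and keying on the section heading rather than on a fixed number of leading answers also copes with CNAME records in the Answers section, which contribute no address at all.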