This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extracting ip addresses from dns answer section with tshark

0
1

I am trying to extract the IP addresses from a standard DNS query response using "-e dns.resp.addr". Unfortunately, I also get the IP addresses from the "additional records" section because the field name is the same: "dns.resp.addr".
When I query www.bfh.ch, I would expect to get the A record.

tshark -i eth0 port 53 -R "dns.flags.response == 1" -T fields -E separator=\; -E quote=s -e frame.time -e dns.qry.name -e dns.resp.addr

'www.bfh.ch';'147.87.250.111,147.87.250.20,78.47.48.102,80.238.203.210,147.87.254.20'

Instead, I also get the IP addresses of their four nameservers.

I used the display filter reference for DNS but couldn't find a solution: http://www.wireshark.org/docs/dfref/d/dns.html

Is there a way to extract the addresses from the answer section only?

Thanks, Luke

asked 04 Sep '12, 07:00


WireLuke
accept rate: 0%


2 Answers:

1

Try also specifying -E occurrence=f. That will cause tshark to only display the first occurrence of the desired fields, rather than all occurrences, which is the default. Refer to the tshark man page for more information.

answered 04 Sep '12, 09:38


cmaynard ♦♦
accept rate: 20%

This works for domains which return only one address. For names with multiple addresses, I only get the first one. I would like to get the complete answer section without the "additional records" section.

Thanks anyway!

(10 Sep '12, 01:43) WireLuke

1

I would like to get the complete answer section without the "additional records" section.

Unfortunately that is not possible with tshark field extraction, as the fields in the additional records are also accessed by dns.resp.name and/or dns.resp.addr.

What you can do is this:

tshark -nr input.cap -R "dns" -V

This will print the DNS packets in full detail, like this one:

   Queries
       www.mircrosoft.com: type A, class IN
           Name: www.mircrosoft.com
           Type: A (Host address)
           Class: IN (0x0001)
   Answers
       www.mircrosoft.com: type CNAME, class IN, cname mircrosoft.com
           Name: www.mircrosoft.com
           Type: CNAME (Canonical name for an alias)
           Class: IN (0x0001)
           Time to live: 1 hour
           Data length: 2
           Primaryname: mircrosoft.com
       mircrosoft.com: type A, class IN, addr 64.4.6.100
           Name: mircrosoft.com
           Type: A (Host address)
           Class: IN (0x0001)
           Time to live: 1 hour
           Data length: 4
           Addr: 64.4.6.100 (64.4.6.100)
       mircrosoft.com: type A, class IN, addr 65.55.39.10
           Name: mircrosoft.com
           Type: A (Host address)
           Class: IN (0x0001)
           Time to live: 1 hour
           Data length: 4
           Addr: 65.55.39.10 (65.55.39.10)
   Authoritative nameservers
       mircrosoft.com: type NS, class IN, ns ns3.msft.net
           Name: mircrosoft.com
           Type: NS (Authoritative name server)
           Class: IN (0x0001)

Then you extract only the required information from that output (addrs in the Answers section) with a script. Use your preferred language for that (perl/python/lua/ruby).

Regards
Kurt

answered 10 Sep '12, 04:19


Kurt Knochner ♦
accept rate: 15%
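An added example of the scripting step the answer describes (this is not code from the answer or from Wireshark): it walks the `tshark -V` text, tracks which DNS section each `Addr:` line sits under, and keeps only the addresses under Answers, so glue from Additional records never ends up in the result. The sample input is constructed from the output quoted above; the `Address:` and `AAAA Address:` labels for newer tshark builds are an assumption.

```python
import re

# Section headers as tshark -V prints them inside a DNS dissection.
SECTIONS = {"Queries", "Answers", "Authoritative nameservers", "Additional records"}
# "Addr:" is the label in the output quoted above; "Address:" and "AAAA Address:"
# are assumed labels for newer tshark builds (A and AAAA records).
ADDR_RE = re.compile(r"^(?:Addr|Address|AAAA Address):\s*(\S+)")

def dns_sections(text: str) -> list[dict[str, list[str]]]:
    """Per DNS message in `tshark -V` output: {section name: [addresses]}."""
    messages: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Domain Name System"):   # next DNS message begins
            if current:
                messages.append(current)
            current, section = {}, None
        elif line in SECTIONS:                       # e.g. "Answers"
            section = line
            current.setdefault(section, [])
        elif section is not None:
            m = ADDR_RE.match(line)
            if m:                                    # bare address, "(...)" dropped
                current[section].append(m.group(1))
    if current:
        messages.append(current)
    return messages

def answer_addrs(text: str) -> list[str]:
    """Addresses from the Answers section only; Additional records (glue) are ignored."""
    return [a for msg in dns_sections(text) for a in msg.get("Answers", [])]

# Constructed sample modelled on the -V output above; the Additional record uses an
# invented RFC 5737 documentation address to show that it is filtered out.
SAMPLE = """\
Domain Name System (response)
    Answers
        www.mircrosoft.com: type CNAME, class IN, cname mircrosoft.com
            Primaryname: mircrosoft.com
        mircrosoft.com: type A, class IN, addr 64.4.6.100
            Addr: 64.4.6.100 (64.4.6.100)
        mircrosoft.com: type A, class IN, addr 65.55.39.10
            Addr: 65.55.39.10 (65.55.39.10)
    Additional records
        ns3.msft.net: type A, class IN, addr 192.0.2.53
            Addr: 192.0.2.53 (192.0.2.53)
"""

if __name__ == "__main__":
    print(answer_addrs(SAMPLE))   # ['64.4.6.100', '65.55.39.10']
```

Feed it the real output with `tshark -nr input.cap -R "dns" -V | python3 script.py` after replacing `SAMPLE` with `sys.stdin.read()`.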

Unfortunately that is not possible with tshark field extraction, as the fields in the additional records are also accessed by dns.resp.name and/or dns.resp.addr.

This could be changed though so that different filters are used. I would suggest filing a DNS enhancement bug report requesting this.

(13 Sep '12, 17:57) cmaynard ♦♦