
OS: Ubuntu 10.04.4 LTS Tshark: 1.2.7

I'm trying to sniff all DNS traffic and output queries and answers to a text file for parsing. All queries for 'A' records return the needed information: response name, address and ttl. Queries for PTR records do not display all fields (the fields dns.resp.addr, dns.resp.name, and dns.resp.primaryname return no values).

What can be done to output the info to a text file? Specifying fields with Tshark is great but missing the domain name returned from the PTR query is odd. An oversight/bug?

Any help is appreciated.

---OUTPUT---

sudo tshark -n -s0 -i eth4 port 53
0.000000 [host] -> [dnsSRV] DNS Standard query A wireshark.com
0.000508 [dnsSRV] -> [host] DNS Standard query response A 184.172.141.116
2.868755 [host] -> [dnsSRV] DNS Standard query PTR 116.141.172.184.in-addr.arpa
2.869270 [dnsSRV] -> [host] DNS Standard query response PTR wir.wireshark.com

sudo tshark -n -s0 -i eth4 port 53 -T fields -E separator=\, -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.name -e dns.resp.addr -e dns.resp.ttl
Nov 21, 2012 17:05:29.113891000,[host],[dnsSRV],wireshark.com,,,
Nov 21, 2012 17:05:29.114397000,[dnsSRV],[host],wireshark.com,wireshark.com,,4632
Nov 21, 2012 17:05:45.270631000,[host],[dnsSRV],116.141.172.184.in-addr.arpa,,,
Nov 21, 2012 17:05:45.271134000,[dnsSRV],[host],116.141.172.184.in-addr.arpa,116.141.172.184.in-addr.arpa,,12039

---ADDITION---
It also appears that this is failing for 'A' records (see above). The 'A' record dns.resp.addr is populated correctly with Tshark 1.6.7 running on Ubuntu 12.04.1 LTS but 'PTR' records still do not show the dns.resp.addr or dns.resp.name fields (interesting).

asked 21 Nov '12, 09:21


twhisnant

edited 21 Nov '12, 09:34


There is no filter for the PTR response in the current release.

You can run tshark with option -V and then parse the full output of the DNS response.

tshark -r input.cap -V

or parse the 'text' field of the DNS responses.

tshark -r input.cap -R "dns.resp.len" -T fields -e text

Regards
Kurt


answered 21 Nov '12, 10:28


Kurt Knochner ♦

edited 21 Nov '12, 10:35
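The PTR target lives in the answer record's RDATA as a domain name rather than an address, which is why an address-typed field stays empty for it; logging both record types needs the answer section decoded regardless of which dissector fields exist. The following Python script is an added example, not code from the question, the answer above, or the Wireshark project: it parses the answer section of a raw DNS response message (the UDP payload) and emits the same name,type,ttl,value line for A and PTR answers, following compression pointers with a hop limit so a malformed message cannot loop the parser. The two sample packets are constructed here from the names, address and TTLs shown in the question; extracting the payload bytes from a capture is assumed to be handled by your own pcap tooling.

```python
"""Decode DNS answer records (A and PTR) from raw response bytes.

Added example; the sample packets are constructed from the values in the
question (wireshark.com -> 184.172.141.116, PTR -> wir.wireshark.com).
"""
import struct

TYPE_NAMES = {1: "A", 12: "PTR"}


def read_name(msg, offset):
    """Decode a possibly-compressed domain name starting at offset.

    Returns (name, offset_after_name). Compression pointers are followed
    with a hop limit so a pointer loop raises instead of spinning forever.
    """
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: compression pointer
            if not jumped:
                end = offset + 2                  # name ends after the pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                           # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_answers(msg):
    """Return one dict per record in the answer section of a DNS message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:             # A: dotted-quad address
            value = ".".join(str(b) for b in rdata)
        elif rtype == 12:                         # PTR: RDATA is a (compressible) name
            value, _ = read_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
                        "ttl": ttl, "value": value})
    return answers


def log_line(answer):
    """CSV line in the spirit of the -T fields output in the question."""
    return ",".join(str(answer[k]) for k in ("name", "type", "ttl", "value"))


# --- constructed sample packets (not captured traffic) ---------------------
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname, rtype, ttl, rdata):
    """Minimal response: one question, one answer whose name is a pointer (0xC00C)
    back to the question name, as real resolvers emit."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", rtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


A_RESPONSE = build_response("wireshark.com", 1, 4632, bytes([184, 172, 141, 116]))
PTR_RESPONSE = build_response("116.141.172.184.in-addr.arpa", 12, 12039,
                              encode_name("wir.wireshark.com"))

if __name__ == "__main__":
    for pkt in (A_RESPONSE, PTR_RESPONSE):
        for rec in parse_answers(pkt):
            print(log_line(rec))
```

Feed `parse_answers` the UDP payload of each port-53 response and the PTR line carries `wir.wireshark.com` in the value column, where the question's `-T fields` run left it blank.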
