This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark, missing answer domain name in display filter for PTR records


OS: Ubuntu 10.04.4 LTS Tshark: 1.2.7

I'm trying to sniff all DNS traffic and output queries and answers to a text file for parsing. All queries for 'A' records return the needed information: response name, address and ttl. Queries for PTR records do not display all fields (the fields dns.resp.addr, dns.resp.name, and dns.resp.primaryname return no values).

What can be done to output the info to a text file? Specifying fields with Tshark is great but missing the domain name returned from the PTR query is odd. An oversight/bug?

Any help is appreciated.

---OUTPUT---

sudo tshark -n -s0 -i eth4 port 53
0.000000 [host] -> [dnsSRV] DNS Standard query A wireshark.com
0.000508 [dnsSRV] -> [host] DNS Standard query response A 184.172.141.116
2.868755 [host] -> [dnsSRV] DNS Standard query PTR 116.141.172.184.in-addr.arpa
2.869270 [dnsSRV] -> [host] DNS Standard query response PTR wir.wireshark.com

sudo tshark -n -s0 -i eth4 port 53 -T fields -E separator=\, -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.name -e dns.resp.addr -e dns.resp.ttl
Nov 21, 2012 17:05:29.113891000,[host],[dnsSRV],wireshark.com,,,
Nov 21, 2012 17:05:29.114397000,[dnsSRV],[host],wireshark.com,wireshark.com,,4632
Nov 21, 2012 17:05:45.270631000,[host],[dnsSRV],116.141.172.184.in-addr.arpa,,,
Nov 21, 2012 17:05:45.271134000,[dnsSRV],[host],116.141.172.184.in-addr.arpa,116.141.172.184.in-addr.arpa,,12039

---ADDITION---
It also appears that this is failing for 'A' records (see above). The 'A' record dns.resp.addr is populated correctly with Tshark 1.6.7 running on Ubuntu 12.04.1 LTS but 'PTR' records still do not show the dns.resp.addr or dns.resp.name fields (interesting).

asked 21 Nov '12, 09:21

twhisnant

edited 21 Nov '12, 09:34


One Answer:


There is no filter for the PTR response in the current release.

You can run tshark with option -V and then parse the full output of the DNS response.

tshark -r input.cap -V

or parse the 'text' field of the DNS responses.

tshark -r input.cap -R "dns.resp.len" -T fields -e text

Regards
Kurt

answered 21 Nov '12, 10:28

Kurt Knochner

edited 21 Nov '12, 10:35