I seldom receive messages during stress tests about timed-out DNS requests from c-ares, which is used in the download manager as part of libcurl. I have a huge pcap and need to identify such failed DNS queries. Is it possible with Wireshark's expression language?

asked 11 Feb '13, 08:41 Andrey Staro...
2 Answers:
Perhaps the following as a Wireshark display filter will work:
(Hat tip to what I think was a recent ask.wireshark.org answer that I can't find right now.)

You can also use (you may have to adjust the quoting depending upon the OS/shell you are using).

Update: A test using this filter with the latest 1.8 tshark seemed to sort of work. A DNS query without a response was found but, for some reason, the frame number was incorrect (i.e. the frame found by Wireshark using the filter was the same as that found by tshark, but tshark showed a different, incorrect, frame number). I've filed Bug #8316 at bugs.wireshark.org.

answered 11 Feb '13, 11:04 Bill Meier ♦♦, edited 15 Feb '13, 08:56
To troubleshoot an unsuccessful DNS query: browse to Domain Name System > Flags; the last line is the reply code, where 0 means no error. The others are listed according to iana.org: http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml

RCODE   Name        Description                             Reference
0       NoError     No Error                                [RFC1035]
1       FormErr     Format Error                            [RFC1035]
2       ServFail    Server Failure                          [RFC1035]
3       NXDomain    Non-Existent Domain                     [RFC1035]
4       NotImp      Not Implemented                         [RFC1035]
5       Refused     Query Refused                           [RFC1035]
6       YXDomain    Name Exists when it should not          [RFC2136][RFC6672]
7       YXRRSet     RR Set Exists when it should not        [RFC2136]
8       NXRRSet     RR Set that should exist does not       [RFC2136]
9       NotAuth     Server Not Authoritative for zone       [RFC2136]
9       NotAuth     Not Authorized                          [RFC2845]
10      NotZone     Name not contained in zone              [RFC2136]
11-15   Unassigned

You can use the expression:

(!(dns.flags.rcode==0))&&(dns.flags.response==1)

-- !(dns.flags.rcode==0) means the reply code does not match "no error"
-- dns.flags.response==1 means match all the query answer packets

To test whether this works, start a Wireshark capture, open a command window and ping a non-existent website, like ping www.gggoogeld.com. Then stop the capture, apply the expression in the display filter, and see if the unsuccessful query is listed and only that is listed.

answered 22 Jan '17, 21:47 FrankTrunk
That's it, thank you! Added the -i eth1 arg for listening on interface eth1; worked flawlessly, thank you.
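The two checks the answers above describe (responses with a non-zero RCODE, and queries that never got a reply) can also be run offline over raw DNS payloads pulled out of the pcap. The script below is an added example, not code from the thread or from Wireshark; the sample messages are constructed inline, and matching on the transaction ID alone is a simplification of the address-and-port tracking Wireshark does.

```python
import struct

# RCODE names from the IANA registry quoted above (common values only)
RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain",
               4: "NotImp", 5: "Refused"}

def parse_header(msg):
    """Return (transaction id, is_response, rcode) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & 0x8000), flags & 0x000F  # QR bit, RCODE bits

def first_qname(msg):
    """Decode the first question name (a question section is not compressed)."""
    labels, pos = [], 12
    while msg[pos] != 0:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels)

def find_failed_lookups(messages):
    """Return (responses with RCODE != 0, queries that never got a reply)."""
    queries, answered, failed = {}, set(), []
    for msg in messages:
        txid, is_response, rcode = parse_header(msg)
        if not is_response:
            queries[txid] = first_qname(msg)   # remember the outstanding query
            continue
        answered.add(txid)
        if rcode != 0:  # same test as (!(dns.flags.rcode==0))&&(dns.flags.response==1)
            failed.append((queries.get(txid, "?"), RCODE_NAMES.get(rcode, str(rcode))))
    unanswered = [name for txid, name in queries.items() if txid not in answered]
    return failed, unanswered

def build_message(txid, name, response=False, rcode=0):
    """Construct a minimal DNS message (header plus one A question) for testing."""
    flags = (0x8000 if response else 0) | 0x0100 | rcode  # QR, RD, RCODE
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# Constructed sample traffic: one clean lookup, one NXDomain, one that timed out
SAMPLE = [
    build_message(0x1A2B, "www.example.com"),
    build_message(0x1A2B, "www.example.com", response=True),
    build_message(0x3C4D, "www.gggoogeld.com"),
    build_message(0x3C4D, "www.gggoogeld.com", response=True, rcode=3),
    build_message(0x5E6F, "cdn.example.net"),  # never answered: the c-ares timeout case
]
```

Running find_failed_lookups(SAMPLE) reports www.gggoogeld.com as NXDomain and cdn.example.net as unanswered, which is the c-ares timeout case from the question.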