This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter DNS queries without matched responses

0
1

I receive seldom messages during stress test about timed out DNS requests from c-ares used in download manager as part of libcurl. I have huge pcap and need to identify such failed DNS queries. Is it possible with Wireshark's expression language?

asked 11 Feb '13, 08:41

Andrey%20Starodubtsev's gravatar image

Andrey Staro...
6122
accept rate: 0%


2 Answers:

3

Perhaps the following as a Wireshark display filter will work:

dns && (dns.flags.response == 0) && ! dns.response_in

(Hat tip to what I think was a recent ask.wireshark.org answer (that I can't find right now)).

You can also use tshark -2 -R "dns && (dns.flags.response == 0) && ! dns.response_in" ...

(You may have to adjust the quoting depending upon the OS/shell you are using.

Update: A test using this filter with the latest 1.8 tshark seemed to sort of work. A DNS query without a response was found but, for some reason, the frame number was incorrect. (I.e. the frame found by wireshark using the filter was the same as that found by tshark, but tshark showed a different (incorrect) frame number).

I've filed Bug #8316 at bugs.wireshark.org.

answered 11 Feb '13, 11:04

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 15 Feb '13, 08:56

That's it, thank you!

(11 Feb '13, 11:12) Andrey Staro...

added -i eth1 arg for listening on interface eth1, worked flawlessly, thank you.

(12 Nov '13, 05:52) Mayura

0

To troubleshoot unsuccessful DNS query:

Browse to Domain Name System > Flags, last line is the reply code, the 0 of which means no error. Others are listed down according to iana.org: http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml

RCODE Name Description Reference 0 NoError No Error [RFC1035] 1 FormErr Format Error [RFC1035] 2 ServFail Server Failure [RFC1035] 3 NXDomain Non-Existent Domain [RFC1035] 4 NotImp Not Implemented [RFC1035] 5 Refused Query Refused [RFC1035] 6 YXDomain Name Exists when it should not [RFC2136][RFC6672] 7 YXRRSet RR Set Exists when it should not [RFC2136] 8 NXRRSet RR Set that should exist does not [RFC2136] 9 NotAuth Server Not Authoritative for zone [RFC2136] 9 NotAuth Not Authorized [RFC2845] 10 NotZone Name not contained in zone [RFC2136] 11-15 Unassigned
16 BADVERS Bad OPT Version [RFC6891] 16 BADSIG TSIG Signature Failure [RFC2845] 17 BADKEY Key not recognized [RFC2845] 18 BADTIME Signature out of time window [RFC2845] 19 BADMODE Bad TKEY Mode [RFC2930] 20 BADNAME Duplicate key name [RFC2930] 21 BADALG Algorithm not supported [RFC2930] 22 BADTRUNC Bad Truncation [RFC4635] 23 BADCOOKIE Bad/missing Server Cookie [RFC7873] 24-3840 Unassigned
3841-4095 Reserved for Private Use [RFC6895] 4096-65534 Unassigned
65535 Reserved, can be allocated by Standards Action [RFC6895]

You can use the expression:

(!(dns.flags.rcode==0))&&(dns.flags.response==1)

-- !(dns.flags.rcode==0) means the reply code does not match "no error" -- dns.flags.response==1 means match all the query answer packet.

Test if this work, start Wireshark capture, open a command window, ping a non exist website, like ping www.gggoogeld.com. Then stop the capture, apply the expression in the display filter, see if the unsuccessful query been listed and only that is listed.

answered 22 Jan '17, 21:47

FrankTrunk's gravatar image

FrankTrunk
61
accept rate: 0%