This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MATE web unable to capture third parties websites DNS IP

0

I have been using the configurantion file(web.mate) below to try and capture the DNS ip from the third parties web sites but unfortunelly no sucess. The configuration file works fine but i am only getting my router IP and my machine ip. Can someone shed some light to my torment or even provide me with a hint where i am going wrong??? Many Thanks Felgueiras

Pdu tcp_pdu Proto tcp Transport ip {
    Extract addr From ip.addr;
    Extract port From tcp.port;
    Extract tcp_start From tcp.flags.syn;
    Extract tcp_stop From tcp.flags.reset;
    Extract tcp_stop From tcp.flags.fin;
};

Gop tcp_ses On tcp_pdu Match (addr, addr, port, port) {
Start (tcp_start=1);
Stop (tcp_stop=1);
};


Transform rm_client_from_dns_resp {
Match (dns_resp=1, client) Insert (dns_resp=1);
};


Pdu dns_pdu Proto dns Transport ip {
Extract addr From ip.addr;
Extract dns_resp From dns.flags.response;
Extract host From dns.qry.name;
Extract client From ip.src;
Extract dns_id From dns.id;
Transform rm_client_from_dns_resp;


};


Transform rm_client_from_http_resp1 {
Match (http_rq);
Match (addr) Insert (not_rq);
Match (not_rq,client);
};


Transform rm_client_from_http_resp2 {
Match (not_rq,client);
};


Pdu http_pdu Proto http Transport tcp/ip {
Extract addr From ip.addr;
Extract port From tcp.port;
Extract http_rq From http.request.method;
Extract http_rs From http.response;
Extract host From http.host;
Extract client From ip.src;
Transform rm_client_from_http_resp1;
//  Transform rm_client_from_http_resp2;


};


Gop dns_req On dns_pdu Match (addr, addr, dns_id) {
Start (dns_resp=0);
Stop (dns_resp=1);
Extra (host, client);
};


Gop http_req On http_pdu Match (addr, addr, port, port) {
Start (http_rq);
Stop (http_rq);
Extra (host, client);
};

asked 08 Mar ‘14, 05:47

Astrokilla23's gravatar image

Astrokilla23
16225
accept rate: 0%

edited 09 Mar ‘14, 03:23

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237

what exactly do you mean by: “the DNS ip from the third parties web sites”?

Isn’t the destination IP address of the conversation, the address of the web site?

(09 Mar ‘14, 03:24) Kurt Knochner ♦

Thanks for replaying to my question Kurt .What i trying to explain is that the source ip and destination ip are almost same(there’s only two ip in which changes to source and destination)!!!So if i am on a web page and then a click on the add banner(Third party web site)i should be able to get the ip o source of the add() is coming from ???

(09 Mar ‘14, 05:32) Astrokilla23

One Answer:

1

So if i am on a web page and then a click on the add banner(Third party web site)i should be able to get the ip of source of the add() is coming from ?

I don't think that MATE can do that, as the page that get's loaded is totally unrelated to the previous TCP connection. The only 'link' between those two connections is the link in the HTML code of the web page transmitted in the first tcp connection.

So, you would have to

  • parse the HTML code
  • figure out that there are several links
  • remember all host names of those links
  • look for DNS requests to those names
  • look for new tcp connections to the IP address of one of those host names

AFIAK, there is no way to do that with MATE, especially because of the HTML parsing part!

Can you describe what you are trying to do? Maybe there is another solution.

Regards
Kurt

answered 09 Mar '14, 11:42

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 09 Mar '14, 11:43

Hi Kurt thanks once again to take your time to answer my queries. I am doing a project on wireshark, called "Visualization of Third-Party websites" using Wireshark.I was instructed to use MATE because it can create group of protocols.By using mate i thought that i could create a gop of DNS's IP's and consequently use GEO IP to display their location on the map.I hope this gives you an insight of what i am trying to achieve.Can you please help me to get aroud this issue ?? Thanks Astrokilla.

(10 Mar '14, 13:15) Astrokilla23

I'm not quite sure what you are trying to do. Do you want to visualize 'nested' content in web pages, by geoip mapping the addresses of the hostnames in those 'nested' links? If so, I'm pretty sure you can't do that with MATE (see my explanation above), so there is no (simple) way around this 'issue'.

(10 Mar '14, 15:37) Kurt Knochner ♦

Well the visualization bit i can use any ip tracker website i am mostly interested in capturing the IP's and consequently track them if thats fine....

(10 Mar '14, 16:12) Astrokilla23