Is there a way to use TShark to extract TCP/UDP DNS queries and end up with a list of the original query and query type in letter format? Right now my command looks like this:

tshark -n -r capture.pcap -T fields -e dns.qry.name -e dns.qry.type -Y '( udp.port==53 || tcp.port==53 ) && dns.flags.response==0'

What it generates is a file of query names with a tab and then the number of the query type. I then have to cat the file and sed it, looking for a combination of a <tab> plus the query-type number to replace it with a <tab> and the right letter query type - i.e., A is 1, CNAME is 5, AAAA is 2, etc. My goal is to come up with a list of domains I can replay against a DNS server using queryperf or dig.

asked 28 Oct '14, 19:43 JerimiahF
One Answer:
Then you could try this:
Regards

answered 29 Oct '14, 04:56 Kurt Knochner ♦ edited 29 Oct '14, 05:02
Kurt - thanks for answering.
The challenge I have, though, is that besides the DNS name I also need the type of record asked for, with either a TAB or a space between them, so the list would look like this:
www.apple.com A
Queryperf (the faster and preferred tool) needs both pieces in order to do the query and ensure it's asking the same request as the capture did.
O.K. then try this:
Please add some 'sed magic' to remove the : and ,. I leave that up to you ;-)
Wow - simple yet VERY effective. This is perfect! Thanks Kurt!!!
Difference before/after: a 150MB capture with ~240k queries now processes in about 1/3 the time, and it is far less complex than the sed hell I was going through before with some massive -V dumps to parse through.
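As an added example (not part of the original thread or either participant's commands), the post-processing step the question describes done once, in Python rather than sed: it reads the two-column output of the tshark -T fields command from the question, maps the numeric dns.qry.type to its mnemonic using the IANA DNS Parameters registry, and writes one "<qname> <QTYPE>" line per question, which is the input format queryperf and dig -f expect. It also covers two cases a hand-written sed rule misses: a query packet carrying more than one question (tshark joins the repeated field values with a comma, its default aggregator) and a type number that has no mnemonic, which is emitted in RFC 3597 "TYPEnnn" form. The sample input is constructed, not from a real capture.

```python
#!/usr/bin/env python3
"""Turn tshark '-T fields -e dns.qry.name -e dns.qry.type' output into a
queryperf / 'dig -f' input list of '<qname> <QTYPE>' lines.

Example pipeline (the tshark filter is the one from the question):
  tshark -n -r capture.pcap -T fields -e dns.qry.name -e dns.qry.type \
      -Y '( udp.port==53 || tcp.port==53 ) && dns.flags.response==0' \
      | python3 tshark_dns_to_queryperf.py > queries.txt
"""
from __future__ import annotations

import sys

# RR type number -> mnemonic, from the IANA DNS Parameters registry.
# Anything not listed is emitted as RFC 3597 'TYPEnnn', which dig and
# queryperf both accept, so no query is silently dropped or mislabelled.
RR_TYPES = {
    1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
    28: "AAAA", 33: "SRV", 35: "NAPTR", 43: "DS", 46: "RRSIG", 47: "NSEC",
    48: "DNSKEY", 50: "NSEC3", 52: "TLSA", 64: "SVCB", 65: "HTTPS", 99: "SPF",
    251: "IXFR", 252: "AXFR", 255: "ANY", 257: "CAA",
}


def rr_type_name(num: int) -> str:
    """Mnemonic for an RR type number, falling back to RFC 3597 TYPEnnn syntax."""
    return RR_TYPES.get(num, f"TYPE{num}")


def parse_tshark_line(line: str) -> list[tuple[str, int]]:
    """Parse one line of tshark -T fields output: '<name>\\t<type>'.

    A query packet carrying several questions makes tshark print the repeated
    field values joined with ',' (default -E occurrence=a and aggregator), so
    both columns are split and paired positionally.
    """
    line = line.rstrip("\r\n")
    if not line.strip():
        return []
    cols = line.split("\t")
    if len(cols) != 2:
        raise ValueError(f"expected 2 tab-separated columns: {line!r}")
    names = cols[0].split(",")
    types = cols[1].split(",")
    if len(names) != len(types):
        raise ValueError(f"name/type count mismatch: {line!r}")
    questions = []
    for name, qtype in zip(names, types):
        name = name.strip()
        if not name:
            continue
        questions.append((name, int(qtype)))
    return questions


def convert(tshark_output: str) -> list[str]:
    """Convert whole tshark output to queryperf lines, in capture order and
    keeping duplicates, so the replay reproduces the original query mix."""
    out = []
    for line in tshark_output.splitlines():
        for name, qtype in parse_tshark_line(line):
            out.append(f"{name} {rr_type_name(qtype)}")
    return out


# Constructed sample of what the tshark command prints (not a real capture).
SAMPLE_TSHARK_OUTPUT = (
    "www.apple.com\t1\n"
    "www.apple.com\t28\n"
    "mail.example.net\t15\n"
    "example.org,www.example.org\t6,5\n"   # one packet carrying two questions
    "_443._tcp.example.com\t52\n"
    "weird.example\t65280\n"               # private-use type -> TYPE65280
)


def main() -> None:
    # Read piped tshark output; fall back to the constructed sample when run
    # interactively so the script demonstrates itself.
    text = SAMPLE_TSHARK_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write("\n".join(convert(text)) + "\n")


if __name__ == "__main__":
    main()
```

The resulting queries.txt can be fed to queryperf as its input file, or replayed with dig using `dig +noall +answer -f queries.txt`. If a capture contains names with commas (legal in DNS labels, if unusual), pass `-E aggregator=` with a different separator to tshark and change the `split(",")` calls to match.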