This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark command to find answer field in dns query response with more than 1 answer RRs


My DNS trace contains more than 1 'Answer RRs'. How do I extract the 'Name' (dns.resp.name) and 'Addr' (dns.resp.addr) fields from each response and print them on the same line as the requested domain name? I tried using -Tfields -e "dns.resp.name" -e "dns.resp.addr" but I don't get any response at all.

asked 15 Jan '15, 08:20


Vijay Gharge


One Answer:


Hello,

I found the issue. It is due to the older version that I could not print those fields. Thanks to the Kali live Linux CDs I found a newer version!

After processing the data using the -T & -e options, I got the request / response data on separate lines and then just wrote the following bash script to map request & response on the same line.

#!/bin/bash
# Reads the tshark -T fields output line by line (a plain "for i in `cat`"
# loop would split lines on whitespace, so use while/read instead).
# Assumed layout, as implied by the grep below: the second comma-separated
# column of a response line holds the frame number that the matching
# request line starts with.
while IFS= read -r line
do
        response_frame=$(echo "$line" | awk -F',' '{ print $2 }')
        if [ ${#response_frame} -gt 0 ] ; then
                # look up the request line beginning with that frame number
                req=$(grep -w "^$response_frame" Gn_ADNS1.txt)
                echo "$req => $line"
#       else
#               echo "$line !="
        fi
done < Gn_ADNS1.txt

answered 08 Mar '15, 09:22


Vijay Gharge

edited 08 Mar '15, 09:24
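The same request/response join, written as an added example that is not part of the answer above and not Wireshark project code. It assumes the responses were exported with a field list like the following (trace name and separator are hypothetical), where multi-valued fields such as several Answer RRs arrive comma-separated, and it uses the newer address field name dns.a (the question's dns.resp.addr is the older name for the same field), pairing each answer name with its address on one line next to the queried name. Mismatched name/address counts (a CNAME chain mixed with A records) and responses with no answers are handled explicitly:

    tshark -r trace.pcap -Y dns -T fields -E separator='|' -e frame.number -e dns.flags.response -e dns.response_to -e dns.qry.name -e dns.resp.name -e dns.a

```python
import sys

# Constructed sample of the tshark output above (not from a real capture).
# Columns: frame | is_response | request frame | query name | answer names | addresses
SAMPLE = """\
1|0||example.com||
2|1|1|example.com|example.com,example.com|192.0.2.10,192.0.2.11
3|0||www.example.net||
4|0||no-answer.example||
5|1|3|www.example.net|www.example.net,example.net,example.net|198.51.100.7,198.51.100.8
6|1|4|no-answer.example||
"""


def split_multi(value):
    """A multi-valued tshark field is comma-joined; empty means no RRs."""
    return [v for v in value.split(",") if v]


def parse_lines(text):
    """Separate request lines (frame -> query name) from response tuples."""
    requests = {}
    responses = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cols = raw.split("|")
        if len(cols) != 6:
            raise ValueError("expected 6 fields, got %d: %r" % (len(cols), raw))
        frame, is_resp, resp_to, qry, names, addrs = cols
        # older tshark prints 0/1 for boolean fields, newer prints False/True
        if is_resp in ("1", "True"):
            responses.append((frame, resp_to, qry, split_multi(names), split_multi(addrs)))
        else:
            requests[frame] = qry
    return requests, responses


def join_pairs(text):
    """One output line per response: requested name => each answer name=address."""
    requests, responses = parse_lines(text)
    rows = []
    for frame, resp_to, qry, names, addrs in responses:
        req_qry = requests.get(resp_to, "<no matching request>")
        if not names and not addrs:
            rr = "no answer RRs"
        elif len(names) == len(addrs):
            rr = ";".join("%s=%s" % pair for pair in zip(names, addrs))
        else:
            # CNAME chain: dns.resp.name lists every RR, dns.a only A records
            rr = "names=%s addrs=%s" % (",".join(names), ",".join(addrs))
        rows.append("%s => frame %s: %s" % (req_qry, frame, rr))
    return rows


if __name__ == "__main__":
    # Pipe real tshark output in, or run without input to see the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for row in join_pairs(data):
        print(row)
```

Because the join is keyed on dns.response_to rather than on line order, a response separated from its request by other DNS traffic (or a request that never gets a response) does not shift the pairing.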