This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

DNS Response filter

0

Could someone help me write a filter to select all DNS conversations with response "No such name"? I believe this is a set of Flags value 0x8183, and not an actual text response. Thanks in advance.

asked 03 Jun '15, 07:42

fixit9660
accept rate: 0%


2 Answers:

1

Sure. It's "dns.flags == 0x8183"

answered 03 Jun '15, 07:49

Jasper ♦♦
accept rate: 18%

Yes that shows the responses, but I need the whole conversation, to show the actual query too please.

(03 Jun '15, 07:51) fixit9660

Why? The query is repeated in the answer, too. And it's not possible to filter on packet relationships; you can only match on things that exist in a packet.

(03 Jun '15, 08:01) Jasper ♦♦

OK, it's in the Queries section, but I need to open the packet to see it. I was hoping to see it in the traffic flow on the screen. Unless you can tell me how to save the Queries to a file for further analysis? Otherwise I'll have to open 10,000s of packets manually.

(03 Jun '15, 08:06) fixit9660

Well, you could just add a custom column, displaying "dns.qry.name" to display the query FQDNs in an extra column in the packet list.

(03 Jun '15, 08:15) Jasper ♦♦

That's exactly what I want! Thank you for the prompt and accurate help.

(04 Jun '15, 01:11) fixit9660

0

Take a look at MATE

https://wiki.wireshark.org/Mate

You can group request/response with it.

In the online MATE library you'll find a simple DNS example, which you'll have to extend to match "dns.flags == 0x8183".

https://wiki.wireshark.org/Mate/Library

Regards
Kurt

answered 03 Jun '15, 08:33

Kurt Knochner ♦
accept rate: 15%
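Added example, not part of the original thread or of Wireshark/MATE: the script below shows what the value 0x8183 from the question actually encodes (QR=1, RD=1, RA=1, RCODE=3 "No such name") and does the request/response grouping that Jasper's comment says a display filter cannot do and that Kurt's answer delegates to MATE, by keying on the DNS transaction ID together with the client and server addresses. The sample packets are constructed inline; the `Packet` class and all function names are this example's own. One caveat worth noting on the filter itself: `dns.flags == 0x8183` matches only that exact flag combination, so an NXDOMAIN reply from an authoritative server (AA set, 0x8583) or one without RA set would be missed; the field-level filter `dns.flags.response == 1 && dns.flags.rcode == 3` catches every NXDOMAIN response, and `is_nxdomain_response` below implements that broader check.

```python
"""Decode DNS header flags and pair queries with their NXDOMAIN responses.

Constructed example: the packets at the bottom are built by hand with struct,
not captured traffic. Matching is done on (client, server, transaction ID),
which is the same join a MATE configuration would express.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

RCODE_NXDOMAIN = 3  # "No such name" in Wireshark's DNS dissector


def decode_flags(flags: int) -> dict:
    """Split the 16-bit DNS flags word into its RFC 1035 section 4.1.1 fields."""
    return {
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,       # authoritative answer
        "tc": (flags >> 9) & 1,        # truncated
        "rd": (flags >> 8) & 1,        # recursion desired
        "ra": (flags >> 7) & 1,        # recursion available
        "rcode": flags & 0xF,          # 3 = NXDOMAIN
    }


def is_nxdomain_response(flags: int) -> bool:
    """Equivalent of 'dns.flags.response == 1 && dns.flags.rcode == 3'."""
    f = decode_flags(flags)
    return f["qr"] == 1 and f["rcode"] == RCODE_NXDOMAIN


def encode_name(name: str) -> bytes:
    """Wire-format label sequence for an uncompressed domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Read an uncompressed label sequence; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_message(txid: int, flags: int, qname: str) -> bytes:
    """Header plus one question (type A, class IN); answer sections left empty."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def parse(payload: bytes) -> tuple[int, int, str]:
    """Return (transaction id, flags, queried name) from a DNS message."""
    txid, flags = struct.unpack("!HH", payload[:4])
    qname, _ = decode_name(payload, 12)  # question section starts after the 12-byte header
    return txid, flags, qname


def pair_nxdomain(packets: list[Packet]) -> list[tuple[str, str, int]]:
    """Return (client, queried name, txid) for each query answered with NXDOMAIN."""
    pending: dict[tuple[str, str, int], str] = {}
    hits = []
    for p in packets:
        txid, flags, qname = parse(p.payload)
        if decode_flags(flags)["qr"] == 0:
            # key on client, server and ID so unrelated conversations cannot collide
            pending[(p.src, p.dst, txid)] = qname
        else:
            key = (p.dst, p.src, txid)  # the response flows server -> client
            if key in pending and is_nxdomain_response(flags):
                hits.append((p.dst, pending.pop(key), txid))
    return hits


# Constructed sample traffic: two queries, one NXDOMAIN reply, one NOERROR reply.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.53", build_message(0x1A2B, 0x0100, "missing.example.com")),
    Packet("10.0.0.5", "10.0.0.53", build_message(0x1A2C, 0x0100, "www.example.com")),
    Packet("10.0.0.53", "10.0.0.5", build_message(0x1A2B, 0x8183, "missing.example.com")),
    Packet("10.0.0.53", "10.0.0.5", build_message(0x1A2C, 0x8180, "www.example.com")),
]

if __name__ == "__main__":
    print(decode_flags(0x8183))
    for client, name, txid in pair_nxdomain(SAMPLE):
        print(f"{client} asked for {name} (id 0x{txid:04x}): No such name")
```

For a real capture, the custom-column approach from the accepted answer can also be run non-interactively with tshark, e.g. `tshark -r capture.pcap -Y 'dns.flags.response == 1 && dns.flags.rcode == 3' -T fields -e ip.dst -e dns.qry.name`, which lists the client and queried name for every NXDOMAIN response without opening packets one by one.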