This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

addressing one of the DNS answers in response packet

Here is a pcap with a DNS response containing multiple answers. How do we check if the TTL in the second answer is less than 10 seconds?

It seems that all the TTL fields (in all the answers in this packet) are referred to in the display filter as "dns.resp.ttl".

Any ideas? Thanks.

asked 06 Sep '15, 17:05

pktUser1001


One Answer:

When a field, such as dns.resp.ttl, occurs multiple times in a packet, there is no way to use display filters to distinguish individual occurrences of that field.

So the display filter "dns.resp.ttl < 10" will show all packets that have one or more dns.resp.ttl fields with a value less than 10. There is no way in the Wireshark GUI to compare specifically against the dns.resp.ttl field in the second answer.

answered 06 Sep '15, 17:53

Jim Aragon

We we can address it like dns.resp.answers[1].ttl.

(06 Sep '15, 20:08) pktUser1001