This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Test DNS Source Port Randomization

0

I am trying to filter DNS traffic in a capture file based upon ip address and udp source port randomization. I tried multiple filter strings with tshark but have been unable to come up with a solution.

tshark -n -r capture.pcap -T fields -e ip.src -e udp.port|sort -u

asked 26 Oct '15, 08:03

m00p

edited 26 Oct '15, 08:26


One Answer:

1

What about this:

tshark -nr capture.pcap -Y "dns" -T fields -e ip.src -e udp.sport

BTW: What do you mean by "and udp source port randomization"?

Maybe I'm misunderstanding your question. If so, please add more information and probably a small example.

Regards
Kurt

answered 26 Oct '15, 09:54

Kurt Knochner ♦

Kurt,

The filter string worked well with parsing the output. IRT Source Port Randomization, I am checking my DNS traffic to verify queries are using proper security measures. Thanks!

m00p

(26 Oct '15, 12:49) m00p

good!

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(26 Oct '15, 13:00) Kurt Knochner ♦
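
An added example, not part of the original thread and not Wireshark code: a shell function that reads the ip.src / udp.sport pairs printed by the tshark command in the answer and reports, per client, how widely the DNS query source ports are spread. The function names, verdict labels, 90% threshold and 192.0.2.x sample lines are constructed for illustration, and it assumes the capture was narrowed to queries (dns.flags.response == 0) so that replies sent from port 53 are not counted.

```shell
#!/bin/sh
# Added example: per-client spread of DNS query source ports.
# stdin: "ip.src udp.sport" lines, e.g. from
#   tshark -nr capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e udp.sport
# $1: minimum percentage of distinct ports (default 90; illustrative, not a standard).
port_spread() {
    awk -v min_pct="${1:-90}" '
    NF >= 2 && $2 ~ /^[0-9]+$/ {          # skip empty or multi-valued fields
        ip = $1; port = $2 + 0
        n[ip]++
        if (!((ip, port) in seen)) { seen[ip, port] = 1; uniq[ip]++ }
        if (!(ip in lo) || port < lo[ip]) lo[ip] = port
        if (!(ip in hi) || port > hi[ip]) hi[ip] = port
        if ((ip in prev) && port == prev[ip] + 1) seq[ip]++   # previous port + 1
        prev[ip] = port
    }
    END {
        for (ip in n) {
            pct = 100 * uniq[ip] / n[ip]
            if (n[ip] < 2)                     v = "TOO_FEW"
            else if (uniq[ip] == 1)            v = "FIXED_PORT"
            else if (2 * seq[ip] >= n[ip] - 1) v = "SEQUENTIAL"
            else if (pct < min_pct)            v = "LOW_SPREAD"
            else                               v = "OK"
            printf "%s queries=%d unique=%d min=%d max=%d verdict=%s\n",
                   ip, n[ip], uniq[ip], lo[ip], hi[ip], v
        }
    }' | sort
}

# Constructed sample (documentation addresses), interleaved like a real capture.
sample_capture() {
    cat <<'EOF'
192.0.2.10 32768
192.0.2.20 40000
192.0.2.30 51234
192.0.2.10 32768
192.0.2.20 40001
192.0.2.30 33871
192.0.2.10 32768
192.0.2.20 40002
192.0.2.30 60412
192.0.2.10 32768
192.0.2.20 40003
192.0.2.30 45109
192.0.2.30 38220
EOF
}

sample_capture | port_spread
```

A small capture can only show that ports are obviously fixed or sequential; an OK verdict on a handful of queries is not evidence of good randomization.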