Find a tshark command that can print the following:
asked 20 Dec '15, 07:56 pktUser1001 |
One Answer:
I'm afraid the So try answered 20 Dec '15, 09:32 sindy |
Thanks @sindy for the tip, it's almost there. The -e dns.qry.name will catch both the host name in request and reply. Is there a way to skip DNS responses?

Sure there is.

As it seems you don't have a possibility to use GUI Wireshark, all the protocol fields that can be chosen for display using -e as well as for filtering using -Y or -R in tshark (see the difference between -Y and -R here) are listed here.

If you can use a GUI Wireshark, it is much more straightforward (especially if you are not familiar with your protocol of interest) to choose a packet which contains what you need, go to the packet dissection pane, unfold the protocol which you are interested in, and select the lines representing field dissections which seem to you as prospective candidates for being printed using -e or becoming part of the -Y or -R filter conditions. When a line is selected, the field name in a display filter format is displayed in the bottom part of the window frame. On top of that, you can right-click the line and choose e.g. Prepare as filter -> ... or Selected to extend the existing display filter in the required way, without applying the change immediately.

So in case of a DNS query, the packet dissection looks as follows:

    Frame 947: 71 bytes on wire (568 bits), 71 bytes captured (568 bits) on interface 0
    Ethernet II, Src: 1c:3a:51:4c:47:74, Dst: 00:1e:56:71:9a:d3
    Internet Protocol Version 4, Src: 192.168.15.160, Dst: 192.168.15.1
    User Datagram Protocol, Src Port: 50670 (50670), Dst Port: 53 (53)
    Domain Name System (query)
        [Response In: 948]
        Transaction ID: 0x5acf
        Flags: 0x0100 Standard query
            0... .... .... .... = Response: Message is a query
            .000 0... .... .... = Opcode: Standard query (0)
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... .0.. .... = Z: reserved (0)
            .... .... ...0 .... = Non-authenticated data: Unacceptable
        Questions: 1
        Answer RRs: 0
        Authority RRs: 0
        Additional RRs: 0
        ...

You select (i.e. left-click) the line Questions: 1 and in the bottom of the window frame you'll see the field name: dns.count.queries. So you'll modify the -Y part of the tshark filter to

    -Y "(dns.qry.name and dns.count.queries > 0) or http.host"

and you are there. Or you can use dns.flags.response == 0 instead, but purely theoretically there may be a query carrying no question.

Thanks @sindy, I tried

    tshark -r 2015-12-21-threatglass.pcap -T fields -e frame.number -e frame.protocols -e dns.qry.name -e http.host -Y "(dns.qry.name and dns.count.queries > 0) or http.host"

but still see the output contains for both DNS request and DNS query.

Okay, so replace the dns.count.queries > 0 with dns.flags.response == 0. The dns.qry.name in the -Y should be enough to eliminate packets without any queried name, even without dns.count.queries > 0. Just check how a PTR query looks (as I'm not sure whether the IP address you want to resolve into name will be displayed as dns.qry.name). You can generate one using nslookup ip.add.re.ss on Windows or dig -x ip.add.re.ss on Linux.
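As an added example (not code from the thread, from Wireshark or from tshark), the following Python builds three constructed DNS messages, dissects their header and question section into the same field names the thread uses, and evaluates both filter variants discussed above. It shows why "dns.count.queries > 0" does not drop replies: a response echoes the question section, so its dns.count.queries is still 1, whereas the QR bit (the top bit of the flags word, 0x0100 in the dissection above, 0x8180 in the constructed reply) is what separates query from response. It also builds a PTR query so you can see the reversed in-addr.arpa name that ends up in dns.qry.name. The builder and parser functions, the transaction IDs and the answer address are the example's own assumptions.

```python
import struct

def build_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_message(txid, flags, qname, qtype, answer_rdata=None):
    """Build a minimal DNS message with one question and optionally one answer RR."""
    ancount = 1 if answer_rdata is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg = header + build_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if answer_rdata is not None:
        # Answer owner name is a compression pointer to offset 12 (the question name).
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(answer_rdata)) + answer_rdata
    return msg

def parse_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.extend(parse_name(data, ptr)[0].split("."))
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def dissect(data):
    """Extract the header fields and first query name, named like Wireshark's dns.* fields."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    fields = {
        "dns.id": txid,
        "dns.flags": flags,
        "dns.flags.response": (flags >> 15) & 1,   # QR bit: 0 = query, 1 = response
        "dns.count.queries": qdcount,
        "dns.count.answers": ancount,
        "dns.qry.name": None,
    }
    if qdcount > 0:
        fields["dns.qry.name"] = parse_name(data, 12)[0]
    return fields

def matches_count_filter(f):
    """Same test as: dns.qry.name and dns.count.queries > 0"""
    return f["dns.qry.name"] is not None and f["dns.count.queries"] > 0

def matches_response_filter(f):
    """Same test as: dns.qry.name and dns.flags.response == 0"""
    return f["dns.qry.name"] is not None and f["dns.flags.response"] == 0

def ptr_qname(ipv4):
    """The name a PTR query asks for: reversed octets under in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

# Constructed sample messages (assumed values, not taken from the thread's capture).
QUERY = build_message(0x5ACF, 0x0100, "example.com", 1)                      # flags as in the dissection above
RESPONSE = build_message(0x5ACF, 0x8180, "example.com", 1, bytes([192, 0, 2, 10]))  # QR=1, RD=1, RA=1
PTR_QUERY = build_message(0x1234, 0x0100, ptr_qname("192.168.15.1"), 12)    # qtype 12 = PTR

if __name__ == "__main__":
    for label, msg in (("query", QUERY), ("response", RESPONSE), ("ptr query", PTR_QUERY)):
        f = dissect(msg)
        print(f"{label:10} qry.name={str(f['dns.qry.name']):28} "
              f"count.queries={f['dns.count.queries']} flags.response={f['dns.flags.response']} "
              f"count_filter={matches_count_filter(f)} response_filter={matches_response_filter(f)}")
```

Running it prints one line per message; the response passes the count-based filter but fails the QR-based one, which is exactly the behaviour the second tshark run showed and the final comment fixes.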