This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

A question about dns filter dns.resp.ttl

0

I need to do some filtering on DNS response TTL field. However, I am not sure exactly what the following means:

dns.resp.ttl < 100

The problem is that in a DNS response, there could be multiple A records, each with a different IP and possibly a different TTL. So the above expression can potentially mean one of the following:

  • One of the A-records has TTL < 100
  • All the A-records have TTL < 100

The page https://www.wireshark.org/docs/dfref/d/dns.html didn't have enough information. Any ideas?

asked 23 Apr '16, 09:11


pktUser1001
accept rate: 12%


One Answer:

2

The first one. It means "the packet has at least one dns.resp.ttl field with a value less than 100."

answered 23 Apr '16, 10:18


Jim Aragon
accept rate: 24%

Thanks @jim-aragon, sorry for the late reply.

Wonder if there is a way to express "all TTLs < 100". Thanks.

(28 Apr '16, 06:59) pktUser1001

dns.resp.ttl and !(dns.resp.ttl >= 100) should do the job. Means: at least one field dns.resp.ttl is present in the packet and none of the ones present has a value >= 100.

(28 Apr '16, 08:33) sindy
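To make the two semantics concrete, here is an added example that is not part of the original thread and not Wireshark code. It builds a hand-constructed DNS response with several A records (the sample addresses and TTLs are made up), pulls the TTL of every answer-section RR out of the wire format, and then evaluates the two filter meanings discussed above: "at least one TTL < 100" (what `dns.resp.ttl < 100` actually matches, per Jim Aragon's answer) and "field present and no TTL >= 100" (the `dns.resp.ttl and !(dns.resp.ttl >= 100)` idiom from sindy's comment). The parser deliberately reads only the answer section; that is a simplification made for this example.

```python
import struct

def build_dns_response(txid, qname, answers):
    """Constructed sample: minimal DNS response with one A question and one
    A answer per (ipv4, ttl) pair. Answer names use a compression pointer
    (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip, ttl in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs

def _skip_name(buf, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def answer_ttls(msg):
    """TTL of every RR in the answer section, i.e. every occurrence of the
    field Wireshark calls dns.resp.ttl (answer section only in this example)."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                    # skip QTYPE + QCLASS
    ttls = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        _, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return ttls

def matches_any_below(msg, limit):
    """Semantics of `dns.resp.ttl < limit`: true if at least one occurrence
    of the field satisfies the comparison."""
    return any(t < limit for t in answer_ttls(msg))

def matches_all_below(msg, limit):
    """Semantics of `dns.resp.ttl and !(dns.resp.ttl >= limit)`: the field is
    present at least once and no occurrence has a value >= limit."""
    ttls = answer_ttls(msg)
    return bool(ttls) and not any(t >= limit for t in ttls)

# Constructed sample packets (addresses and TTLs are invented for the example).
MIXED = build_dns_response(0x1234, "example.com",
                           [("192.0.2.10", 60), ("192.0.2.11", 300)])
ALL_LOW = build_dns_response(0x1235, "example.com",
                             [("192.0.2.10", 60), ("192.0.2.11", 90)])
NO_ANSWER = build_dns_response(0x1236, "example.com", [])

if __name__ == "__main__":
    for name, pkt in (("MIXED", MIXED), ("ALL_LOW", ALL_LOW), ("NO_ANSWER", NO_ANSWER)):
        print(name, answer_ttls(pkt),
              "any<100:", matches_any_below(pkt, 100),
              "all<100:", matches_all_below(pkt, 100))
```

One practical caveat when using the "all" idiom in Wireshark itself: dns.resp.ttl is also populated for RRs in the authority and additional sections, so the filter constrains every RR TTL in the packet, not only the A records in the answer section; a response whose A records all have short TTLs but which carries a long-lived NS record in the authority section will not match.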