
Hello,

I need to use regular expressions to extract some data from the 'info' field in a psml file for a DNS query response packet. Since I am using regex, I need to know with certainty what the contents of this field might contain, to ensure that the regular expression doesn't match with any text that it shouldn't and return the wrong data. I was wondering whether there exists a guide to the format, or if somebody would be able to explain it to me? Any help would be much appreciated.

Many thanks.

asked 22 Aug '16, 09:32


Lobster


You can find the PSML format here.

You'll need to find which section contains info, and work the packet data with that. Not sure if you could manage with a regexp alone.


answered 22 Aug '16, 11:27


Jaap ♦

Hi Jaap, thanks for the help. Looking at the link, it seems that PSML has a wider use than for Wireshark alone, and I think that the format of the DNS query response info section might be defined by Wireshark. I'm sure there is a specification - i.e. for an A record, the string always seems to take a form similar to:

Standard query response [a hex number] [record type] [domain] (CNAME [canonical domain])+ [record type] [IP Address] ([record type] [IP Address])+

... but I can't find it defined formally anywhere. It's this formal specification that I'm looking for.

(23 Aug '16, 01:46) Lobster

No, there isn't. All you find in the PSML output is a PSML-compliant representation of the columns as configured in Wireshark. Their actual contents are defined by the dissector handling the respective protocols, in this case the DNS dissector. There is no formal format for its output, although it's algorithmically constructed based on the input data. That also means that it may change in future Wireshark releases.

(23 Aug '16, 02:39) Jaap ♦

Ah, that's a pity :( Wireshark's open source, so I suppose that I could probably find the algorithm and deduce a format myself, though it is probably quite complicated.

(23 Aug '16, 08:20) Lobster

Yes, it would, and I think it's the wrong way to go about this. I would suggest using a more detailed output format (PDML for instance) where several fields are individually provided, which you can then (programmatically, e.g. through awk or other tools) combine into the format you desire.

(23 Aug '16, 09:06) Jaap ♦
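The approach Jaap recommends above, as an added example that is not part of this thread and not Wireshark code: instead of regexing the Info column string quoted earlier in the question, read the per-field PDML that `tshark -T pdml` emits and rebuild the summary from named fields. It assumes the Wireshark field names `dns.id`, `dns.flags.response`, `dns.qry.name`, `dns.qry.type`, `dns.resp.name`, `dns.resp.type`, `dns.cname`, `dns.a` and `dns.aaaa`, and that answer RRs are grouped under an unnamed field whose `show` attribute is `Answers`, as current tshark output does. The PDML below is constructed and trimmed to those fields (a real file also carries `geninfo`, `frame`, `ip` and `udp` protos and many more attributes); the second packet is a query, included to show that it is skipped.

```python
"""Extract DNS answer records from tshark PDML rather than parsing the Info column.

Added example (not from the thread). Assumes PDML from
`tshark -r capture.pcap -Y dns -T pdml` and the Wireshark field names
dns.id, dns.flags.response, dns.qry.name, dns.qry.type, dns.resp.name,
dns.resp.type, dns.cname, dns.a and dns.aaaa.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed PDML: one response (CNAME + A) followed by one query.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/2.2.0">
<packet>
  <proto name="dns" showname="Domain Name System (response)" size="53" pos="42">
    <field name="dns.id" showname="Transaction ID: 0x1a2b" size="2" pos="42" show="0x00001a2b" value="1a2b"/>
    <field name="dns.flags" showname="Flags: 0x8180 Standard query response, No error" size="2" pos="44" show="0x00008180" value="8180">
      <field name="dns.flags.response" showname="1... .... .... .... = Response: Message is a response" size="2" pos="44" show="1" value="1"/>
    </field>
    <field name="" show="Queries" size="21" pos="54" value="">
      <field name="" show="www.example.com: type A, class IN" size="21" pos="54" value="">
        <field name="dns.qry.name" showname="Name: www.example.com" size="17" pos="54" show="www.example.com" value=""/>
        <field name="dns.qry.type" showname="Type: A (Host Address) (1)" size="2" pos="71" show="1" value="0001"/>
      </field>
    </field>
    <field name="" show="Answers" size="32" pos="75" value="">
      <field name="" show="www.example.com: type CNAME, class IN, cname example.com" size="16" pos="75" value="">
        <field name="dns.resp.name" showname="Name: www.example.com" size="2" pos="75" show="www.example.com" value="c00c"/>
        <field name="dns.resp.type" showname="Type: CNAME (Canonical NAME for an alias) (5)" size="2" pos="77" show="5" value="0005"/>
        <field name="dns.cname" showname="CNAME: example.com" size="4" pos="87" show="example.com" value="c010"/>
      </field>
      <field name="" show="example.com: type A, class IN, addr 93.184.216.34" size="16" pos="91" value="">
        <field name="dns.resp.name" showname="Name: example.com" size="2" pos="91" show="example.com" value="c010"/>
        <field name="dns.resp.type" showname="Type: A (Host Address) (1)" size="2" pos="93" show="1" value="0001"/>
        <field name="dns.a" showname="Address: 93.184.216.34" size="4" pos="103" show="93.184.216.34" value="5db8d822"/>
      </field>
    </field>
  </proto>
</packet>
<packet>
  <proto name="dns" showname="Domain Name System (query)" size="33" pos="42">
    <field name="dns.id" showname="Transaction ID: 0x1a2b" size="2" pos="42" show="0x00001a2b" value="1a2b"/>
    <field name="dns.flags" showname="Flags: 0x0100 Standard query" size="2" pos="44" show="0x00000100" value="0100">
      <field name="dns.flags.response" showname="0... .... .... .... = Response: Message is a query" size="2" pos="44" show="0" value="0"/>
    </field>
  </proto>
</packet>
</pdml>
"""

RR_TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}  # numeric type -> mnemonic (extend as needed)


def _show(elem, name):
    """'show' attribute of the first descendant <field> with this name, or None."""
    hit = elem.find(f".//field[@name='{name}']")
    return hit.get("show") if hit is not None else None


def _rr_type(shown):
    """Map a dns.resp.type / dns.qry.type 'show' value to a mnemonic; unknown numbers become TYPEnn."""
    try:
        return RR_TYPE_NAMES.get(int(shown), f"TYPE{int(shown)}")
    except ValueError:
        return shown  # some Wireshark versions already show the mnemonic


def _answer_group(dns):
    """The unnamed field with show='Answers' that groups the answer RRs, if any."""
    for grp in dns.findall("field"):
        if grp.get("name") == "" and grp.get("show") == "Answers":
            return grp
    return None


def parse_dns_responses(pdml_text):
    """One dict per DNS response packet: transaction id, query name/type, ordered answers."""
    results = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        dns = packet.find("proto[@name='dns']")
        if dns is None or _show(dns, "dns.flags.response") != "1":
            continue  # not DNS, or a query rather than a response
        answers = []
        grp = _answer_group(dns)
        for rr in (grp.findall("field") if grp is not None else []):
            rtype = _rr_type(_show(rr, "dns.resp.type") or "")
            # rdata sits in a type-specific field; fall back to the RR's summary text otherwise
            rdata = (_show(rr, "dns.cname") or _show(rr, "dns.a")
                     or _show(rr, "dns.aaaa") or rr.get("show"))
            answers.append((_show(rr, "dns.resp.name"), rtype, rdata))
        results.append({
            "id": int(_show(dns, "dns.id") or "0", 16),
            "query": _show(dns, "dns.qry.name"),
            "qtype": _rr_type(_show(dns, "dns.qry.type") or ""),
            "answers": answers,
        })
    return results


def render_summary(rec):
    """Render a record in the shape of the Info column quoted in the question (display only)."""
    parts = [f"Standard query response 0x{rec['id']:04x}", rec["qtype"], rec["query"]]
    for _owner, rtype, rdata in rec["answers"]:
        parts += [rtype, rdata]
    return " ".join(parts)


if __name__ == "__main__":
    for rec in parse_dns_responses(SAMPLE_PDML):
        print(render_summary(rec))
        for owner, rtype, rdata in rec["answers"]:
            print(f"  {owner} {rtype} {rdata}")
```

The structured result (`answers` as `(owner, type, rdata)` tuples) is what a monitoring or enrichment script should consume; `render_summary` only exists to show that the Info-style line can be produced from the fields when a human-readable string is wanted. Because it keys on field names rather than on the dissector's column text, the script keeps working across Wireshark releases that reword the summary, which is exactly the instability Jaap points out.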

That's a good idea - thanks!

(23 Aug '16, 11:34) Lobster