This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Format of info field for DNS packets

0

Hello,

I need to use regular expressions to extract some data from the 'info' field in a psml file for a DNS query response packet. Since I am using regex, I need to know with certainty what the contents of this field might contain, to ensure that the regular expression doesn't match with any text that it shouldn't and return the wrong data. I was wondering whether there exists a guide to the format, or if somebody would be able to explain it to me? Any help would be much appreciated.

Many thanks.

asked 22 Aug '16, 09:32

Lobster
accept rate: 0%


One Answer:

0

You can find the PSML format here.

You'll need to find which section contains info, and work the packet data with that. Not sure if you could manage with a regexp alone.

answered 22 Aug '16, 11:27

Jaap ♦
accept rate: 14%

Hi Jaap, thanks for the help. Looking at the link, it seems that PSML has a wider use than for Wireshark alone, and I think that the format of the DNS query response info section might be defined by Wireshark. I'm sure there is a specification - i.e. for an A record, the string always seems to take a form similar to:

Standard query response [a hex number] [record type] [domain] (CNAME [canonical domain])+ [record type] [IP Address] ([record type] [IP Address])+

... but I can't find it defined formally anywhere. It's this formal specification that I'm looking for.

(23 Aug '16, 01:46) Lobster

No, there isn't. All you find in the PSML output is a PSML-compliant representation of the columns as configured in Wireshark. Their actual contents are defined by the dissector handling the respective protocols, in this case the DNS dissector. There is no formal format for its output, although it's algorithmically constructed based on the input data. That also means that it may change in future Wireshark releases.

(23 Aug '16, 02:39) Jaap ♦

Ah, that's a pity :( Wireshark's open source, so I suppose that I could probably find the algorithm and deduce a format myself, though it is probably quite complicated.

(23 Aug '16, 08:20) Lobster

Yes, it would, and I think it's the wrong way to go about this. I would suggest using a more detailed output format (PDML for instance) where several fields are individually provided, which you can then (programmatically, e.g. through awk or other tools) combine into the format you desire.

(23 Aug '16, 09:06) Jaap ♦

That's a good idea - thanks!

(23 Aug '16, 11:34) Lobster
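The PDML route Jaap suggests, as an added example that is not part of the original thread or of Wireshark: instead of regexing the Info column, parse the per-field PDML that `tshark -T pdml` emits and rebuild whatever summary is needed from the individual DNS fields. The PDML document below is constructed for this example and its names and addresses are hypothetical documentation values; the field names it uses (dns.id, dns.flags.response, dns.qry.name, dns.qry.type, dns.resp.name, dns.resp.type, dns.cname, dns.a) are the DNS dissector's own field names, and the "Queries"/"Answers" grouping mirrors how the dissector nests them. The summary line `info_summary` produces follows the shape Lobster sketched above; it is not a guarantee of what Wireshark's column text looks like.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `tshark -T pdml` output (values are hypothetical):
# packet 1 is a DNS query, packet 2 the matching response with one CNAME and two A
# records. Only the attributes this example reads are kept on each field.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/2.2.0">
  <packet>
    <proto name="dns" showname="Domain Name System (query)">
      <field name="dns.id" show="0x1a2b"/>
      <field name="dns.flags" show="0x0100">
        <field name="dns.flags.response" show="0"/>
      </field>
      <field name="Queries" show="Queries">
        <field name="" showname="www.example.com: type A, class IN">
          <field name="dns.qry.name" show="www.example.com"/>
          <field name="dns.qry.type" show="1"/>
        </field>
      </field>
    </proto>
  </packet>
  <packet>
    <proto name="dns" showname="Domain Name System (response)">
      <field name="dns.id" show="0x1a2b"/>
      <field name="dns.flags" show="0x8180">
        <field name="dns.flags.response" show="1"/>
      </field>
      <field name="Queries" show="Queries">
        <field name="" showname="www.example.com: type A, class IN">
          <field name="dns.qry.name" show="www.example.com"/>
          <field name="dns.qry.type" show="1"/>
        </field>
      </field>
      <field name="Answers" show="Answers">
        <field name="" showname="www.example.com: type CNAME, class IN, cname edge.example.net">
          <field name="dns.resp.name" show="www.example.com"/>
          <field name="dns.resp.type" show="5"/>
          <field name="dns.cname" show="edge.example.net"/>
        </field>
        <field name="" showname="edge.example.net: type A, class IN, addr 192.0.2.10">
          <field name="dns.resp.name" show="edge.example.net"/>
          <field name="dns.resp.type" show="1"/>
          <field name="dns.a" show="192.0.2.10"/>
        </field>
        <field name="" showname="edge.example.net: type A, class IN, addr 192.0.2.11">
          <field name="dns.resp.name" show="edge.example.net"/>
          <field name="dns.resp.type" show="1"/>
          <field name="dns.a" show="192.0.2.11"/>
        </field>
      </field>
    </proto>
  </packet>
</pdml>
"""

# Numeric RR type -> mnemonic, for the record types this example handles.
RR_TYPES = {"1": "A", "5": "CNAME", "28": "AAAA"}


def _records(proto, section_name):
    """Return (type, name, rdata) per RR under the 'Queries' or 'Answers' group."""
    recs = []
    for section in proto.findall("field"):
        if section.get("name") != section_name:
            continue
        for rr in section.findall("field"):
            fields = {f.get("name"): f.get("show") for f in rr.findall("field")}
            code = fields.get("dns.qry.type") or fields.get("dns.resp.type")
            rtype = RR_TYPES.get(code, "TYPE" + str(code))
            name = fields.get("dns.qry.name") or fields.get("dns.resp.name")
            # rdata lives in a type-specific field; take whichever one is present
            rdata = fields.get("dns.cname") or fields.get("dns.a") or fields.get("dns.aaaa")
            recs.append((rtype, name, rdata))
    return recs


def parse_dns_responses(pdml_text):
    """Return one dict per DNS *response* packet; queries are skipped."""
    results = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        for proto in packet.findall("proto"):
            if proto.get("name") != "dns":
                continue
            # First 'show' value of every named field anywhere under this proto.
            shown = {}
            for f in proto.iter("field"):
                if f.get("name") and f.get("name") not in shown:
                    shown[f.get("name")] = f.get("show")
            if shown.get("dns.flags.response") != "1":
                continue
            results.append({
                "id": int(shown["dns.id"], 16),
                "queries": _records(proto, "Queries"),
                "answers": _records(proto, "Answers"),
            })
    return results


def info_summary(resp):
    """Rebuild an Info-like line from parsed fields instead of regexing the column."""
    parts = ["Standard query response", "0x%04x" % resp["id"]]
    for rtype, name, _ in resp["queries"]:
        parts += [rtype, name]
    for rtype, _, rdata in resp["answers"]:
        parts += [rtype, rdata]
    return " ".join(parts)


if __name__ == "__main__":
    for resp in parse_dns_responses(SAMPLE_PDML):
        print(info_summary(resp))
```

Against a real capture the input comes from `tshark -r capture.pcap -Y "dns.flags.response == 1" -T pdml`; when only a handful of fields are needed, `tshark -T fields -e dns.qry.name -e dns.cname -e dns.a` skips the XML entirely and prints them tab-separated. Either way the data is keyed by stable field names rather than by column text that, as Jaap notes, may change between releases.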