This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What’a a display filter that matches DNS queries for a particular host name?

0

Hi,

If I want to filter for DNS queues sent by my machine to ANY DNS server for www.petenetlive.com what is the filter for that? Ive been searching google of 35 minutes. Why is that so hard to find :-/

Pete

asked 22 Sep '16, 07:43

Pete%20Long's gravatar image

Pete Long
11114
accept rate: 0%

edited 22 Sep '16, 12:31

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

One Answer:

1

The filter for that is dns.qry.name == "www.petenetlive.com".

If you take any DNS query packet you happen to find (use just dns as a display filter first), and click through the packet dissection down to the "Name" item inside the "Query", you can right-click the line with the name and choose the Apply as Filter -> Selected option. Then, you would change the name in the display filter field from the original one to "www.petenetlive.com" which you really want.

Why is it hard - because the generic question is "how do I filter for field X of protocol Y" and there are hundreds of protocols with hundreds of fields each. So there is no chance to have a tutorial for each, so finding a packet of the protocol you want and localizing the field of interest inside it is the most efficient way.

answered 22 Sep '16, 08:01

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

Perfect, just what I needed

Regards

Pete

(22 Sep '16, 08:08) Pete Long