This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

dns qry class always nil?

1

hello,

I'm attempting to write a Lua tap to grab DNS info from some pcap files using tshark. I have one problem: every approach I've tried to get the dns.qry.class or dns.resp.class entities returns nil, even on packets that I know are dns packets (dns.qry.name, for example, isn't nil).

Example code:

local class = Field.new('dns.qry.class')
function init_listener()
    local tap = Listener.new("ip")
    function tap.packet(pinfo,buffer, ip)
        if class() == nil then
           debug('class is nil')
        end
    end
end
init_listener()

That bit of code always finds that the qry class is nil. I've tried downloading the nightly build of wireshark also, but that's giving me the same result. Does anyone have hints as to what I'm doing wrong here, or is there a bug in tshark's lua interface?

asked 20 Dec '11, 11:27

gclef's gravatar image

gclef
16112
accept rate: 0%

2 Answers:

0

This is a bug either in the Lua interface or in the DNS dissector [which should probably be reported].

I recreated your symptom using the DNS sample capture. The interesting thing is that Wireshark knows which packets contain dns.qry.class, as indicated by the packet results after entering this field name into the Display Filter Textbox. So, one would think Lua would have the same benefit but apparently not.

For some reason, the same Lua tap can detect dns.qry.class in the mDNS sample capture. To me, this suggests that the mDNS dissector might be doing something necessary for the Lua tap to work properly, and the DNS dissector isn't doing that.

answered 22 Dec '11, 18:05

helloworld's gravatar image

helloworld
3.1k42041
accept rate: 28%

0

It's a deficiency of the field specification in Lua. It uses the display filter string as identification of the field. But there's no guarantee of uniqueness of this string for each individual field.

If you look in the DNS dissector there are two fields using this filter string: hf_dns_qry_class and hf_dns_qry_class_mdns. The Lua script uses the latter, which isn't assigned a representation with your capture. It does get assigned one with the mDNS sample capture.

answered 23 Dec '11, 00:12

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Thanks for this. I will probably file a bug, but, having not dug into the source code that much, I want to make sure I've got the bug wording right. Would this be clear enough: the lua field specification for dns fields should check both the hf_dns_qry_class and hf_dns_qry_class_mdns fields, and use whichever one has a value.

Thanks.

(23 Dec '11, 08:22) gclef

I would phrase the bug as "Lua should handle field names for which there are multiple registered fields"; this problem is NOT DNS-specific (X.25 also has multiple registered fields with the same name, for example, to handle both mod-8 and mod-128 mode).

(23 Dec '11, 11:15) Guy Harris ♦♦

@gclef: Use your own wording referring to Lua, the DNS dissector is irrelevant in itself. Add a reference to this Ask item as an example.

(24 Dec '11, 03:23) Jaap ♦