Wireshark mailing list archives
Re: Question regarding capturing DNS packets with tshark
From: <bbrelin () eircom ie>
Date: Fri, 6 Jul 2012 00:57:13 +0100
Stuart,
Thanks for the response. I changed it to tshark -s 512 -V port 53 udp.
I'm still not getting what I want here... Here's some sample output...
Domain Name System (response)
[Request In: 12]
[Time: 0.000264000 seconds]
Transaction ID: 0xc837
Flags: 0x8080 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0
Authority RRs: 13
Queries
kindleatt1.amazon.com.mnc410.mcc310.gprs: type A, class IN
Name: kindleatt1.amazon.com.mnc410.mcc310.gprs
Type: A (Host address)
Class: IN (0x0001)
Authoritative nameservers
<Root>: type NS, class IN, ns B.ROOT-SERVERS.NET
Name: <Root>
Type: NS (Authoritative name server)
Class: IN (0x0001)
Time to live: 41 days, 16 hours
Data length: 20
Name server: B.ROOT-SERVERS.NET
<Lots more of the Authoritative nameserver records follow>
Finally, I get an "Additional records" section.
Nothing that shows me the actual resolved IP address... There doesn't seem to be an "answer" section.
Thanks,
Braun Brelin
From: Stuart Kendrick [mailto:skendric () fhcrc org]
Sent: 06 July 2012 00:48
To: Community support list for Wireshark
Cc: Brelin, Braun
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets
with tshark
Hi Braun,
I'm guessing that the frame you posted got truncated ... in the DNS frame I'm examining right now, directly after the 'Queries' section, is an 'Answers' section, which contains the IP address.
I don't have a story as to how that would happen though ... had you captured with 'tshark -s 64 -V port 53 udp', then we'd have a story ... but I see no sign of 'slicing' on your tshark command line.
hope this scoots you closer to an answer to your question,
--sk
On 7/5/2012 4:08 PM, bbrelin () eircom ie wrote:
Hi all,
I have a question regarding capturing DNS traffic with tshark.
I do a fairly simple command:
tshark -V port 53 udp
I'm getting output like so:
Domain Name System (response)
[Request In: 1]
[Time: 0.000380000 seconds]
Transaction ID: 0x0954
Flags: 0x8080 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0
Authority RRs: 13
Additional RRs: 1
Queries
blackberry.net.mnc002.mcc505.gprs: type A, class IN
Name: blackberry.net.mnc002.mcc505.gprs
Type: A (Host address)
Class: IN (0x0001)
This is in response to a query about an A record.
My question is: Where is the actual IP address that gets
returned in the DNS response?
Basically, all I want to do is capture DNS queries and their responses and find out exactly what IP address is getting sent back to the client from the server.
Any help appreciated.
Braun Brelin
p.s. if Guy Harris is still on this mailing list, Hi there Guy! :)
***************************************************************
The information contained in this e-mail and any files transmitted with it is confidential and may be subject to legal professional privilege. It is intended solely for the use of the addressee(s).
If you are not the intended recipient of this e-mail, please note that any review, dissemination, disclosure, alteration, printing, copying or transmission of this e-mail and/or any file transmitted with it, is prohibited and may be unlawful.
If you have received this e-mail by mistake, please promptly inform the sender by reply e-mail and delete the material.
Whilst this e-mail message has been swept for the presence of computer viruses, eircom does not, except as required by law, represent, warrant and/or guarantee that the integrity of this communication has been maintained nor that the communication is free of errors, viruses, interception or interference.
eircom Limited. Private Company Limited by Shares. Registered in Dublin. Registration Number 98789. Registered Office - 1 Heuston South Quarter, St. John's Road, Dublin 8.
***************************************************************
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
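Both dissector outputs in this thread say "Answer RRs: 0", so neither packet carries an address: the server replied NOERROR with nothing in the answer section and a list of root name servers in the authority section, which is a referral rather than a resolved answer. The snaplen problem Stuart raises is a different failure mode, and the two are easy to tell apart once the header counts are read. The following Python is an added example, not code from the thread or from Wireshark; it parses a DNS response from the wire (header flags, question, answer and authority sections, including RFC 1035 name compression) and reports which IPv4 addresses the answer section actually contains. The two messages it runs on are constructed here to mirror the shape of the posted packets; the address 192.0.2.10 is a documentation placeholder and all function names are mine.

```python
import struct

def _name(text):
    """Encode a dotted name in uncompressed wire form (helper for constructed data)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in text.split(".") if l)
    return out + b"\x00"

def build_response(tid, flags, qname, answers=(), authority=()):
    """Assemble a DNS response; RRs are (owner_bytes, rtype, ttl, rdata_bytes)."""
    hdr = struct.pack("!HHHHHH", tid, flags, 1, len(answers), len(authority), 0)
    body = _name(qname) + struct.pack("!HH", 1, 1)          # one question: type A, class IN
    for owner, rtype, ttl, rdata in list(answers) + list(authority):
        body += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body

def _read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if off + 1 >= len(msg) or hops > 32:
                raise ValueError("bad compression pointer")
            end = end if end is not None else off + 2   # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            continue
        if length == 0:                            # root label terminates the name
            return ".".join(labels) or "<Root>", (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_response(msg):
    """Parse header, question, answer and authority sections of a DNS message."""
    if len(msg) < 12:
        raise ValueError("header truncated")
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": tid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "counts": {"questions": qd, "answers": an, "authority": ns, "additional": ar},
            "questions": [], "answers": [], "authority": []}
    off = 12
    for _ in range(qd):
        name, off = _read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("question truncated")
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["questions"].append((name, qtype))
    for count, key in ((an, "answers"), (ns, "authority")):
        for _ in range(count):
            name, off = _read_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("RR header truncated")
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlen > len(msg):             # the sliced-frame case Stuart suspected
                raise ValueError("RDATA truncated (was the capture snaplen too small?)")
            rdata = msg[off:off + rdlen]
            if rtype == 1 and rdlen == 4:          # A: four-octet IPv4 address
                value = ".".join(str(b) for b in rdata)
            elif rtype == 2:                       # NS: a name, may use compression
                value, _ = _read_name(msg, off)
            else:
                value = rdata.hex()
            off += rdlen
            info[key].append((name, rtype, ttl, value))
    return info

def resolved_addresses(msg):
    """IPv4 addresses actually returned in the answer section (empty for a referral)."""
    return [v for _, rtype, _, v in parse_response(msg)["answers"] if rtype == 1]

# Constructed messages, not captures from the thread. REFERRAL mirrors the posted packet:
# NOERROR, RD=0, zero answers, a root NS record (TTL 41 days 16 hours) in the authority section.
REFERRAL = build_response(0xC837, 0x8080, "kindleatt1.amazon.com.mnc410.mcc310.gprs",
                          authority=[(b"\x00", 2, 3600000, _name("B.ROOT-SERVERS.NET"))])
# ANSWERED shows a normal recursive answer; 192.0.2.10 is a documentation placeholder and the
# owner name is a compression pointer back to the question name at offset 12.
ANSWERED = build_response(0x0954, 0x8180, "example.com",
                          answers=[(b"\xC0\x0C", 1, 300, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, msg in (("referral", REFERRAL), ("answered", ANSWERED)):
        info = parse_response(msg)
        print(label, info["counts"], "rcode", info["rcode"], "A:", resolved_addresses(msg))
```

Run stand-alone it prints one line per message: the referral has an empty address list even though rcode is 0, while the answered message yields the A record. A message cut short by a small snaplen raises instead of silently returning nothing, which is the distinction to make before blaming the capture. With tshark itself the same three facts can be printed per packet without the verbose dissection: `tshark -T fields -e dns.qry.name -e dns.count.answers -e dns.a udp port 53`.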
Current thread:
- Question regarding capturing DNS packets with tshark bbrelin (Jul 05)
- Re: Question regarding capturing DNS packets with tshark Stuart Kendrick (Jul 05)
- Re: Question regarding capturing DNS packets with tshark bbrelin (Jul 05)
- Re: Question regarding capturing DNS packets with tshark bbrelin (Jul 05)
- Re: Question regarding capturing DNS packets with tshark Maynard, Chris (Jul 05)
- Re: Question regarding capturing DNS packets with tshark bbrelin (Jul 05)
- Re: Question regarding capturing DNS packets with tshark Maynard, Chris (Jul 05)
- Re: Question regarding capturing DNS packets with tshark bbrelin (Jul 05)
- Re: Question regarding capturing DNS packets with tshark Maynard, Chris (Jul 05)
- Re: Question regarding capturing DNS packets with tshark bbrelin (Jul 05)
- Re: Question regarding capturing DNS packets with tshark Martin Visser (Jul 05)
- Re: Question regarding capturing DNS packets with tshark bbrelin (Jul 05)
- Re: Question regarding capturing DNS packets with tshark Stuart Kendrick (Jul 05)
