You can use the -T fields switch and print "dns.qry.name" with tshark.
I've written a blog post to answer your question in better detail here:
http://netresec.com/?b=126C5CB
I hope it helps!
/erik
2012/6/15 nangergong <nangergong@xxxxxxxxx>:
> thanks, this is OK,
> but how to get the query name from a dns request packet with tshark?
> for example, the DNS request frame number is 29
> how to get the query name from this packet?
>
> On Tue, Jun 12, 2012 at 4:31 PM, <Tim.Poth@xxxxxxxxxxx> wrote:
>>
>> Something like this
>>
>> !dns.qry.name eq www.example.com
>>
>>
>>
>> From: wireshark-users-bounces@xxxxxxxxxxxxx
>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of nangergong
>> Sent: Tuesday, June 12, 2012 10:22 AM
>>
>>
>> To: wireshark-users@xxxxxxxxxxxxx
>> Subject: [Wireshark-users] are there any ways to filter specific DNS
>> queries
>>
>>
>>
>> Hi, all:
>>
>>
>>
>> I want to filter out some specific DNS queries. These DNS queries are
>> for some specific domain name or websites, for example www.example.com
>> are there any ways for this filtering? Thanks!
>>
>>
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives: http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
--
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec
