Wireshark-users: Re: [Wireshark-users] Question regardingcapturing DNSpackets withtshark
Date: Fri, 6 Jul 2012 02:16:29 +0100
Still no difference.  
The real question for me is why don't I have an "Answer" section in the DNS response packet.  If the name server couldn't resolve the domain, I'd 
expect to get an NXDOMAIN response, but why wouldn't I see anything at all?  

Braun Brelin


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Maynard, Chris
Sent: 06 July 2012 01:58
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question regardingcapturing DNSpackets withtshark

Can you try it with the -n option?
- Chris
________________________________________
From: [email protected] [[email protected]] On Behalf Of [email protected] [[email protected]]
Sent: Thursday, July 05, 2012 8:47 PM
To: [email protected]; [email protected]
Subject: Re: [Wireshark-users] Question regarding capturing     DNSpackets      withtshark

All I get is data that looks like this:

40     eseye.com.mnc058.mcc234.gprs    <Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>
441     eseye.com.mnc058.mcc234.gprs    <Root>
442     eseye.com.mnc058.mcc234.gprs    <Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>

Basically, the problem seems to be that there is no "answer" section in the DNS response packet.  I don't get how that's possible, given
that my DNS server can manually resolve the IP addresses if I do an nslookup on the server itself.  For example:

# nslookup eseye.com.mnc058.mcc234.gprs
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   eseye.com.mnc058.mcc234.gprs
Address: 195.10.99.228

This is totally confusing.

Braun Brelin


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Maynard, Chris
Sent: 06 July 2012 01:39
To: Community support list for Wireshark; [email protected]
Subject: Re: [Wireshark-users] Question regarding capturing DNSpackets withtshark

Maybe something like this helps?
tshark -f "udp port 53" -T fields -e frame.number -e dns.qry.name -e dns.resp.name -e dns.resp.addr
- Chris


________________________________
From: [email protected] [[email protected]] On Behalf Of [email protected] [[email protected]]
Sent: Thursday, July 05, 2012 8:02 PM
To: [email protected]; [email protected]
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets withtshark

Also, if I do this:

tshark -f "udp port 53"

I get output like:

14.419251  10.180.2.81 -> 10.141.1.160 DNS Standard query response
 14.427052 10.141.1.160 -> 10.180.2.81  DNS Standard query A wap.cingular.mnc410.mcc310.gprs
 14.427236  10.180.2.81 -> 10.141.1.160 DNS Standard query response
 14.427842 10.141.1.160 -> 10.180.2.81  DNS Standard query A m2mdata.mnc033.mcc234.gprs
 14.428024  10.180.2.81 -> 10.141.1.160 DNS Standard query response
 14.435468 10.141.1.160 -> 10.180.2.81  DNS Standard query A wap.cingular.mnc410.mcc310.gprs
 14.435667  10.180.2.81 -> 10.141.1.160 DNS Standard query response
 14.436354 10.141.1.160 -> 10.180.2.81  DNS Standard query A m2mdata.mnc033.mcc234.gprs
 14.436536  10.180.2.81 -> 10.141.1.160 DNS Standard query response
 14.445096 10.141.1.160 -> 10.180.2.81  DNS Standard query A m2mdata.mnc033.mcc234.gprs
 14.445281  10.180.2.81 -> 10.141.1.160 DNS Standard query response
 14.452264 10.141.1.160 -> 10.180.2.81  DNS Standard query A m2mdata.mnc033.mcc234.gprs

Question:  Why doesn't the line containing the "Standard query response" actually print out the response?

Braun Brelin

From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: 06 July 2012 00:57
To: [email protected]; [email protected]
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets withtshark

Stuart,

Thanks for the response.  I changed it to tshark -s 512 -V port 53 udp.  I'm still not getting what I want here... Here's some sample output...

Domain Name System (response)
    [Request In: 12]
    [Time: 0.000264000 seconds]
    Transaction ID: 0xc837
    Flags: 0x8080 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 13
Queries
        kindleatt1.amazon.com.mnc410.mcc310.gprs: type A, class IN
            Name: kindleatt1.amazon.com.mnc410.mcc310.gprs
            Type: A (Host address)
            Class: IN (0x0001)
Authoritative nameservers
        <Root>: type NS, class IN, ns B.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 41 days, 16 hours
            Data length: 20
            Name server: B.ROOT-SERVERS.NET

<Lots more of the Authoritative nameserver records follow>
Finally, I get an "Additional records" section.

Nothing that shows me the actual resolved IP address...There doesn't seem to be an "answer" section.

Thanks,

Braun Brelin



From: Stuart Kendrick [mailto:[email protected]]
Sent: 06 July 2012 00:48
To: Community support list for Wireshark
Cc: Brelin, Braun
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets with tshark

Hi Braun,

I'm guessing that the frame you posted got truncated ... in the DNS frame I'm examining right now, directly after the 'Queries' section, is an 'Answers' section, which contains the IP address

I don't have a story as to how that would happen though ... had you captured with 'tshark -s 64 -V port 53 udp', then we'd have a story ... but I see no sign of 'slicking' on your tshark command line.

hope this scoots you closer to an answer to your question,

--sk
On 7/5/2012 4:08 PM, [email protected]<mailto:[email protected]> wrote:
Hi all,

I'm have a question regarding capturing DNS traffic with tshark.   I do a fairly simple command:

Tshark -V port 53 udp


I'm getting output like so:


Domain Name System (response)
    [Request In: 1]
    [Time: 0.000380000 seconds]
    Transaction ID: 0x0954
    Flags: 0x8080 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 13
    Additional RRs: 1
    Queries
        blackberry.net.mnc002.mcc505.gprs: type A, class IN
            Name: blackberry.net.mnc002.mcc505.gprs
            Type: A (Host address)
            Class: IN (0x0001)



This is in response to a query about an A record.

My question is:  Where is the actual IP address that gets returned in the DNS response?

Basically, all I want to do is capture DNS queries their responses and find out exactly what IP address is getting sent back to the client from the server.

Any help appreciated.


Braun Brelin

p.s. if  Guy Harris is still on this mailing list, Hi there Guy!  :)


--
CONFIDENTIALITY NOTICE: The information contained in this email message is intended only for use of the intended recipient. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately delete it from your system and notify the sender by replying to this email.  Thank you.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:[email protected]?subject=unsubscribe


***************************************************************
The information contained in this e-mail and any files transmitted 
with it is confidential and may be subject to legal professional 
privilege. It is intended solely for the use of the addressee(s). 
If you are not the intended recipient of this e-mail, please note 
that any review, dissemination, disclosure, alteration, printing, 
copying or transmission of this e-mail and/or any file transmitted 
with it, is prohibited and may be unlawful. 
If you have received this e-mail by mistake, please promptly 
inform the sender by reply e-mail and delete the material. 
Whilst this e-mail message has been swept for the presence of 
computer viruses, eircom does not, except as required by law, 
represent, warrant and/or guarantee that the integrity 
of this communication has been maintained nor that 
the communication is free of errors, viruses, interception or 
interference. 

eircom Limited. Private Company Limited by Shares. 
Registered in Dublin. Registration Number 98789.
Registered Office - 1 Heuston South Quarter, St. John’s Road, Dublin 8.

***************************************************************