Extracting DNS queries

There was recently a question on the Wireshark users mailing list about “how to get the query name from a dns request packet with tshark”. This is a problem that many network analysts run into, so I decided to write a blog post instead of just replying to the mailing list.

Note: the pcap file used in this blog post is from the DFRWS 2009 Challenge.

Who queried for a particular domain?

Tshark can easily be used in order to determine who queried for a particular domain, such as google.com, by using the following command:

tshark -r nssal-capture-1.pcap -T fields -e ip.src -e dns.qry.name -R "dns.flags.response eq 0 and dns.qry.name contains google.com" google.com www.google.com id.google.com images.google.com tbn2.google.com tbn0.google.com tbn2.google.com tbn1.google.com tbn3.google.com tbn3.google.com

List all queries

A list of ALL queries can be built with the same command, but without filtering on a particular domain:

tshark -r nssal-capture-1.pcap -T fields -e ip.src -e dns.qry.name -R "dns.flags.response eq 0" fp.ps3.us.playstation.com cmt.us.playstation.com google.com www.google.com www.mardigrasday.com pagead2.googlesyndication.com googleads.g.doubleclick.net www.google-analytics.com mardigrasday.makesparties.com images.scanalert.com a248.e.akamai.net ssl-hints.netflame.cc

DNS lists in NetworkMiner

There is a DNS tab in NetworkMiner, which displays a nice list of all DNS queries and responses in a pcap file. Loading the same nssal-capture-1.pcap into NetworkMiner generates the following list:

DNS tab with nssal-capture-1.pcap loaded

NetworkMiner Professional also has the ability to export this data to a CSV file. The command line tool NetworkMinerCLI can also generate such a CSV file without a GUI, which is perfect if you wanna integrate it in a customized script.

Posted by Erik Hjelmvik on Sunday, 17 June 2012 17:45:00 (UTC/GMT)

Tags: #domain#tshark#pcap

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=126C5CB

X / twitter

NETRESEC on X / Twitter: @netresec


NETRESEC on Mastodon: @netresec@infosec.exchange