There was recently a question on the Wireshark users mailing list about “how to get the query name from a dns request packet with tshark”. This is a problem that many network analysts run into, so I decided to write a blog post instead of just replying to the mailing list.
Note: the pcap file used in this blog post is from the DFRWS 2009 Challenge.
Who queried for a particular domain?
Tshark can easily be used to determine who queried for a particular domain, such as google.com, with the following command:
tshark -r nssal-capture-1.pcap -T fields -e ip.src -e dns.qry.name -R "dns.flags.response eq 0 and dns.qry.name contains google.com"
Two caveats are worth knowing. The contains operator is a plain substring test, so this filter also matches names such as notgoogle.com or google.com.example.net; when only the domain itself is wanted, use an exact comparison (dns.qry.name == "google.com"), and when its subdomains should be included as well, use an anchored regular expression with the matches operator instead. Also, in tshark 1.10 and later the display filter is given with -Y; -R is now a two-pass read filter that must be combined with -2, so replace -R with -Y on current versions.
List all queries
A list of ALL queries can be built with the same command, but without filtering on a particular domain:
tshark -r nssal-capture-1.pcap -T fields -e ip.src -e dns.qry.name -R "dns.flags.response eq 0"
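As an added illustration (not part of the original post, and not from the Wireshark or NetworkMiner projects), the following Python reproduces both tshark commands above on a pcap file, which is handy for checking the extraction or scripting it where tshark is not installed. It parses the Ethernet/IPv4/UDP/DNS headers itself, keeps only packets whose QR bit is clear (the dns.flags.response eq 0 filter), and offers both a substring match with the same semantics as tshark's contains operator and a stricter domain-or-subdomain match. The sample traffic produced by build_sample_pcap(), and every address and name in it, is constructed for this example and stands in for nssal-capture-1.pcap, which is not included.

```python
import socket
import struct

DNS_PORT = 53

def _encode_name(name):
    """Encode a host name as length-prefixed DNS labels ending in a zero byte (RFC 1035)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_dns_frame(src_ip, dst_ip, qname, txid, response=False):
    """Constructed Ethernet/IPv4/UDP/DNS frame with one question; checksums left at zero."""
    flags = 0x8180 if response else 0x0100          # bit 0x8000 is QR (dns.flags.response)
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + _encode_name(qname) + struct.pack("!HH", 1, 1)
    sport, dport = (DNS_PORT, 40000) if response else (40000, DNS_PORT)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip   # dst MAC, src MAC, IPv4

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian libpcap file (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1245000000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(pcap):
    """Yield link-layer frames from a classic pcap file of either byte order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len

def _read_name(msg, offset):
    """Decode a DNS name, following compression pointers (RFC 1035 section 4.1.4)."""
    labels, jumps = [], 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if jumps > 32:                             # refuse pointer loops
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumps += 1
            continue
        offset += 1
        if length == 0:
            return ".".join(labels)
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length

def parse_dns_query(frame):
    """(src_ip, qname) if frame is a DNS query over UDP/IPv4, else None.
    Mirrors  -e ip.src -e dns.qry.name  under the filter  dns.flags.response eq 0."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + 20:     # IPv4, UDP, room for headers
        return None
    udp = ip[ihl:]
    if DNS_PORT not in struct.unpack("!HH", udp[:4]):
        return None
    flags, qdcount = struct.unpack("!HH", udp[10:14])
    if flags & 0x8000 or qdcount == 0:                 # a response, or nothing asked
        return None
    try:
        return socket.inet_ntoa(ip[12:16]), _read_name(udp[8:], 12)
    except IndexError:                                 # truncated question section
        return None

def list_queries(pcap):
    """Every query in the file: the second tshark command."""
    return [q for q in map(parse_dns_query, iter_frames(pcap)) if q]

def queries_containing(pcap, needle):
    """tshark's  dns.qry.name contains "needle"  is a plain substring test."""
    return [(s, n) for s, n in list_queries(pcap) if needle in n]

def queries_for_domain(pcap, domain):
    """Only the domain itself and its subdomains, which is usually what is meant."""
    domain = domain.lower().rstrip(".")
    return [(s, n) for s, n in list_queries(pcap)
            if n.lower() == domain or n.lower().endswith("." + domain)]

def build_sample_pcap():
    """Constructed sample traffic standing in for nssal-capture-1.pcap."""
    gw = "192.168.1.1"
    return build_pcap([
        build_dns_frame("192.168.1.10", gw, "www.google.com", 0x1001),
        build_dns_frame(gw, "192.168.1.10", "www.google.com", 0x1001, response=True),
        build_dns_frame("192.168.1.11", gw, "mail.google.com", 0x1002),
        build_dns_frame("192.168.1.12", gw, "google.com.evil.example", 0x1003),
        build_dns_frame("192.168.1.13", gw, "notgoogle.com", 0x1004),
    ])
```

Running list_queries(open("nssal-capture-1.pcap", "rb").read()) gives the same (source, name) pairs as the second tshark one-liner; queries_containing(..., "google.com") matches the first one-liner, including the two look-alike names in the sample, while queries_for_domain(..., "google.com") keeps only www.google.com and mail.google.com. The response frame is dropped by the QR bit check, and the compression-pointer loop guard is there because a capture from an untrusted network can contain deliberately malformed DNS.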
DNS lists in NetworkMiner
There is a DNS tab in NetworkMiner, which displays a nice list of all DNS queries and responses in a pcap file. Loading the same nssal-capture-1.pcap into NetworkMiner generates the following list:
[Screenshot: DNS tab with nssal-capture-1.pcap loaded]
NetworkMiner Professional can also export this list to a CSV file. The command line tool NetworkMinerCLI generates the same CSV file without a GUI, which is perfect if you want to integrate it into a custom script.
Posted by Erik Hjelmvik on Sunday, 17 June 2012 17:45:00 (UTC/GMT)