Ethereal-users: Re: [Ethereal-users] Re: Absolute beginner's question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Sat, 25 Jan 2003 16:52:19 +0100
That's it. Thanks for your time Martin. 


On 24 Jan 2003 at 22:38, Martin Regner wrote:

> Activeco wrote:
> > > Actually I needed a tool for only one task: to catch the NXDomain 
> > > requests (non existing domain names) from (part of) Internet, so I 
> 
> >I have managed to enter the filter (dns.flags.response) and I see all 
> >the DN requests 
> >and responses, but my intention is to see only the requests which 
> >return "No such 
> >name" responses.
> >Is there any way I could achieve that?
> 
> One of the easiest ways to create a display filter can be to use the Display/Prepare menu item, when you have a capture with similar data that you want to search for.
> This method is not always resulting in a good Display filter, but often.
> 
> I captured a DNS reply packet by making a ping to a  (see packet below) and then I selected the row with the reply code :
>         .... .... .... 0011 = Reply code: No such name (3)
> and then I used the Display/Prepare/Selected menu item and then I got the following display filter:
> dns.flags.rcode == 3
> 
> That filter you could use to search for DNS packets with Reply code 3 (No such name).
> 
> Other methods could be to use the Edit/Display Filter.../Add Expression.../DNS  dialog box
> and/or using the SID and some description of the DNS protocol.
> http://www.ethereal.com/docs/user-guide/siddomainnameservice.html
> 
> http://www.networksorcery.com/enp/protocol/dns.htm
> 
> 
> Domain Name System (response)
>     Transaction ID: 0x0001
>     Flags: 0x8583 (Standard query response, No such name)
>         1... .... .... .... = Response: Message is a response
>         .000 0... .... .... = Opcode: Standard query (0)
>         .... .1.. .... .... = Authoritative: Server is an authority for domain
>         .... ..0. .... .... = Truncated: Message is not truncated
>         .... ...1 .... .... = Recursion desired: Do query recursively
>         .... .... 1... .... = Recursion available: Server can do recursive queries
>         .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
>         .... .... .... 0011 = Reply code: No such name (3)
>     Questions: 1
>     Answer RRs: 0
>     Authority RRs: 1
>     Additional RRs: 0
>     Queries
>         texxxxxx.se: type A, class inet
>             Name: texxxxxx.se
>             Type: Host address
>             Class: inet
>     Authoritative nameservers
>         se: type SOA, class inet, mname catcher-in-the-rye.nic-se.se
>             Name: se
>             Type: Start of zone of authority
>             Class: inet
>             Time to live: 1 day
>             Data length: 59
>             Primary name server: catcher-in-the-rye.nic-se.se
>             Responsible authority's mailbox: registry.nic-se.se
>             Serial number: 2003000000
>             Refresh interval: 2 hours
>             Retry interval: 1 hour
>             Expiration limit: 28 days
>             Minimum TTL: 1 day
> 
> 
>
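
Added example, not part of the original thread or of Ethereal's code: a Python sketch of what the filter dns.flags.rcode == 3 tests, decoding the flags word 0x8583 from the dissection above and listing the queried names of "No such name" responses. The sample messages are constructed (the authority record bytes are left out), the extra check on the response bit is an assumption added here, and all function names are hypothetical.

```python
import struct

# Bit masks for the 16-bit flags word, as laid out in the dissection quoted above.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
OPCODE_MASK, RCODE_MASK = 0x7800, 0x000F
NXDOMAIN = 3  # Reply code "No such name"

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (six big-endian 16-bit fields)."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": txid, "response": bool(flags & QR),
            "opcode": (flags & OPCODE_MASK) >> 11,
            "authoritative": bool(flags & AA), "truncated": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "counts": (qd, an, ns, ar)}

def read_qname(msg: bytes, offset: int = 12) -> str:
    """Read the first question name, stored as length-prefixed labels."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[offset]
        if n == 0:
            return ".".join(labels)
        if n & 0xC0:  # compression pointers are not followed in this sketch
            raise ValueError("unexpected compression pointer in question")
        if offset + 1 + n > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii", "replace"))
        offset += 1 + n

def nxdomain_names(messages):
    """Queried names of responses with rcode 3 (cf. dns.flags.rcode == 3)."""
    return [read_qname(m) for m in messages
            if (h := parse_header(m))["response"]
            and h["rcode"] == NXDOMAIN and h["counts"][0] >= 1]

def build(flags, name, ns=0):
    """Constructed sample: header plus one type A / class IN question."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", 1, flags, 1, 0, ns, 0) + q + struct.pack("!2H", 1, 1)

QUERY = build(0x0100, "texxxxxx.se")           # constructed query, rcode 0
RESPONSE = build(0x8583, "texxxxxx.se", ns=1)  # flags word from the quoted packet

if __name__ == "__main__":
    print(parse_header(RESPONSE))
    print(nxdomain_names([QUERY, RESPONSE]))
```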