Wireshark-users: Re: [Wireshark-users] Filter for DNS tcp flags?

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Thu, 9 Apr 2009 22:39:09 +0200
And as of SVN-28006 (which will be included in 1.2.x and 1.1.4+), you can right click on a field and copy its field name to the clipboard (or use CTRL-SHIFT-F) :-)

Cheers,
      Sake

----- Original Message ----- From: "Bill Meier" <wmeier@xxxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Thursday, April 09, 2009 8:43 PM
Subject: Re: [Wireshark-users] Filter for DNS tcp flags?


Also: For future reference:

You can determine the "filter name" of any particular field by clicking
on the field in the Packet Details window and then looking on the
left-hand side of the status bar (at the bottom) to see the field name.

EG: for a frame with a DNS "no such name" reply, expand the Flags field
within the DNS payload, then click on the 'Reply Code' line to see the
name of the field at the bottom of the screen.

In addition you can right-click on the field and then select 'Apply as
Filter --> Selected' to filter for that value in that field.

Jaap Keuter wrote:
Hi,

You're confused. It's dns.flags what you're looking for.
In fact "dns.flags.rcode == 3" is what you want to use as display filter.

Thanx,
Jaap




Scott Baker wrote:
> > I want to filter out all DNS queries that fail with a "no such name"
> > response. As far as I can tell that's tcp flag 0x8583, but I don't
> > know how to filter for that. The docs say tcp.flags is an 8 bit field,
> > so it can't be 0x8583. How do I filter DNS for specific flags?
> >
> > - Scott
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
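The value Scott saw, 0x8583, is not a TCP flag at all but the 16-bit DNS header flags word (RFC 1035 section 4.1.1), and the low four bits of it are the RCODE that Jaap's filter tests. The following is an added example, not code from the thread or from Wireshark, that splits that word into the same sub-fields Wireshark shows under Flags, parses a few constructed DNS headers, and picks out the ones a filter like "dns.flags.rcode == 3" would select. The dictionary keys are assumed to match Wireshark's dns.flags.* names; check them with the status-bar trick Bill describes before relying on them.

```python
import struct

# RCODE values from RFC 1035 s4.1.1 (plus a few later ones)
RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain",
               4: "NotImp", 5: "Refused"}


def decode_dns_flags(flags):
    """Split the 16-bit DNS header flags word into its sub-fields.

    Keys are assumed to mirror the Wireshark display-filter names
    dns.flags.<key>; this is not taken from the Wireshark source.
    """
    return {
        "response":      (flags >> 15) & 0x1,   # QR: 0 = query, 1 = response
        "opcode":        (flags >> 11) & 0xF,   # OPCODE: 0 = standard query
        "authoritative": (flags >> 10) & 0x1,   # AA
        "truncated":     (flags >> 9)  & 0x1,   # TC
        "recdesired":    (flags >> 8)  & 0x1,   # RD
        "recavail":      (flags >> 7)  & 0x1,   # RA
        "z":             (flags >> 6)  & 0x1,   # reserved, must be zero
        "authenticated": (flags >> 5)  & 0x1,   # AD (RFC 2535)
        "checkdisable":  (flags >> 4)  & 0x1,   # CD (RFC 2535)
        "rcode":         flags & 0xF,           # RCODE: 3 = NXDomain
    }


def parse_dns_header(payload):
    """Parse the fixed 12-byte DNS header at the start of a UDP payload."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, **decode_dns_flags(flags)}


def build_dns_header(txid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Constructed test data: a bare DNS header with the given flags word."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def match_rcode(payloads, rcode=3):
    """Return the transaction IDs of the messages a display filter such as
    'dns.flags.rcode == 3' would select."""
    return [h["id"] for h in map(parse_dns_header, payloads) if h["rcode"] == rcode]


# Constructed sample traffic: two queries, one NoError reply, and a reply
# carrying the 0x8583 flags word from the original question.
SAMPLE = [
    build_dns_header(0x1234, 0x0100),              # standard query, RD set
    build_dns_header(0x1234, 0x8180, ancount=1),   # response, RD+RA, NoError
    build_dns_header(0x5678, 0x0100),              # standard query, RD set
    build_dns_header(0x5678, 0x8583, nscount=1),   # response, AA+RD+RA, NXDomain
]

if __name__ == "__main__":
    for p in SAMPLE:
        h = parse_dns_header(p)
        print(f"id=0x{h['id']:04x} flags=0x{h['flags']:04x} "
              f"response={h['response']} aa={h['authoritative']} "
              f"rd={h['recdesired']} ra={h['recavail']} "
              f"rcode={h['rcode']} ({RCODE_NAMES.get(h['rcode'], '?')})")
    print("NXDomain transaction IDs:", [hex(i) for i in match_rcode(SAMPLE)])
```

Decoding 0x8583 this way gives QR=1, AA=1, RD=1, RA=1 and RCODE=3, i.e. an authoritative "no such name" answer, which is exactly the packet "dns.flags.rcode == 3" matches in the GUI or with tshark's -Y option. Note that a server under load can also return NXDomain for a name that exists (SERVFAIL would be rcode 2), so when hunting for DNS tunnelling or typo-squatting noise it is worth pairing the rcode filter with the query name field rather than counting rcode 3 alone.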