Hi. I love the functionality that wireshark gives me. I am trying to
log DNS transactions. The standard text display gives me most of what I
want. For example:
[root@myserv~]# tshark -tad port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
2011-07-20 09:46:46.971987 152.75.52.18 -> 152.75.73.251 DNS Standard query A www.yahoo.com
2011-07-20 09:46:46.972226 152.75.73.251 -> 152.75.52.18 DNS Standard query response CNAME fp.wg1.b.yahoo.com CNAME any-fp.wa1.b.yahoo.com A 69.147.125.65 A 67.195.160.76
However, I want to somehow capture queries and responses into a database
and need a way to associate the query and response data. In the
above example I get a CNAME result but need to also record the fact the
original request was for 'www.yahoo.com'. I believe that the "dns.id" field
would allow me to associate the query and response. Is there an easy
way to modify the standard output to append this single field or do I
have to write an extremely complicated fields directive to create the
standard output with the additional field?
Thanks for your help!
-- Eric --
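The pairing described above, as an added example that is not part of the original post: it assumes tshark is run with `-T fields` (the invocation is given in the docstring and is an assumption, not something the post shows) and correlates each response with its query. The key is not `dns.id` alone: the ID is a 16-bit value that different clients reuse, so the example keys on (dns.id, client, server) and keeps unmatched queries separate. The sample lines are constructed to mirror the post's yahoo.com exchange plus a third query that shares the same ID from another client.

```python
"""Correlate DNS queries with their responses from tshark field output.

Added example, not from the original post. It assumes tshark was run as
(assumed invocation, one packet per output line, fields separated by '|',
multi-valued fields joined with ','):

  tshark -i eth0 -t ad -l port 53 -T fields \
      -E separator='|' -E occurrence=a -E aggregator=',' \
      -e frame.time -e ip.src -e ip.dst -e dns.id -e dns.flags.response \
      -e dns.qry.name -e dns.cname -e dns.a
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample output in the format the assumed invocation produces.
# Line 3 reuses dns.id 0x1a2b from a different client and must NOT be paired
# with the response on line 2.
SAMPLE_LINES = """\
Jul 20, 2011 09:46:46.971987000|152.75.52.18|152.75.73.251|0x1a2b|0|www.yahoo.com||
Jul 20, 2011 09:46:46.972226000|152.75.73.251|152.75.52.18|0x1a2b|1|www.yahoo.com|fp.wg1.b.yahoo.com,any-fp.wa1.b.yahoo.com|69.147.125.65,67.195.160.76
Jul 20, 2011 09:46:47.100000000|152.75.52.19|152.75.73.251|0x1a2b|0|example.net||
""".splitlines()


@dataclass
class Query:
    time: str
    client: str
    server: str
    dns_id: str
    name: str


@dataclass
class Transaction:
    query: Query
    response_time: str
    cnames: List[str]
    answers: List[str]


def _split_multi(value: str) -> List[str]:
    """Split a ','-aggregated tshark field; empty field -> empty list."""
    return [v for v in value.split(",") if v]


def parse_line(line: str) -> Optional[tuple]:
    """Parse one '|'-separated line into typed fields; None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 8:
        return None
    time, src, dst, dns_id, resp, qname, cnames, answers = parts
    # Older tshark prints booleans as 0/1, newer releases as False/True.
    is_response = resp in ("1", "True")
    return time, src, dst, dns_id, is_response, qname, _split_multi(cnames), _split_multi(answers)


def correlate(lines) -> Tuple[List[Transaction], List[Query]]:
    """Pair responses with queries keyed on (dns.id, client, server).

    Returns (completed transactions, queries still unanswered).
    """
    pending: Dict[Tuple[str, str, str], Query] = {}
    done: List[Transaction] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        time, src, dst, dns_id, is_response, qname, cnames, answers = rec
        if not is_response:
            # Query: client is the source, server the destination.
            pending[(dns_id, src, dst)] = Query(time, src, dst, dns_id, qname)
        else:
            # Response: directions are reversed relative to the query.
            query = pending.pop((dns_id, dst, src), None)
            if query is None:
                continue  # no matching query seen (late, duplicate or unsolicited)
            done.append(Transaction(query, time, cnames, answers))
    return done, list(pending.values())


def to_rows(transactions: List[Transaction]) -> List[dict]:
    """Flatten transactions into dicts ready for a parameterised DB insert."""
    return [
        {
            "dns_id": t.query.dns_id,
            "client": t.query.client,
            "server": t.query.server,
            "query_time": t.query.time,
            "response_time": t.response_time,
            "query_name": t.query.name,        # the original name, kept alongside the CNAMEs
            "cnames": ",".join(t.cnames),
            "answers": ",".join(t.answers),
        }
        for t in transactions
    ]


if __name__ == "__main__":
    # Pipe live tshark output in with '-', or run with no args on the sample.
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_LINES
    completed, unanswered = correlate(source)
    for row in to_rows(completed):
        print(row)
    for q in unanswered:
        print("unanswered:", q)
```

Because `correlate` consumes an iterable of lines, it works the same on a file, on the constructed sample, or on `tshark -l ... | python3 dnslog.py -` (the `-l` flag flushes each line so the pipeline does not wait for a buffer to fill).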