On Wed, 20 Jul 2011 09:52:42 -0400, Eric Howard wrote:
Hi. I love the functionality that wireshark gives me. I am trying to
log DNS transactions. The stand text display gives me most of what I
want. For example:
[root@myserv~]# tshark -tad port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
2011-07-20 09:46:46.971987 152.75.52.18 -> 152.75.73.251 DNS Standard
query A www.yahoo.com [1]
2011-07-20 09:46:46.972226 152.75.73.251 -> 152.75.52.18 DNS Standard
query response CNAME fp.wg1.b.yahoo.com CNAME any-fp.wa1.b.yahoo.com
A
69.147.125.65 A 67.195.160.76
However, I want to somehow capture queries and responses into a
database
base and need a way to associate the query and response data. In the
above example I get a CNAME result but need to also record the fact
the
original request was for 'www.yahoo.com [2]' I believe that "dns.id"
field
would allow me to associate the query and response. Is there an easy
way to modify the standard output to append this single field or do I
have to write an extremely complicated fields directive to create the
standard output with the additional field?
Thanks for your help!
-- Eric --
Hi,
Have a look at custom columns. You can show there (almost) anything.
Thanks,
Jaap