Hi all,
I have a question regarding capturing DNS traffic with tshark. I do a fairly simple command:
tshark -V udp port 53
I’m getting output like so:
Domain Name System (response)
[Request In: 1]
[Time: 0.000380000 seconds]
Transaction ID: 0x0954
Flags: 0x8080 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0
Authority RRs: 13
Additional RRs: 1
Queries
blackberry.net.mnc002.mcc505.gprs: type A, class IN
Name: blackberry.net.mnc002.mcc505.gprs
Type: A (Host address)
Class: IN (0x0001)
This is in response to a query about an A record.
My question is: where is the actual IP address that gets returned in the DNS response?
Basically, all I want to do is capture DNS queries and their responses and find out exactly what IP address is getting sent back to the client from the server.
Any help appreciated.
Braun Brelin
P.S. If Guy Harris is still on this mailing list, hi there Guy! :)
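Added example, not part of the original post: a minimal parser for the DNS wire format (RFC 1035) that shows which section of a response carries the address. The IP address for a queried name is returned as a type A resource record in the Answer section; a response like the one pasted above, with Answer RRs: 0, carries no address for the queried name, and any A record in its Additional section is glue for the listed nameservers rather than the answer. The two messages below are constructed sample packets; the names and addresses in them (ns1.example.net, www.example.com, 192.0.2.x) are placeholders and are not taken from the poster's capture.

```python
import ipaddress
import struct

# Added example, not from the original post: a minimal DNS wire-format parser
# used to show which section of a response carries the A-record address.


def _encode_name(name):
    """Encode a dotted name as DNS labels; '' is the root name (a single zero byte)."""
    if name == "":
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def _read_rr(msg, off):
    """Decode one resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    name, off = _read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen


def parse_dns(msg):
    """Parse the header, the question section and the three RR sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    out = {"id": txid, "flags": flags, "rcode": flags & 0xF, "questions": questions}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            rrs.append(rr)
        out[key] = rrs
    return out


def a_records_by_section(msg):
    """IPv4 addresses from type A / class IN records, keyed by the section they sit in."""
    parsed = parse_dns(msg)
    return {
        sect: [str(ipaddress.IPv4Address(rr["rdata"]))
               for rr in parsed[sect]
               if rr["type"] == 1 and rr["class"] == 1 and len(rr["rdata"]) == 4]
        for sect in ("answer", "authority", "additional")
    }


def build_response(txid, flags, qname, answer=(), authority=(), additional=()):
    """Build a response with one A/IN question; RRs are (name, type, ttl, rdata) tuples."""
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answer), len(authority), len(additional))
    body = _encode_name(qname) + struct.pack("!HH", 1, 1)
    for section in (answer, authority, additional):
        for name, rtype, ttl, rdata in section:
            body += _encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body


# Constructed sample 1: shaped like the pasted response (flags 0x8080, Answer RRs: 0),
# a referral whose only A record is glue in the Additional section (placeholder names).
REFERRAL = build_response(
    0x0954, 0x8080, "blackberry.net.mnc002.mcc505.gprs",
    authority=[("", 2, 3600, _encode_name("ns1.example.net"))],       # NS record for the root
    additional=[("ns1.example.net", 1, 3600, bytes([192, 0, 2, 1]))],  # glue A record
)

# Constructed sample 2: an ordinary answer carrying the address in the Answer section.
ANSWERED = build_response(
    0x1234, 0x8180, "www.example.com",
    answer=[("www.example.com", 1, 300, bytes([192, 0, 2, 10]))],
)

if __name__ == "__main__":
    for label, msg in (("referral", REFERRAL), ("answered", ANSWERED)):
        p = parse_dns(msg)
        print(label, hex(p["flags"]), "rcode", p["rcode"], a_records_by_section(msg))
```

Running it prints an empty Answer list for the referral-shaped message and the address under "answer" for the ordinary one. In tshark's -V tree the same section appears as "Answers" under "Domain Name System (response)", and `tshark -T fields -e dns.qry.name -e dns.a udp port 53` prints only the query name and the A addresses, which is the quickest way to see which responses actually carry one.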