Wireshark-users: Re: [Wireshark-users] Display filter help need. how to do these filters? DNS /L2

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 20 Feb 2014 14:56:34 -0800
On Feb 20, 2014, at 2:28 PM, Jim Aragon <Jim@xxxxxxxxxxxxxxxxx> wrote:

> On 2/20/2014 2:10 PM, false wrote:
> 
>> Can someone provide an example please on how to do these filters
>> (display and/or capture)?
>> 
>> 1) DNS filter to see how all UNANSWERED queries. ??
> 
> Display filter: (dns.flags.response == 0) && !(dns.response_in)

Note that this requires that TShark be run in two-pass mode; in one-pass mode, it doesn't know, at the time the request is dissected, whether there's a response or not.

> Capture filter: I don't think you can do this with a capture filter.

You can't.  Capture filters maintain no state that persists from packet to packet, and the only way to match request packets that have no replies is to keep state of that sort (and it'd be even harder for capture filters, as you would have to delay the check for "unanswered" until a sufficient timeout to conclude that no answer is forthcoming).