Clarification: when I said !(dns.flags.rcode == 0) works, I mean
the filter is working but not giving me what I am looking for.
I want to list only NXRRSET packets.
On 3/29/2017 1:54 PM, Abdul Khader wrote:
Hi,
Yes the filter !(dns.flags.rcode == 0) works.
I have a domain, for example abc.com.
I have an A record for abc.com but NO SRV record.
If a client queries for the SRV record for abc.com, it should result
in NXRRSET?
I have a lot of such queries for the SRV record, so I feel I should see
NXRRSET in my Wireshark for all those queries.
Regards
Abdul Khader
On 3/29/2017 1:44 PM, Jaap Keuter wrote:
Hi,
OK, so you’re using an up-to-date Wireshark version, that’s
good.
How about filtering out all ‘problems’, using:
!(dns.flags.rcode == 0)
Does anything show up? Does it give you a clue? Why are you
convinced NXRRSET should be present?
Thanks,
Jaap
On 29 Mar 2017, at 11:35, Abdul Khader <akhader@xxxxxxxxxxxxxxx> wrote:
Hi,
I am using Version 2.2.5 (v2.2.5-0-g440fd4d).
dns.flags.rcode == 8 does not work. It's not giving any
results.
Regards
On 3/29/2017 1:32 PM, Jaap Keuter wrote:
Hi,
According to RFC 6895 that value (8) is used as RCODE for
NXRRSET, so the filter
dns.flags.rcode == 8
should be fine. What Wireshark version are you using?
Thanks,
Jaap
On 29 Mar 2017, at 10:23, Abdul Khader <akhader@xxxxxxxxxxxxxxx> wrote:
Dear All,
Any Wireshark filter which would give me NXRRSET and does
not include NXDOMAIN?
To get NXDOMAIN, we can use dns.flags.rcode == 3
But how do we get NXRRSET?
dns.flags.rcode == 8 or dns.flags.rcode == 0x8 does not
work.
___________________________________________________________________________
Sent via: Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe:
https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
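Added example, not part of the original thread: RCODE 8 (NXRRSET) is defined by RFC 2136 for dynamic UPDATE responses, while a standard query for a record type that is absent at an existing name is normally answered with RCODE 0 and an empty answer section (NODATA, RFC 2308). The classifier below separates the three cases from the DNS header alone; the function names and the sample messages are constructed for illustration.

```python
import struct

# RCODE 3 and 8 are the values quoted in the thread; 0 means no error.
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 8: "NXRRSET"}
OPCODE_QUERY, OPCODE_UPDATE = 0, 5

def classify(msg: bytes) -> str:
    """Classify a raw DNS response (UDP payload) from its 12-byte header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    # Third count is ANCOUNT in a query response, PRCOUNT in an UPDATE.
    _id, flags, _c1, count2, _c3, _c4 = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                 # QR bit clear: this is a request
        return "not a response"
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    name = RCODES.get(rcode, f"RCODE{rcode}")
    if opcode == OPCODE_UPDATE:            # where NXRRSET is defined
        return "UPDATE/" + name
    if opcode != OPCODE_QUERY:
        return f"OPCODE{opcode}/" + name
    if rcode == 0 and count2 == 0:
        # No error but no answers: the name exists without the asked type.
        # Referrals also look like this; telling them apart needs the
        # authority section, which this header-only check does not parse.
        return "NODATA"
    return name

def sample(flags: int, ancount: int = 0) -> bytes:
    """Constructed message: header plus one question (abc.com, SRV, IN)."""
    question = b"\x03abc\x03com\x00" + struct.pack("!2H", 33, 1)
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0) + question

# Constructed samples (only the header fields matter to classify()).
NODATA_SRV = sample(0x8180)       # response, opcode QUERY, rcode 0, no answers
NXDOMAIN = sample(0x8183)         # response, opcode QUERY, rcode 3
UPDATE_NXRRSET = sample(0xA808)   # response, opcode UPDATE, rcode 8

if __name__ == "__main__":
    for label, msg in [("SRV query, A-only name", NODATA_SRV),
                       ("unknown name", NXDOMAIN),
                       ("failed UPDATE prerequisite", UPDATE_NXRRSET)]:
        print(f"{label}: {classify(msg)}")
```

The same empty-answer condition as a Wireshark display filter is `dns.flags.response == 1 && dns.flags.rcode == 0 && dns.count.answers == 0`, optionally narrowed to SRV with `dns.qry.type == 33`.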