Hi,
So we’re back at the question ‘Why are you convinced NXRRSET should be present?’ You assume they are there, but so far I’ve seen no evidence that they are there. As for the reason why NXRRSET is not set, Wireshark cannot answer you; that depends on your DNS server software. I think you’ll want to seek more information there.
Thanks, Jaap
Clarification: when I said !(dns.flags.rcode == 0) works, I mean the filter is working but not giving me what I am looking for. I want to list only NXRRSET packets.
On 3/29/2017 1:54 PM, Abdul Khader wrote:
Hi,
Yes the filter !(dns.flags.rcode == 0) works.
I have a domain, for example abc.com.
I have an A record for abc.com but NO SRV record.
If a client queries for an SRV record for abc.com, it should result in NXRRSET?
I have a lot of such queries for SRV records, so I feel I should see NXRRSET in my Wireshark for all those queries.
Regards
Abdul Khader
On 3/29/2017 1:44 PM, Jaap Keuter wrote:
Hi,
OK, so you’re using an up-to-date Wireshark version, that’s good.
How about filtering out all ‘problems’, using:
!(dns.flags.rcode == 0)
Does anything show up? Does it give you a clue? Why are you convinced NXRRSET should be present?
Thanks,
Jaap
On 29 Mar 2017, at 11:35, Abdul Khader <akhader@xxxxxxxxxxxxxxx> wrote:
Hi,
I am using Version 2.2.5 (v2.2.5-0-g440fd4d).
dns.flags.rcode == 8 does not work. It's not giving any results.
Regards
On 3/29/2017 1:32 PM, Jaap Keuter wrote:
Hi,
According to RFC 6895 that value (8) is used as RCODE for NXRRSET, so the filter
dns.flags.rcode == 8
should be fine. What Wireshark version are you using?
Thanks,
Jaap
On 29 Mar 2017, at 10:23, Abdul Khader <akhader@xxxxxxxxxxxxxxx> wrote:
Dear All,
Any Wireshark filter which would give me NXRRSET and does not include NXDOMAIN?
To get NXDOMAIN, we can use dns.flags.rcode == 3
But how do we get NXRRSET?
dns.flags.rcode == 8 or dns.flags.rcode == 0x8 does not work.
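An added example, not part of the thread: a small Python classifier that reads the same header RCODE field the `dns.flags.rcode` filters above match on, and keeps rcode-0 responses with an empty answer section apart from answered ones. The sample messages and the names `build_response`, `classify` and `tally` are constructed for illustration; which RCODE a real server returns for the SRV query depends on the server software.

```python
import struct
from collections import Counter

# RCODE values 3 and 8 are the ones quoted in the thread; 0 is NOERROR.
RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN", 8: "NXRRSET"}

def build_response(rcode, qtype, answer=b"", qname="abc.com"):
    """Constructed sample: a DNS response with one question and 0 or 1 answers."""
    flags = 0x8180 | (rcode & 0xF)          # QR=1, RD=1, RA=1, low 4 bits = RCODE
    header = struct.pack("!6H", 0x1234, flags, 1, 1 if answer else 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!2H", qtype, 1) + answer

def classify(msg):
    """Label a raw DNS message using only its 12-byte header."""
    if len(msg) < 12:
        return "truncated"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                  # QR bit clear: this is a query
        return "query"
    rcode = flags & 0x000F                  # header RCODE only, no EDNS extension
    if rcode == 0:
        # dns.flags.rcode == 0 matches both of these; ANCOUNT tells them apart.
        return "NOERROR" if ancount else "NOERROR (empty answer section)"
    return RCODE_NAMES.get(rcode, f"RCODE {rcode}")

def tally(messages):
    """Count messages per label, like running one display filter per RCODE."""
    return Counter(classify(m) for m in messages)

# Constructed A answer: name pointer to offset 12, type A, class IN, TTL 300.
A_RECORD = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLES = [                                 # all constructed, not captured traffic
    build_response(0, 1, A_RECORD),         # A query, answered
    build_response(0, 33),                  # SRV query (type 33), rcode 0, no answers
    build_response(3, 33, qname="nosuch.abc.com"),
    build_response(8, 33),
]

if __name__ == "__main__":
    for label, count in tally(SAMPLES).items():
        print(f"{count:3d}  {label}")
```
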