Ethereal-users: Re: [Ethereal-users] how to capture only DNS packets by applying filter in ethereal?
Vadiraj Kulkarni wrote:
| hello,
| As I am only interested in DNS response packet, I am trying to apply filters
| in Ethereal to capture.
| I have tried all the below commands. Still not working.
|
| Say:
| DNS is at 192.168.1.1
| Domain : abc.def.com
| My system : 192.168.1.10
|
| I am executing command nslookup abc.def.com 192.168.1.1
|
| Filters applied
| 1). port 53 - Ethereal captures only DNS query packets from 192.168.1.10 to
| 192.168.1.1
| 2). udp port 53 - Same as above
| 3). udp src port 53 - Same as above
| 4). udp dst port 53 - Same as above
| 5). ip host 192.168.1.1 and udp port 53 - Same as above
| 6). proto domain - Same as above
| 7). udp src port 53 - No packets captured. (This is what I am expecting,
| because DNS response will come from src port 53)
|
| Can anyone of you try to run nslookup and tell me how to capture only DNS
| response?
|
| Thanks
| Vadiraj Kulkarni
Assuming you are only interested in UDP DNS traffic, you could try
'port 53 and udp[10] & 0x80 == 0x80'
For TCP it looks like it should be
'port 53 and tcp[((tcp[12] & 0xf0) >> 2) + 4] & 0x80 == 0x80'
Works for me.
--
There's no point in being grown up if you can't be childish sometimes.
  -- Dr. Who
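Added example, not part of the original messages: in a capture filter, udp[N] and tcp[N] count from the first byte of the transport header, so the DNS flags byte that carries the QR (response) bit sits at udp[10], and for TCP it follows the variable-length TCP header plus the 2-byte DNS length prefix. The Python below applies those same offset tests to constructed packets; every function name, port and ID in it is hypothetical.

```python
import struct

QR = 0x80  # top bit of the first DNS flags byte: 0 = query, 1 = response

def dns_header(txid, response):
    # 12-byte DNS header: ID, flags, QDCOUNT=1, remaining counts 0
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def udp_segment(sport, dport, payload):
    # UDP header: source port, destination port, length, checksum (0 = unset)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp_segment(sport, dport, payload, options=b""):
    # Minimal TCP header (options must be a multiple of 4 bytes).
    # DNS over TCP prefixes each message with a 2-byte length field.
    words = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      words << 4, 0x18, 65535, 0, 0)
    return hdr + options + struct.pack("!H", len(payload)) + payload

def udp_is_response(seg):
    # Same test as the filter: udp[10] & 0x80 == 0x80
    # Bytes 0-7 are the UDP header (seg[2] is the high byte of the
    # destination port), bytes 8-9 the DNS ID, byte 10 the flags byte.
    return len(seg) > 10 and (seg[10] & QR) == QR

def tcp_is_response(seg):
    # Same test as: tcp[((tcp[12] & 0xf0) >> 2) + 4] & 0x80 == 0x80
    # High nibble of byte 12 is the header length in 32-bit words.
    if len(seg) < 20:
        return False
    flags_at = ((seg[12] & 0xF0) >> 2) + 4  # header + length prefix + ID
    return len(seg) > flags_at and (seg[flags_at] & QR) == QR

if __name__ == "__main__":
    # Constructed sample traffic: client port 1044, server port 53.
    ts_opts = bytes.fromhex("0101080a0000000100000002")  # NOP NOP timestamp
    samples = {
        "udp query": udp_is_response(udp_segment(1044, 53, dns_header(7, False))),
        "udp response": udp_is_response(udp_segment(53, 1044, dns_header(7, True))),
        "tcp response": tcp_is_response(tcp_segment(53, 1044, dns_header(7, True))),
        "tcp response + options": tcp_is_response(
            tcp_segment(53, 1044, dns_header(7, True), ts_opts)),
    }
    for name, matched in samples.items():
        print(f"{name:24} matches response filter: {matched}")
```

The TCP test only sees a DNS header in a segment that begins a DNS message; bare handshake or ACK segments have no byte at that offset and do not match.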