I think you will find that a lot of DNS responses have compression. Search for the A record for www.google.com. Every name in the response apart from the first is compressed. Just click on a name field in the Packet Details in Wireshark and you will see in the highlighted hex that it corresponds to only 2 bytes.
Regards, Martin
Martin Visser
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Adsquaired
Sent: Wednesday, 2 July 2008 10:59 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] DNS Compression?
Hello,
Can someone send me a capture that shows an example of what DNS compression looks like? I understand the concept but would like to see what it looks like in a packet capture.
Thanks
ad^2
Attachment:
dns-response.pcap
Description: dns-response.pcap
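
The 2-byte name fields described in the reply are compression pointers (RFC 1035, section 4.1.4): two bytes whose top two bits are set, followed by a 14-bit offset from the start of the DNS message. As an added example that is not part of the original thread, the Python code below decodes names from a constructed www.google.com response (not the attached capture), reports how many bytes each name field occupies, and rejects pointer loops; `read_name` and `build_sample` are names chosen here, and the answer address 192.0.2.1 is a documentation placeholder.

```python
import struct

def read_name(msg: bytes, offset: int):
    """Decode the DNS name at offset; return (name, bytes the field occupies there)."""
    labels, pos, field_len, seen = [], offset, None, set()
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # top two bits set: compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if pos in seen:  # a pointer chain that revisits itself never ends
                raise ValueError("compression pointer loop")
            seen.add(pos)
            if field_len is None:
                field_len = pos + 2 - offset  # the field ends at its first pointer
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
        elif length & 0xC0:
            raise ValueError("reserved label type")
        elif length == 0:  # root label terminates the name
            if field_len is None:
                field_len = pos + 1 - offset
            return ".".join(labels), field_len
        else:
            if pos + 1 + length > len(msg):
                raise ValueError("label runs past end of message")
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
            pos += 1 + length

def build_sample() -> bytes:
    """Constructed response (not taken from dns-response.pcap): one question, one A answer."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x03www\x06google\x03com\x00" + struct.pack("!2H", 1, 1)
    # Answer owner name is the pointer c0 0c: "go to offset 12", where the question name starts.
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    msg = build_sample()
    for off in (12, 32):  # question name, then answer name
        name, size = read_name(msg, off)
        print(f"offset {off}: {name!r} occupies {size} bytes: {msg[off:off + size].hex(' ')}")
```

The loop check matters when parsing untrusted captures: a pointer that leads back to itself would otherwise keep a naive decoder running forever.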