Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

There is a Wireshark tool for making TCP capture filters: String-Matching Capture Filter Generator

With a little math, you can do the same thing for UDP.

(udp port 53) && (udp[10] & 0x80 != 0) && (udp[11] & 0x0f == 0) && udp[20:4] = 0x04687474 && udp[24:4] = 0x70026677 && udp[28:4] = 0x08757064 && udp[32:4] = 0x61746573 && udp[36:4] = 0x31076e65 && udp[40:4] = 0x74676561 && udp[44:4] = 0x7203636f && udp[48:2] = 0x6d00

(udp port 53) - DNS typically responds from port 53
(udp[10] & 0x80 != 0) 8 bytes (0-7) of UDP header + 3rd byte in to UDP data = DNS flags high byte
(udp[11] & 0x0f == 0) 8 bytes (0-7) of UDP header + 4th byte in to UDP data = DNS flags low byte

Look for response with no errors

Flags: 0x8180 Standard query response, No error
    1... .... .... .... = Response: Message is a response
    .000 0... .... .... = Opcode: Standard query (0)
    .... .0.. .... .... = Authoritative: Server is not an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... 1... .... = Recursion available: Server can do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..0. .... = Answer authenticated: Answer/authority portion was not
                                       authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0000 = Reply code: No error (0)

RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
3. DOMAIN NAME SPACE AND RR DEFINITIONS

Domain names in messages are expressed in terms of a sequence of labels. Each label is represented as a one octet length field followed by that number of octets. Since every domain name ends with the null label of the root, a domain name is terminated by a length byte of zero. The high order two bits of every length octet must be zero, and the remaining six bits of the length field limit the label to 63 octets or less.

Queries
    http.fw.updates1.netgear.com: type A, class IN
        Name: http.fw.updates1.netgear.com
        [Name Length: 28]
        [Label Count: 5]
        Type: A (Host Address) (1)
        Class: IN (0x0001)

http.fw.updates1.netgear.com = 0468747470026677087570646174657331076e65746765617203636f6d00

http = Length: 04, Chars: 68 74 74 70
fw = Length: 02, Chars: 66 77
And so on .....
udp[20:4] = 0x04687474 && udp[24:4] = 0x70026677 && udp[28:4] = 0x08757064 && udp[32:4] = 0x61746573 && udp[36:4] = 0x31076e65 && udp[40:4] = 0x74676561 && udp[44:4] = 0x7203636f && udp[48:2] = 0x6d00

Break the Query name returned in the response into 4 bytes (and final 2 bytes) chunks.
Byte offsets start at 20 = UDP header (8) + DNS header (12) = 20 and go up 4 bytes each comparison.

pcap-filter man page:

proto [ expr : size ]

The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one.

There is a Wireshark tool for making TCP capture filters: String-Matching Capture Filter Generator

With a little math, you can do the same thing for UDP.

(udp port 53) && (udp[10] & 0x80 != 0) && (udp[11] & 0x0f == 0) && udp[20:4] = 0x04687474 && udp[24:4] = 0x70026677 && udp[28:4] = 0x08757064 && udp[32:4] = 0x61746573 && udp[36:4] = 0x31076e65 && udp[40:4] = 0x74676561 && udp[44:4] = 0x7203636f && udp[48:2] = 0x6d00

(udp port 53) - DNS typically responds from port 53
(udp[10] & 0x80 != 0) 8 bytes (0-7) of UDP header + 3rd byte in to UDP data = DNS flags high byte
(udp[11] & 0x0f == 0) 8 bytes (0-7) of UDP header + 4th byte in to UDP data = DNS flags low byte

Look for response with no errors

Flags: 0x8180 Standard query response, No error
    1... .... .... .... = Response: Message is a response
    .000 0... .... .... = Opcode: Standard query (0)
    .... .0.. .... .... = Authoritative: Server is not an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... 1... .... = Recursion available: Server can do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..0. .... = Answer authenticated: Answer/authority portion was not
                                       authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0000 = Reply code: No error (0)

RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
3. DOMAIN NAME SPACE AND RR DEFINITIONS

Domain names in messages are expressed in terms of a sequence of labels. Each label is represented as a one octet length field followed by that number of octets. Since every domain name ends with the null label of the root, a domain name is terminated by a length byte of zero. The high order two bits of every length octet must be zero, and the remaining six bits of the length field limit the label to 63 octets or less.

Queries
    http.fw.updates1.netgear.com: type A, class IN
        Name: http.fw.updates1.netgear.com
        [Name Length: 28]
        [Label Count: 5]
        Type: A (Host Address) (1)
        Class: IN (0x0001)

http.fw.updates1.netgear.com = 0468747470026677087570646174657331076e65746765617203636f6d00

http = Length: 04, Chars: 68 74 74 70
fw = Length: 02, Chars: 66 77
And so on .....
udp[20:4] = 0x04687474 && udp[24:4] = 0x70026677 && udp[28:4] = 0x08757064 && udp[32:4] = 0x61746573 && udp[36:4] = 0x31076e65 && udp[40:4] = 0x74676561 && udp[44:4] = 0x7203636f && udp[48:2] = 0x6d00

Break the Query name returned in the response into 4 bytes byte (and final 2 bytes) byte) chunks.
Byte offsets start at 20 = UDP header (8) + DNS header (12) = 20 and go up 4 bytes each comparison.

pcap-filter man page:

proto [ expr : size ]

The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. one.

There is a Wireshark tool for making TCP capture filters: String-Matching Capture Filter Generator

With a little math, you can do the same thing for UDP.

(udp port 53) && (udp[10] & 0x80 != 0) && (udp[11] & 0x0f == 0) && udp[20:4] = 0x04687474 && udp[24:4] = 0x70026677 && udp[28:4] = 0x08757064 && udp[32:4] = 0x61746573 && udp[36:4] = 0x31076e65 && udp[40:4] = 0x74676561 && udp[44:4] = 0x7203636f && udp[48:2] = 0x6d00

(udp port 53) - DNS typically responds from port 53
(udp[10] & 0x80 != 0) 8 bytes (0-7) of UDP header + 3rd byte in to UDP data = DNS flags high byte
(udp[11] & 0x0f == 0) 8 bytes (0-7) of UDP header + 4th byte in to UDP data = DNS flags low byte

Look for response with no errors

Flags: 0x8180 Standard query response, No error
    1... .... .... .... = Response: Message is a response
    .000 0... .... .... = Opcode: Standard query (0)
    .... .0.. .... .... = Authoritative: Server is not an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... 1... .... = Recursion available: Server can do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..0. .... = Answer authenticated: Answer/authority portion was not
                                       authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0000 = Reply code: No error (0)

RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
3. DOMAIN NAME SPACE AND RR DEFINITIONS

Domain names in messages are expressed in terms of a sequence of labels. Each label is represented as a one octet length field followed by that number of octets. Since every domain name ends with the null label of the root, a domain name is terminated by a length byte of zero. The high order two bits of every length octet must be zero, and the remaining six bits of the length field limit the label to 63 octets or less.

Queries
    http.fw.updates1.netgear.com: type A, class IN
        Name: http.fw.updates1.netgear.com
        [Name Length: 28]
        [Label Count: 5]
        Type: A (Host Address) (1)
        Class: IN (0x0001)

http.fw.updates1.netgear.com = 0468747470026677087570646174657331076e65746765617203636f6d00

http = Length: 04, Chars: 68 74 74 70
fw = Length: 02, Chars: 66 77
And so on .....
udp[20:4] = 0x04687474 && udp[24:4] = 0x70026677 && udp[28:4] = 0x08757064 && udp[32:4] = 0x61746573 && udp[36:4] = 0x31076e65 && udp[40:4] = 0x74676561 && udp[44:4] = 0x7203636f && udp[48:2] = 0x6d00

Break the Query name returned in the response into 4 byte (and final 2 byte) chunks.
Byte offsets start at 20 = UDP header (8) + DNS header (12) = 20 and go up 4 bytes each comparison.

pcap-filter man page:

proto [ expr : size ]

The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one.

image description