| 1 | initial version |
I haven't had luck generating a DNS packet with an opcode other than 0 so this hasn't been tested.
https://www.tcpdump.org/manpages/pcap-filter.7.html
(PACKET DATA ACCESSORS)
PACKET DATA ACCESSORS
To use the packet data in an arithmetic expression, use the following syntax:
proto [ expr : size ]
DNS RFC (https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.1):
The header contains the following fields:
                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
--- snip ---
There are 8 bytes/octets in a UDP header (0-7), then two for the DNS ID (UDP 8-9).
Try udp port 53 && udp[10] & 0x78 == 5
| 2 | No.2 Revision |
I haven't had luck generating a DNS packet with an opcode other than 0 so this hasn't been tested.
https://www.tcpdump.org/manpages/pcap-filter.7.html
(PACKET DATA ACCESSORS)
PACKET DATA ACCESSORS
To use the packet data in an arithmetic expression, use the following syntax:
proto [ expr : size ]
DNS RFC (https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.1):
The header contains the following fields:
                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
--- snip ---
There are 8 bytes/octets in a UDP header (0-7), then two for the DNS ID (UDP 8-9).
Try udp port 53 && udp[10] & 0x78 == 5
(the bit math may not shift the result), so it could be udp port 53 && udp[10] & 0x78 == 0x28
| 3 | No.3 Revision |
I haven't had luck generating a DNS packet with an opcode other than 0 so this hasn't been tested.
https://www.tcpdump.org/manpages/pcap-filter.7.html
(PACKET DATA ACCESSORS)
PACKET DATA ACCESSORS
To use the packet data in an arithmetic expression, use the following syntax:
proto [ expr : size ]
DNS RFC (https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.1):
The header contains the following fields:
                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
--- snip ---
There are 8 bytes/octets in a UDP header (0-7), then two for the DNS ID (UDP 8-9).
Try udp port 53 && udp[10] & 0x78 == 5
(the bit math may not shift the result), so it could be udp port 53 && udp[10] & 0x78 == 0x28
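Added worked example (editor's addition, not part of the answer above or any of its revisions): the answerer could not generate a non-zero-opcode packet, so this script builds the UDP and DNS headers by hand from the RFC 1035 layout and evaluates the same byte-offset arithmetic that pcap-filter applies to udp[10]. It shows that udp[10] & 0x78 leaves the opcode in bits 3..6, so comparing against 5 can never match, comparing against 0x28 does, and shifting with >> 3 (which pcap-filter supports) gives the opcode directly. The packet bytes, transaction ID and ports are constructed sample values; the function names are this example's own.

```python
"""Check the byte-offset arithmetic behind the capture filter in the answer.

Added, constructed example: it builds a UDP header plus a DNS header by hand
(RFC 1035 section 4.1.1) so the offsets and the mask can be verified without
capturing a real UPDATE.  Nothing here is the original poster's code.
"""
import struct

UDP_HEADER_LEN = 8           # udp[0..7]
DNS_FLAGS_HI_OFFSET = 10     # udp[8..9] = DNS ID, udp[10] = QR|Opcode|AA|TC|RD
OPCODE_MASK = 0x78           # bits 1-4 of udp[10]: 0111 1000

DNS_OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def build_udp_dns(opcode, qr=0, rd=1, txid=0x1234, sport=53000, dport=53):
    """Constructed sample packet: 8-byte UDP header + 12-byte DNS header, no RRs.

    The UDP checksum is left as 0 ("not computed", legal for IPv4); it does not
    affect the offset arithmetic demonstrated here.
    """
    flags = (qr << 15) | ((opcode & 0xF) << 11) | (rd << 8)
    dns_header = struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)
    udp_header = struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(dns_header), 0)
    return udp_header + dns_header


def udp_byte(pkt, offset):
    """Mirror of the pcap-filter accessor udp[offset]: offset counts from the UDP header."""
    return pkt[offset]


def masked_opcode_bits(pkt):
    """Value of the expression  udp[10] & 0x78  (opcode still sitting in bits 3..6)."""
    return udp_byte(pkt, DNS_FLAGS_HI_OFFSET) & OPCODE_MASK


def dns_opcode(pkt):
    """Value of the expression  (udp[10] & 0x78) >> 3  (the actual 4-bit opcode)."""
    return masked_opcode_bits(pkt) >> 3


def unshifted_literal(opcode):
    """The constant to compare against when no shift is used: opcode << 3."""
    return (opcode & 0xF) << 3


def filter_for_opcode(opcode, shifted=True):
    """Render the pcap-filter / Wireshark capture-filter text for a given opcode."""
    if shifted:
        return f"udp port 53 and (udp[10] & 0x78) >> 3 == {opcode}"
    return f"udp port 53 and udp[10] & 0x78 == {unshifted_literal(opcode):#x}"


def evaluate(pkt):
    """Summarise how the candidate filters from the answer treat one packet."""
    return {
        "udp[10]": udp_byte(pkt, DNS_FLAGS_HI_OFFSET),
        "opcode": dns_opcode(pkt),
        "udp[10] & 0x78 == 5": masked_opcode_bits(pkt) == 5,
        "udp[10] & 0x78 == 0x28": masked_opcode_bits(pkt) == 0x28,
        "(udp[10] & 0x78) >> 3 == 5": dns_opcode(pkt) == 5,
    }


if __name__ == "__main__":
    samples = {
        "standard query": build_udp_dns(0),
        "UPDATE request": build_udp_dns(5),
        "UPDATE response": build_udp_dns(5, qr=1),
        "NOTIFY": build_udp_dns(4),
    }
    for name, pkt in samples.items():
        r = evaluate(pkt)
        print(f"{name:16s} udp[10]=0x{r['udp[10]']:02x} opcode={r['opcode']} "
              f"({DNS_OPCODE_NAMES.get(r['opcode'], '?')})")
        for expr in list(r)[2:]:
            print(f"    {expr:28s} -> {r[expr]}")
    print()
    print(filter_for_opcode(5, shifted=True))
    print(filter_for_opcode(5, shifted=False))
```

Two caveats the arithmetic makes visible: the mask 0x78 leaves out the QR bit, so both the UPDATE request and its response match (add "&& udp[10] & 0x80 == 0" to keep only requests); and the fixed offset only holds for DNS over UDP, since DNS over TCP carries a two-byte length prefix behind a variable-length TCP header.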