Ask Your Question
0

Capture filter to record specific DNS responses?

asked 2022-05-30 19:03:33 +0000

CrimpOn gravatar image

I want to know how often my router accesses the manufacturer's support site over an extended length of time (several days). The support site changes IP address frequently, so my thought is to capture every time the router does a DNS request and gets a response. I know that DNS is port 53 and the responder is CloudFlare (1.1.1.1), but I want to capture only the responses that give the IP of "http.fw.updates1.netgear.com", not the thousands of DNS responses generated by all the other network activity (web, email, streaming, etc.) What I cannot figure out is a filter to capture only the DNS responses I want.

If that is simply not possible, I can capture all DNS responses, but I need to create a Display filter to pick out the relevant packets.

Looking for suggestions. Thanks.

edit retag flag offensive close merge delete

Comments

"Display filter" != "Capture filter"
You want to create a capture filter, not "create a Display filter " ?

Chuckc gravatar imageChuckc ( 2022-05-30 22:53:35 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-05-30 22:52:16 +0000

Chuckc gravatar image

updated 2022-05-30 23:09:14 +0000

There is a Wireshark tool for making TCP capture filters: String-Matching Capture Filter Generator

With a little math, you can do the same thing for UDP.

(udp port 53) && (udp[10] & 0x80 != 0) && (udp[11] & 0x0f == 0) && udp[20:4] = 0x04687474 && udp[24:4] = 0x70026677 && udp[28:4] = 0x08757064 && udp[32:4] = 0x61746573 && udp[36:4] = 0x31076e65 && udp[40:4] = 0x74676561 && udp[44:4] = 0x7203636f && udp[48:2] = 0x6d00

(udp port 53) - DNS typically responds from port 53
(udp[10] & 0x80 != 0) 8 bytes (0-7) of UDP header + 3rd byte in to UDP data = DNS flags high byte
(udp[11] & 0x0f == 0) 8 bytes (0-7) of UDP header + 4th byte in to UDP data = DNS flags low byte

Look for response with no errors

Flags: 0x8180 Standard query response, No error
    1... .... .... .... = Response: Message is a response
    .000 0... .... .... = Opcode: Standard query (0)
    .... .0.. .... .... = Authoritative: Server is not an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... 1... .... = Recursion available: Server can do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..0. .... = Answer authenticated: Answer/authority portion was not
                                       authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0000 = Reply code: No error (0)

RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
3. DOMAIN NAME SPACE AND RR DEFINITIONS

Domain names in messages are expressed in terms of a sequence of labels. Each label is represented as a one octet length field followed by that number of octets. Since every domain name ends with the null label of the root, a domain name is terminated by a length byte of zero. The high order two bits of every length octet must be zero, and the remaining six bits of the length field limit the label to 63 octets or less.

Queries
    http.fw.updates1.netgear.com: type A, class IN
        Name: http.fw.updates1.netgear.com
        [Name Length: 28]
        [Label Count: 5]
        Type: A (Host Address) (1)
        Class: IN (0x0001)

http.fw.updates1.netgear.com = 0468747470026677087570646174657331076e65746765617203636f6d00

http = Length: 04, Chars: 68 74 74 70
fw = Length: 02, Chars: 66 77
And so on .....
udp[20:4] = 0x04687474 && udp[24:4] = 0x70026677 && udp[28:4] = 0x08757064 && udp[32:4] = 0x61746573 && udp[36:4] = 0x31076e65 && udp[40:4] = 0x74676561 && udp[44:4] = 0x7203636f && udp[48:2] = 0x6d00

Break the Query name returned in the response into 4 byte (and final 2 byte) chunks.
Byte offsets start at 20 = UDP header (8) + DNS header (12) = 20 and go up 4 bytes each comparison.

pcap-filter man page:

proto [ expr : size ]

The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one.

image description

edit flag offensive delete link more

Comments

This is beyond amazing! Have no need for the AAAA records, and am struggling to figure out which bytes to compare. If I count correctly, then udp[50:2] == 0x01 will match A records.

Have discovered two interesting results so far (at least to me):

  • The router makes 42 DNS requests over a period of about 44 seconds to find that there is no new firmware.
  • It appears to make a separate DNS request for each connection. (http GET, etc.)

My project is now well "on the way". By tomorrow, it should be clear how often the router "checks in". (My guess is every two hours starting sometime during the night, but that's the purpose of observing rather than guessing.)

THANK YOU.

CrimpOn gravatar imageCrimpOn ( 2022-05-31 00:09:22 +0000 )edit

Yes, indeed. udp[50:2] == 0x01 captures only A records!

CrimpOn gravatar imageCrimpOn ( 2022-05-31 00:15:13 +0000 )edit

The filter was getting a bit long so I didn't include that check. Looks like you're well on the way to tweaking as needed in the future.

Chuckc gravatar imageChuckc ( 2022-05-31 00:21:20 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-05-30 19:03:33 +0000

Seen: 2,425 times

Last updated: May 30 '22