Beginner trying to make display filter to only show DNS request and later responses

asked 2023-04-21 05:29:54 +0000

KDAM71
1 ●1 ●2 ●3

Hello,

I'm a beginner at display filters. I'm trying to make a filter to only show DNS requests and plan on make a filter to only show responses for use in the I/O graph. I selected a request packet and found the field that showed dns.flags in the bottom bar. The hex value of the field is 01 00. I typed in the display filter dns.flags==0x0100 and applied the filter. It showed only DNS respones in which the filed value is 81 80. What is going wrong?

Comments

So, you applied the display filter dns.flags==0x0100 and the result is the output of applying dns.flags==0x8180? Maybe you should try again, since I'm unable to reproduce that result.

Jaap ( 2023-04-21 06:04:50 +0000 )edit

I've checked and tried several times already. I can't figure it out.Here are all version numbers from Wireshark > help > about::

Version 4.0.5 (v4.0.5-0-ge556162d8da3).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with Qt 5.15.2, with libpcap,
with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.10.1, with
Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.14, with libsmi 0.4.8, with
QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
SpeexDSP (using bundled resampler), with Minizip, with binary plugins.

Running on 64-bit Windows (22H2), build 22621, with 11th Gen Intel(R) Core(TM)
i5-11400H @ 2.70GHz (with ...

(more)

KDAM71 ( 2023-04-21 06:12:37 +0000 )edit

How about using the display filter dns.flags.response == 0 and dns.flags.response == 1? Does that show any difference?

Jaap ( 2023-04-21 09:55:25 +0000 )edit

add a comment

answered 2023-04-21 12:28:51 +0000

Chuckc
3023 ●6 ●608 ●20

The high bit of the flags indicates query or response.

dns.flags & 0x8000 == 0x0000

Flags: 0x0100 Standard query
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ...0 .... = Non-authenticated data: Unacceptable

dns.flags & 0x8000 == 0x8000

Flags: 0x8180 Standard query response, No error
    1... .... .... .... = Response: Message is a response
    .000 0... .... .... = Opcode: Standard query (0)
    .... .0.. .... .... = Authoritative: Server is not an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... 1... .... = Recursion available: Server can do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0000 = Reply code: No error (0)

edit flag offensive delete link

Comments

Ok. I still don't understand what is wrong with my approach though.

KDAM71 ( 2023-04-21 12:35:06 +0000 )edit

Description of header flags in rfc1035:
The highest bit (0x8000) indicates query/response:

QR A one bit field that specifies whether this message is a query (0), or a response (1).

The bit (0x0100) in your filter can be set for both:

RD Recursion Desired - this bit may be set in a query and is copied into the response. If RD is set, it directs the name server to pursue the query recursively. Recursive query support is optional.

Chuckc ( 2023-04-21 12:55:45 +0000 )edit

Thank you for the explanation.

KDAM71 ( 2023-04-21 13:54:40 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Beginner trying to make display filter to only show DNS request and later responses

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Beginner trying to make display filter to only show DNS request and later responses edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Beginner trying to make display filter to only show DNS request and later responses