Ask Your Question
0

Beginner trying to make display filter to only show DNS request and later responses

asked 2023-04-21 05:29:54 +0000

KDAM71 gravatar image

Hello,

I'm a beginner at display filters. I'm trying to make a filter to only show DNS requests and plan on make a filter to only show responses for use in the I/O graph. I selected a request packet and found the field that showed dns.flags in the bottom bar. The hex value of the field is 01 00. I typed in the display filter dns.flags==0x0100 and applied the filter. It showed only DNS respones in which the filed value is 81 80. What is going wrong?

edit retag flag offensive close merge delete

Comments

So, you applied the display filter dns.flags==0x0100 and the result is the output of applying dns.flags==0x8180? Maybe you should try again, since I'm unable to reproduce that result.

Jaap gravatar imageJaap ( 2023-04-21 06:04:50 +0000 )edit

I've checked and tried several times already. I can't figure it out.Here are all version numbers from Wireshark > help > about::

Version 4.0.5 (v4.0.5-0-ge556162d8da3).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with Qt 5.15.2, with libpcap,
with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.10.1, with
Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.14, with libsmi 0.4.8, with
QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
SpeexDSP (using bundled resampler), with Minizip, with binary plugins.

Running on 64-bit Windows (22H2), build 22621, with 11th Gen Intel(R) Core(TM)
i5-11400H @ 2.70GHz (with ...
(more)
KDAM71 gravatar imageKDAM71 ( 2023-04-21 06:12:37 +0000 )edit

How about using the display filter dns.flags.response == 0 and dns.flags.response == 1? Does that show any difference?

Jaap gravatar imageJaap ( 2023-04-21 09:55:25 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-04-21 12:28:51 +0000

Chuckc gravatar image

The high bit of the flags indicates query or response.

dns.flags & 0x8000 == 0x0000

Flags: 0x0100 Standard query
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ...0 .... = Non-authenticated data: Unacceptable


dns.flags & 0x8000 == 0x8000

Flags: 0x8180 Standard query response, No error
    1... .... .... .... = Response: Message is a response
    .000 0... .... .... = Opcode: Standard query (0)
    .... .0.. .... .... = Authoritative: Server is not an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... 1... .... = Recursion available: Server can do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0000 = Reply code: No error (0)
edit flag offensive delete link more

Comments

Ok. I still don't understand what is wrong with my approach though.

KDAM71 gravatar imageKDAM71 ( 2023-04-21 12:35:06 +0000 )edit

Description of header flags in rfc1035:
The highest bit (0x8000) indicates query/response:

QR A one bit field that specifies whether this message is a query (0), or a response (1).

The bit (0x0100) in your filter can be set for both:

RD Recursion Desired - this bit may be set in a query and is copied into the response. If RD is set, it directs the name server to pursue the query recursively. Recursive query support is optional.

Chuckc gravatar imageChuckc ( 2023-04-21 12:55:45 +0000 )edit

Thank you for the explanation.

KDAM71 gravatar imageKDAM71 ( 2023-04-21 13:54:40 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-04-21 05:29:54 +0000

Seen: 2,544 times

Last updated: Apr 21 '23