what is the capture filter for dns.flags.opcode==5

asked 2025-05-15 17:21:18 +0000

FawadSiddiqi
1

What is the equivalent of display filter dns.flags.opcode==5 if I want to apply it as a capture filter?

Comments

Have you already constructed a capture filter to only capture DNS?

Chuckc ( 2025-05-15 17:33:35 +0000 )edit

add a comment

answered 2025-05-15 18:19:20 +0000

Chuckc
3133 ●6 ●648 ●20

updated 2025-05-15 18:28:59 +0000

I haven't had luck generating a DNS packet with an opcode other than 0 so this hasn't been tested.

https://www.tcpdump.org/manpages/pcap...
(PACKET DATA ACCESSORS)

PACKET DATA ACCESSORS
To use the packet data in an arithmetic expression, use the following syntax:
proto [ expr : size ]

DNS RFC (https://datatracker.ietf.org/doc/html...):

The header contains the following fields:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
--- snip ---

There are 8 bytes/octets in a UDP header (0-7), then two for the DNS ID (UDP 8-9).
Try udp port 53 && udp[10] & 0x78 == 0x28

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

what is the capture filter for dns.flags.opcode==5

Comments

1 Answer

Your Answer

Question Tools

Stats

Related questions

what is the capture filter for dns.flags.opcode==5 edit

Comments

1 Answer

Your Answer

Question Tools

Stats

Related questions

what is the capture filter for dns.flags.opcode==5