Filtering DNS traffic
by Charit Mishra, Yoram Orzach, James H Baxter
Wireshark Revealed: Essential Skills for IT Professionals
- Wireshark Revealed: Essential Skills for IT Professionals
- Table of Contents
- Wireshark Revealed: Essential Skills for IT Professionals
- Credits
- Preface
- 1. Module 1
- 1. Getting Acquainted with Wireshark
- 2. Networking for Packet Analysts
- The OSI model – why it matters
- IP networks and subnets
- Switching and routing packets
- WAN links
- Wireless networking
- Summary
- 3. Capturing All the Right Packets
- Picking the best capture point
- Test Access Ports and switch port mirroring
- Capturing interfaces, filters, and options
- Verifying a good capture
- Saving the bulk capture file
- Isolating conversations of interest
- Using the Conversations window
- Wireshark display filters
- Filter Expression Buttons
- Following TCP/UDP/SSL streams
- Marking and ignoring packets
- Saving the filtered traffic
- Summary
- 4. Configuring Wireshark
- 5. Network Protocols
- The OSI and DARPA reference models
- Transport layer protocols
- Application layer protocols
- Summary
- 6. Troubleshooting and Performance Analysis
- Troubleshooting methodology
- Troubleshooting connectivity issues
- Troubleshooting functional issues
- Performance analysis methodology
- Top five reasons for poor application performance
- Summary
- 7. Packet Analysis for Security Tasks
- 8. Command-line and Other Utilities
- 2. Module 2
- 1. Introducing Wireshark
- 2. Using Capture Filters
- 3. Using Display Filters
- 4. Using Basic Statistics Tools
- Introduction
- Using the Summary tool from the Statistics menu
- Using the Protocol Hierarchy tool from the Statistics menu
- Using the Conversations tool from the Statistics menu
- Using the Endpoints tool from the Statistics menu
- Using the HTTP tool from the Statistics menu
- Configuring Flow Graph for viewing TCP flows
- Creating IP-based statistics
- 5. Using Advanced Statistics Tools
- Introduction
- Configuring IO Graphs with filters for measuring network performance issues
- Throughput measurements with IO Graph
- Advanced IO Graph configurations with advanced Y-Axis parameters
- Getting information through TCP stream graphs – the Time-Sequence (Stevens) window
- Getting information through TCP stream graphs – the Time-Sequence (tcp-trace) window
- Getting information through TCP stream graphs – the Throughput Graph window
- Getting information through TCP stream graphs – the Round Trip Time window
- Getting information through TCP stream graphs – the Window Scaling Graph window
- 6. Using the Expert Infos Window
- 7. Ethernet, LAN Switching, and Wireless LAN
- 8. ARP and IP Analysis
- 9. UDP/TCP Analysis
- Introduction
- Configuring TCP and UDP preferences for troubleshooting
- TCP connection problems
- TCP retransmission – where do they come from and why
- Duplicate ACKs and fast retransmissions
- TCP out-of-order packet events
- TCP Zero Window, Window Full, Window Change, and other Window indicators
- TCP resets and why they happen
- 10. HTTP and DNS
- 11. Analyzing Enterprise Applications' Behavior
- Introduction
- Finding out what is running over your network
- Analyzing FTP problems
- Analyzing e-mail traffic and troubleshooting e-mail problems – POP, IMAP, and SMTP
- Analyzing MS-TS and Citrix communications problems
- Analyzing problems in the NetBIOS protocols
- Analyzing database traffic and common problems
- 12. SIP, Multimedia, and IP Telephony
- Introduction
- Using Wireshark's features for telephony and multimedia analysis
- Analyzing SIP connectivity
- Analyzing RTP/RTCP connectivity
- Troubleshooting scenarios for video and surveillance applications
- Troubleshooting scenarios for IPTV applications
- Troubleshooting scenarios for video conferencing applications
- Troubleshooting RTSP
- 13. Troubleshooting Bandwidth and Delay Problems
- 14. Understanding Network Security
- A. Links, Tools, and Reading
- 3. Module 3
- 1. Welcome to the World of Packet Analysis with Wireshark
- 2. Filtering Our Way in Wireshark
- 3. Mastering the Advanced Features of Wireshark
- 4. Inspecting Application Layer Protocols
- 5. Analyzing Transport Layer Protocols
- 6. Analyzing Traffic in Thin Air
- 7. Network Security Analysis
- 8. Troubleshooting
- 9. Introduction to Wireshark v2
- Bibliography
- Index
DNS is a protocol responsible for resolving names to the IP addresses. In this recipe, we will learn how to filter important parameters that are related to the DNS service.
When suspecting a network problem, port mirror the suspected server or install Wireshark on it, then, start capturing the data.
There are some common filters that will assist you in troubleshooting DNS problems. The common display filters are given as follows:
- The basic filter is simply for filtering DNS traffic. The filter is
dns.- For filtering only DNS queries we have
dns.flags.response == 0 - For filtering only DNS responses we have
dns.flags.response == 1
- For filtering only DNS queries we have
- For filtering error codes, we have the following filters:
- No error (rcode—reply code), we have
dns.flags.rcode == 0, marked in the following screenshot - No such name, we have
dns.flags.rcode == 3
- No error (rcode—reply code), we have
- For search problems, we have the following filters:
- When looking for a specific URL: This will be used, for example, when you are not sure whether your PC is sending the DNS query, use
dns.qry.name == "URL Name" - When looking for a query that contains a specific URL: For this case we have
dns.qry.name contains "URL Name"
- When looking for a specific URL: This will be used, for example, when you are not sure whether your PC is sending the DNS query, use
- For filtering DNS Opcodes (standard query or other requests or notifications), we have the following filters:
- For filtering only standard queries:
dns.flags.opcode == 0 - For filtering only inverse queries:
dns.flags.opcode == 1 - For filtering server status requests:
dns.flags.opcode == 2 - For filtering zone change notifications:
dns.flags.opcode == 4 - For filtering dynamic updates:
dns.flags.opcode == 5
- For filtering only standard queries:
- For querying the query types (recursive/non-recursive):
- For recursive query we have
dns.flags.recdesired == 1 - For non-recursive query we have
dns.flags.recdesired == 0
- For recursive query we have
All other display filters can be found by clicking on the expression button on the right-hand side of the display filter window at the top of the Wireshark window.
Display filters are described in depth in Chapter 3, Using Display Filters. As described in Chapter 3, Using Display Filters, you can do one of the following things to filter DNS parameters:
- Click on the expression button on the right to the display filter window, and choose the required filter from DNS
- Go to the packet details, right-click on the required field, and choose Apply a filter or Prepare a filter
- Simply write the filter string in the filter window at the top of the Wireshark window
DNS is quite a complicated protocol, and the purpose of this chapter is to provide methods to resolve common problems with this protocol and implementation. Not all filters are mentioned here; a full list of DNS filters can be found at http://www.wireshark.org/docs/dfref/d/dns.html.
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.