Saucepan

User Tools

Site Tools

Trace: tar_gzip disk_administration install_cups dnsproxy crypto install_activemq ssh mail_servers odbc clone_centos_6
networking:wireshark

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
networking:wireshark [2025/01/27 11:23] bstaffordnetworking:wireshark [2025/08/24 17:06] (current) bstafford
Line 1: Line 1:
 ====== Wireshark ====== ====== Wireshark ======
-Show all DNS queries from local IP that are for a specific FQDN+Show all DNS queries from local IP that are for a specific FQDN.  
 + 
 +**NOTE**: This will obviously not show the return queries as we are only showing outbound requests.
 <code>dns and ip.src==192.168.1.10 and dns.qry.name == "example.com"</code> <code>dns and ip.src==192.168.1.10 and dns.qry.name == "example.com"</code>
 +
 +<code>dns.qry.name == "test.com" or dns.qry.name == "example.com"</code>
 +
 +Show HTTPS sites visited
 +<code>tls.handshake.type == 1</code>
 +Filter by specific HTTPS site
 +<code>tls.handshake.extensions_server_name == "microsoft.com"</code>
 +
 +List A record queries/responses
 +<code>dns.qry-type == 1</code>
 +Other types:
 +  * AAAA = 28
 +  * TXT = 16
 +  * NS = 2
 +  * PTR = 12
 +  * CNAME = 5
 +  * HTTPS = 65
 +  * MX = 15
 +
 +Full list [[https://en.wikipedia.org/wiki/List_of_DNS_record_types|here]].
 +
 +To get just queries (and not responses) add the following
 +<code> && (dns.count.answers == 0)</code>
 +To get just responses(and not queries) add the following
 +<code> && (dns.count.answers > 0)</code>
 ===== General Filters ===== ===== General Filters =====
 Search Wireshark for packets that contain an IP address that are results of a DNS query. Search Wireshark for packets that contain an IP address that are results of a DNS query.
Line 50: Line 77:
 <code>dns.flags.recdesired == 0</code> <code>dns.flags.recdesired == 0</code>
  
 +===== Filtering =====
 +
 +Capture all DNS queries (non-responses) directed to the DNS servers:
 +<code>((ip.dst == 10.10.10.10 || ip.dst == 10.10.11.11 ) && (dns.flags.response == 0)) && (dns.flags.opcode == 0)</code>
 +
 +The filtered data was exported to a plain text file for further processing.
 +
 +Total DNS Queries Captured:
 +<code>wc -l queries.txt</code>
 +Top 30 Queried Domains:
 +<code>less queries.txt | awk '{split($8,a,".");b=length(a);print a[b-3]"."a[b-2]"."a[b-1]"."a[b]}'| sort | uniq -c | sort -nr | head -30</code>
 +
 +Top 30 Querying Clients:
 +<code>less queries.txt | awk '{print $4}'|sort | uniq -c | sort -nr | head -30</code>
 +
 +Top FQDNs Queried by the Top 5 Clients:
 +<code>grep '10.10.10.10\|10.10.10.2\|10.10.10.3\|10.10.10.4\|10.10.10.5' queries.txt | awk '{print $8}'|sort | uniq -c | sort -nr | head -30</code>
 +
 +Top Domains Queried by the Top 5 Clients:
 +<code>grep '10.10.10.10\|10.10.10.2\|10.10.10.3\|10.10.10.4\|10.10.10.5' queries.txt | awk '{split($8,a,".");b=length(a);print a[b-3]"."a[b-2]"."a[b-1]"."a[b]}'| sort | uniq -c | sort -nr | head -30</code>
  
  
networking/wireshark.1737976989.txt.gz · Last modified: by bstafford