Differences

This shows you the differences between two versions of the page.

--- networking:wireshark [2025/07/29 08:16] – bstafford
+++ networking:wireshark [2025/08/24 17:06] (current) – bstafford
@@ Line 24: / Line 24: @@
 Full list [[https://en.wikipedia.org/wiki/List_of_DNS_record_types|here]].
+To get just queries (and not responses) add the following
+<code> && (dns.count.answers == 0)</code>
+To get just responses(and not queries) add the following
+<code> && (dns.count.answers > 0)</code>
 ===== General Filters =====
 Search Wireshark for packets that contain an IP address that are results of a DNS query.
@@ Line 72: / Line 77: @@
 <code>dns.flags.recdesired == 0</code>
+===== Filtering =====
+Capture all DNS queries (non-responses) directed to the DNS servers:
+<code>((ip.dst == 10.10.10.10 || ip.dst == 10.10.11.11 ) && (dns.flags.response == 0)) && (dns.flags.opcode == 0)</code>
+The filtered data was exported to a plain text file for further processing.
+Total DNS Queries Captured:
+<code>wc -l queries.txt</code>
+Top 30 Queried Domains:
+<code>less queries.txt | awk '{split($8,a,".");b=length(a);print a[b-3]"."a[b-2]"."a[b-1]"."a[b]}'| sort | uniq -c | sort -nr | head -30</code>
+Top 30 Querying Clients:
+<code>less queries.txt | awk '{print $4}'|sort | uniq -c | sort -nr | head -30</code>
+Top FQDNs Queried by the Top 5 Clients:
+<code>grep '10.10.10.10\|10.10.10.2\|10.10.10.3\|10.10.10.4\|10.10.10.5' queries.txt | awk '{print $8}'|sort | uniq -c | sort -nr | head -30</code>
+Top Domains Queried by the Top 5 Clients:
+<code>grep '10.10.10.10\|10.10.10.2\|10.10.10.3\|10.10.10.4\|10.10.10.5' queries.txt | awk '{split($8,a,".");b=length(a);print a[b-3]"."a[b-2]"."a[b-1]"."a[b]}'| sort | uniq -c | sort -nr | head -30</code>