====== Wireshark ======
Show all DNS queries from local IP that are for a specific FQDN. 

**NOTE**: This will obviously not show the return queries as we are only showing outbound requests.
<code>dns and ip.src==192.168.1.10 and dns.qry.name == "example.com"</code>

<code>dns.qry.name == "test.com" or dns.qry.name == "example.com"</code>

Show HTTPS sites visited
<code>tls.handshake.type == 1</code>
Filter by specific HTTPS site
<code>tls.handshake.extensions_server_name == "microsoft.com"</code>

List A record queries/responses
<code>dns.qry-type == 1</code>
Other types:
  * AAAA = 28
  * TXT = 16
  * NS = 2
  * PTR = 12
  * CNAME = 5
  * HTTPS = 65
  * MX = 15

Full list [[https://en.wikipedia.org/wiki/List_of_DNS_record_types|here]].

To get just queries (and not responses) add the following
<code> && (dns.count.answers == 0)</code>
To get just responses(and not queries) add the following
<code> && (dns.count.answers > 0)</code>
===== General Filters =====
Search Wireshark for packets that contain an IP address that are results of a DNS query.

<code>ip.addr == 1.2.3.4</code>
<code>ip.src == 1.2.3.4</code>
<code>ip.dst == 1.2.3.4</code>
<code>tcp.port eq 25 or icmp</code>
<code>udp.port eq 53</code>
<code>ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16</code>
<code>udp.stream eq ${udp.stream}</code>
<code>tcp.stream eq ${tcp.stream}</code>
===== DHCP =====
Filter queries based on the client MAC in the "client" field in the DHCP request.
<code>dhcp.hw.mac_addr</code>
===== DNS Filtering =====
Filter just DNS queries 
<code>dns</code>
Filter DNS from IP and to IP
<code>dns and (ip.src==10.42.0.174 and ip.dst==10.43.0.10)</code>
Filter both directions of flow from client to server.
<code>dns and (ip.src==10.42.0.174 and ip.dst==10.43.0.10) or  (ip.dst==10.42.0.174 and ip.src==10.43.0.10)</code>
Filter based on IP response to A record request
<code>dns.a == 1.2.3.4</code>
Filter by specific query
<code>dns.qry.name == "sinkhole.paloaltonetworks.com"</code>
Filter by query that contains string
<code>dns.qry.name contains "paloaltonetworks.com"</code>
Filter for DNS queries only
<code>dns.flags.response == 0</code>
Filter for DNS responses only
<code>dns.flags.response == 1</code>
Filter by DNS transaction ID (where XX is the transaction ID)
<code>dns.id eq XX</code>
Filter for Zone Transfers
<code>dns.qry.type in {251 252} or dns.flags.opcode eq 4</code>

Filter by DNS Option Codes
standard queries: <code>dns.flags.opcode == 0</code>
inverse queries: <code>dns.flags.opcode == 1</code>
server status requests: <code>dns.flags.opcode == 2</code>
zone change notifications: <code>dns.flags.opcode == 4</code>
dynamic updates: <code>dns.flags.opcode == 5 </code>

Filter by recursive query:
<code>dns.flags.recdesired == 1</code>
Filter by non-recursive query:
<code>dns.flags.recdesired == 0</code>

===== Filtering =====

Capture all DNS queries (non-responses) directed to the DNS servers:
<code>((ip.dst == 10.10.10.10 || ip.dst == 10.10.11.11 ) && (dns.flags.response == 0)) && (dns.flags.opcode == 0)</code>

The filtered data was exported to a plain text file for further processing.

Total DNS Queries Captured:
<code>wc -l queries.txt</code>
Top 30 Queried Domains:
<code>less queries.txt | awk '{split($8,a,".");b=length(a);print a[b-3]"."a[b-2]"."a[b-1]"."a[b]}'| sort | uniq -c | sort -nr | head -30</code>

Top 30 Querying Clients:
<code>less queries.txt | awk '{print $4}'|sort | uniq -c | sort -nr | head -30</code>

Top FQDNs Queried by the Top 5 Clients:
<code>grep '10.10.10.10\|10.10.10.2\|10.10.10.3\|10.10.10.4\|10.10.10.5' queries.txt | awk '{print $8}'|sort | uniq -c | sort -nr | head -30</code>

Top Domains Queried by the Top 5 Clients:
<code>grep '10.10.10.10\|10.10.10.2\|10.10.10.3\|10.10.10.4\|10.10.10.5' queries.txt | awk '{split($8,a,".");b=length(a);print a[b-3]"."a[b-2]"."a[b-1]"."a[b]}'| sort | uniq -c | sort -nr | head -30</code>