Reputation: 2902
How to extract DNS records from .cap files
How can I print the DNS names that were resolved in a tcpdump capture file?
Upvotes: 2
Views: 9406
Answers (1)
Reputation: 2902
The simplest way to do that is using tshark ( bundled with wireshark ). Something like:
tshark -nr <your_capture.cap> -Y "dns.flags.response == 0" -T fields -e dns.qry.name -e dns.qry
Will print all the DNS responses you have in that capture file. You can improve that result by printing only the unique results using:
tshark -nr <your_capture.cap> -Y "dns.flags.response == 0" -T fields -e dns.qry.name -e dns.qry | sort | uniq
Or improve a little further by counting the number of times each name appears adding -c to uniq:
tshark -nr <your_capture.cap> -Y "dns.flags.response == 0" -T fields -e dns.qry.name -e dns.qry | sort | uniq -c
Will print something like:
2 www.ac-dc.cc
2 www.acdc.com
2 www.acdc-discography.com
2 www.acdcrocks.com
2 www.albertmusic.com
2 www.allmusic.com
2 www.amazon.com
2 www.apra.com.au
Upvotes: 4
Related Questions
- Extracting DNS info from a captured packet in C
- Python library to parse DNS from Wireshark capture file pcap
- How can I capture dns packets in c?
- Extracting domain name from a DNS Response packet using dpkt library
- C libpcap API extracting DNS query
- Capture the hostname only
- How to extract domain name from this DNS message?
- Read IP addresses and TTL from DNS response with dpkt
- Capturing DNS responses with PCap.Net?
- capturing dns packets using java