Activeco wrote:
> > Actually I needed a tool for only one task: to catch the NXDomain
> > requests (non existing domain names) from (part of) Internet, so I
>I have managed to enter the filter (dns.flags.response) and I see all the DN requests and responses, but my intention is to see only the requests which return "No such name" responses.
>Is there any way I could achieve that?
One of the easiest ways to create a display filter can be to use the Display/Prepare menu item, when you have a capture with similar data that you want to search for.
This method does not always result in a good display filter, but it often does.
I captured a DNS reply packet by making a ping to a (see packet below) and then I selected the row with the reply code:
.... .... .... 0011 = Reply code: No such name (3)
and then I used the Display/Prepare/Selected menu item and got the following display filter:
dns.flags.rcode == 3
That filter you could use to search for DNS packets with Reply code 3 (No such name).
Other methods could be to use the Edit/Display Filter.../Add Expression.../DNS dialog box and/or to use the SID together with some description of the DNS protocol:
http://www.ethereal.com/docs/user-guide/siddomainnameservice.html
http://www.networksorcery.com/enp/protocol/dns.htm
Domain Name System (response)
    Transaction ID: 0x0001
    Flags: 0x8583 (Standard query response, No such name)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0011 = Reply code: No such name (3)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 1
    Additional RRs: 0
    Queries
        texxxxxx.se: type A, class inet
            Name: texxxxxx.se
            Type: Host address
            Class: inet
    Authoritative nameservers
        se: type SOA, class inet, mname catcher-in-the-rye.nic-se.se
            Name: se
            Type: Start of zone of authority
            Class: inet
            Time to live: 1 day
            Data length: 59
            Primary name server: catcher-in-the-rye.nic-se.se
            Responsible authority's mailbox: registry.nic-se.se
            Serial number: 2003000000
            Refresh interval: 2 hours
            Retry interval: 1 hour
            Expiration limit: 28 days
            Minimum TTL: 1 day
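The filter dns.flags.rcode == 3 suggested in the reply above tests only the low four bits of the 16-bit DNS flags word (the ".... .... .... 0011" row of the dump), and it works without pairing requests to responses because the server echoes the question section back, so the "No such name" reply already carries the name that was asked for. The following added example (not code from the post, from Ethereal or from Activeco) rebuilds that logic in Python over constructed DNS messages: the NXDOMAIN message reproduces the 0x8583 flags and the texxxxxx.se question from the dump, while the other names, the helper names and the sample traffic are assumptions made here.

```python
import struct

# Constructed sample data: the byte strings below are built in this file,
# not captured from the thread; only texxxxxx.se and flags 0x8583 come
# from the dump in the post.

RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "No such name", 4: "Not implemented", 5: "Refused"}


def encode_name(name):
    """Encode a domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_message(txid, qname, rcode=0, response=True,
                      aa=False, rd=True, ra=False):
    """Build a one-question DNS message (type A, class IN).
    response=True, aa=True, ra=True, rcode=3 yields flags 0x8583 as in the post."""
    flags = ((0x8000 if response else 0)            # QR:    1... .... .... ....
             | (0x0400 if aa else 0)                # AA:    .... .1.. .... ....
             | (0x0100 if rd else 0)                # RD:    .... ...1 .... ....
             | (0x0080 if ra and response else 0)   # RA:    .... .... 1... ....
             | (rcode & 0x000F))                    # RCODE: .... .... .... xxxx
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_dns(data):
    """Parse the header and the first question of a DNS message."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {
        "id": txid,
        "flags": flags,
        "response": bool(flags & 0x8000),   # what dns.flags.response tests
        "rcode": flags & 0x000F,            # what dns.flags.rcode tests
        "rcode_name": RCODE_NAMES.get(flags & 0x000F, "Reserved"),
        "qname": qname,
        "qtype": qtype,
        "answers": ancount,
    }


def nxdomain_names(messages):
    """Equivalent of the display filter dns.flags.rcode == 3: the queried
    names of all responses with reply code 3. Queries always carry rcode 0,
    so the response check is only a safeguard."""
    return [m["qname"] for m in map(parse_dns, messages)
            if m["response"] and m["rcode"] == 3]


# Constructed traffic: the query and NXDOMAIN reply for the name in the post,
# plus a NOERROR and a SERVFAIL reply for made-up names (assumptions).
SAMPLE_MESSAGES = [
    build_dns_message(0x0001, "texxxxxx.se", response=False),
    build_dns_message(0x0001, "texxxxxx.se", rcode=3, aa=True, ra=True),  # 0x8583
    build_dns_message(0x0002, "www.example.com", rcode=0, ra=True),
    build_dns_message(0x0003, "broken.example.net", rcode=2, ra=True),
]

if __name__ == "__main__":
    for m in map(parse_dns, SAMPLE_MESSAGES):
        print(f"id=0x{m['id']:04x} flags=0x{m['flags']:04x} "
              f"rcode={m['rcode']} ({m['rcode_name']}) qname={m['qname']}")
    print("NXDOMAIN names:", nxdomain_names(SAMPLE_MESSAGES))
```

Running the script lists all four constructed messages and then only texxxxxx.se as the NXDOMAIN name; the SERVFAIL reply (rcode 2) is correctly left out, which is the same distinction the display filter makes when you write rcode == 3 rather than, say, rcode != 0.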