Wireshark-dev: Re: [Wireshark-dev] dns fields to mysql
From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Wed, 7 Apr 2010 13:51:24 +1000
Unfortunately, you are going to have to do a bit of your own parsing I think. While a lot of the fields are properly parsed out as named fields, some are left as unnamed text items. You can see this if you look at a DNS response packet and select "useful" fields (such as the IP address in a resource record field) and watch the Status bar. You will note there that these are unnamed text items. It is also obvious when you export such a frame to PDML. You can see a number of fields with just "show" attributes, but no name; see a snippet below. I would suggest you could add a bug/feature request to the Wireshark bugzilla and see if it gets worked on. (You would normally use something like custom columns in Wireshark, or "tshark -T fields" to display individual fields, but it won't work on fields without names.)
 
    <field name="" show="Additional records" size="107" pos="272" value="c0a2000100010000b4170004d8ef3509c0b2000100010000b417000440e9b309c0c2000100010000b417000440e9a109c0d2000100010000b4040004d1558909c0e2000100010000b4040004480eeb09c092000100010000b404000440e9a7090000291000000000000000">
      <field name="" show="a.l.google.com: type A, class IN, addr 216.239.53.9" size="16" pos="272" value="c0a2000100010000b4170004d8ef3509">
        <field name="dns.resp.name" showname="Name: a.l.google.com" size="2" pos="272" show="a.l.google.com" value="c0a2"/>
        <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="274" show="0x0001" value="0001"/>
        <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="276" show="0x0001" value="0001"/>
        <field name="dns.resp.ttl" showname="Time to live: 12 hours, 48 minutes, 23 seconds" size="4" pos="278" show="46103" value="0000b417"/>
        <field name="dns.resp.len" showname="Data length: 4" size="2" pos="282" show="4" value="0004"/>
        <field name="" show="Addr: 216.239.53.9" size="4" pos="284" value="d8ef3509"/>
      </field>
      <field name="" show="b.l.google.com: type A, class IN, addr 64.233.179.9" size="16" pos="288" value="c0b2000100010000b417000440e9b309">
        <field name="dns.resp.name" showname="Name: b.l.google.com" size="2" pos="288" show="b.l.google.com" value="c0b2"/>
        <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="290" show="0x0001" value="0001"/>
        <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="292" show="0x0001" value="0001"/>
        <field name="dns.resp.ttl" showname="Time to live: 12 hours, 48 minutes, 23 seconds" size="4" pos="294" show="46103" value="0000b417"/>
        <field name="dns.resp.len" showname="Data length: 4" size="2" pos="298" show="4" value="0004"/>
        <field name="" show="Addr: 64.233.179.9" size="4" pos="300" value="40e9b309"/>
      </field>
 
On Wed, Apr 7, 2010 at 12:05 PM, Hamid Reza Alipour <hra@xxxxxxxxxxxxxxxxx> wrote:
I want to save the DNS header fields and RRs in mysql. As tshark/wireshark is a well-known protocol analyser, I am thinking about a way that can pipe the output of tshark/wireshark to mysql.
Is there any solution for this? Thanks.
I tried tshark, but tshark will not give me all the protocol information and only gives me some summarized info. I can get an XML output by the -pdml option, but I don't know how I can pipe it to mysql.
I appreciate any help.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
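One way to do the parsing Martin describes, as an added example that is not part of this thread or of Wireshark's own code: it walks a PDML document with Python's standard xml.etree, reads the named dns.resp.* fields from each resource record, and recovers the address from the unnamed "Addr:" field by decoding the hex `value` attribute (the raw rdata) and cross-checking it against the free-text `show` attribute, which is the part that can silently change between Wireshark versions. The rows are then loaded into a table; sqlite3 stands in for MySQL here so the block runs offline (swap the driver and the placeholder style for a real MySQL connection). The SAMPLE_PDML document is constructed from the two records in the snippet above, wrapped in a minimal pdml/packet/proto skeleton, and the dns_rr table layout is my own assumption.

```python
import ipaddress
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample: the two A records from the PDML snippet in the thread,
# wrapped in a minimal <pdml>/<packet>/<proto> skeleton so that the XML parses.
SAMPLE_PDML = """<?xml version="1.0" encoding="utf-8"?>
<pdml version="0">
  <packet>
    <proto name="dns" showname="Domain Name System (response)">
      <field name="" show="Additional records" size="107" pos="272">
        <field name="" show="a.l.google.com: type A, class IN, addr 216.239.53.9" size="16" pos="272" value="c0a2000100010000b4170004d8ef3509">
          <field name="dns.resp.name" showname="Name: a.l.google.com" size="2" pos="272" show="a.l.google.com" value="c0a2"/>
          <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="274" show="0x0001" value="0001"/>
          <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="276" show="0x0001" value="0001"/>
          <field name="dns.resp.ttl" showname="Time to live: 12 hours, 48 minutes, 23 seconds" size="4" pos="278" show="46103" value="0000b417"/>
          <field name="dns.resp.len" showname="Data length: 4" size="2" pos="282" show="4" value="0004"/>
          <field name="" show="Addr: 216.239.53.9" size="4" pos="284" value="d8ef3509"/>
        </field>
        <field name="" show="b.l.google.com: type A, class IN, addr 64.233.179.9" size="16" pos="288" value="c0b2000100010000b417000440e9b309">
          <field name="dns.resp.name" showname="Name: b.l.google.com" size="2" pos="288" show="b.l.google.com" value="c0b2"/>
          <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="290" show="0x0001" value="0001"/>
          <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="292" show="0x0001" value="0001"/>
          <field name="dns.resp.ttl" showname="Time to live: 12 hours, 48 minutes, 23 seconds" size="4" pos="294" show="46103" value="0000b417"/>
          <field name="dns.resp.len" showname="Data length: 4" size="2" pos="298" show="4" value="0004"/>
          <field name="" show="Addr: 64.233.179.9" size="4" pos="300" value="40e9b309"/>
        </field>
      </field>
    </proto>
  </packet>
</pdml>
"""


def _child_show(rr, name):
    """Return the `show` text of the first direct child field with this name, or None."""
    for f in rr.findall("field"):
        if f.get("name") == name:
            return f.get("show")
    return None


def _addr_from_value(hexvalue):
    """Decode A/AAAA rdata from the hex `value` attribute; the raw bytes are authoritative."""
    raw = bytes.fromhex(hexvalue)
    if len(raw) in (4, 16):
        return str(ipaddress.ip_address(raw))
    return None


def extract_records(pdml_text):
    """Walk every DNS proto in a PDML document and return one dict per resource record."""
    root = ET.fromstring(pdml_text)
    # ElementTree has no parent pointers; build a map so we can read the section name.
    parent = {child: p for p in root.iter() for child in p}
    records = []
    for pkt_no, packet in enumerate(root.findall("packet"), start=1):
        for proto in packet.findall("proto"):
            if proto.get("name") != "dns":
                continue
            for rr in proto.iter("field"):
                name = _child_show(rr, "dns.resp.name")
                if name is None:
                    continue  # not a resource-record container (section node or leaf)
                section = parent[rr].get("show", "")  # e.g. "Additional records"
                addr_text = addr_raw = None
                for f in rr.findall("field"):
                    # The address has no field name; only its free-text `show` identifies it.
                    if f.get("name") == "" and f.get("show", "").startswith("Addr:"):
                        addr_text = f.get("show").split(":", 1)[1].strip()
                        addr_raw = _addr_from_value(f.get("value", ""))
                # Cross-check the free text against the decoded rdata before storing it.
                if addr_text is not None and addr_text != addr_raw:
                    raise ValueError(f"Addr text {addr_text!r} disagrees with rdata {addr_raw!r}")
                records.append({
                    "packet": pkt_no,
                    "section": section,
                    "name": name,
                    "rtype": int(_child_show(rr, "dns.resp.type"), 0),   # "0x0001" -> 1
                    "rclass": int(_child_show(rr, "dns.resp.class"), 0),
                    "ttl": int(_child_show(rr, "dns.resp.ttl"), 0),       # "46103" -> 46103
                    "addr": addr_raw,
                })
    return records


def load_into_db(records, db_path=":memory:"):
    """Insert the records into a dns_rr table (assumed layout); sqlite3 stands in for MySQL."""
    conn = sqlite3.connect(db_path)
    conn.execute("""CREATE TABLE IF NOT EXISTS dns_rr (
        packet INTEGER, section TEXT, name TEXT, rtype INTEGER,
        rclass INTEGER, ttl INTEGER, addr TEXT)""")
    conn.executemany(
        "INSERT INTO dns_rr VALUES (:packet, :section, :name, :rtype, :rclass, :ttl, :addr)",
        records)
    conn.commit()
    rows = conn.execute("SELECT name, addr FROM dns_rr ORDER BY packet, name").fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for name, addr in load_into_db(extract_records(SAMPLE_PDML)):
        print(f"{name} -> {addr}")
```

Feed it the real thing with `tshark -r capture.pcap -T pdml` piped to stdin and `ET.fromstring(sys.stdin.read())`, or `ET.iterparse` for large captures. Keeping the address decoded from `value` rather than from `show` is what makes a stored table of historical answers (which names resolved to which address, and when) trustworthy for later lookups.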