Wireshark-users: Re: [Wireshark-users] Any wireshark filter to differentiate between NXDOMAIN and
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 29 Mar 2017 11:44:48 +0200
Hi,

Oke, so you’re using an up to date Wireshark version, that’s good.
How about filtering out all ‘problems’, using:

	!(dns.flags.rcode == 0)

Does anything show up? Does it give you a clue? Why are you convinced NXRRSET should be present?

Thanks,
Jaap


> On 29 Mar 2017, at 11:35, Abdul Khader <akhader@xxxxxxxxxxxxxxx> wrote:
> 
> Hi,
> 
> I am using Version 2.2.5 (v2.2.5-0-g440fd4d).
> 
> dns.flags.rcode == 8 does not work. It's not giving any results.
> 
> 
> Regards
> 
> 
> 
> On 3/29/2017 1:32 PM, Jaap Keuter wrote:
>> Hi,
>> 
>> According to RFC 6895 that value (8) is used as RCODE for NXRRSET, so the filter
>> 
>> 	dns.flags.rcode == 8
>> 
>> Should be fine. What Wireshark version are you using?
>> 
>> Thanks,
>> Jaap
>> 
>> 
>> 
>>> On 29 Mar 2017, at 10:23, Abdul Khader <akhader@xxxxxxxxxxxxxxx> wrote:
>>> 
>>> Dear All,
>>> 
>>> Any wireshark filter which would give me NXRRSET and does not include NXDOMAIN
>>> 
>>> To get NXDOMAIN, we can use dns.flags.rcode == 3
>>> 
>>> But how do we get NXRRSET ?
>>> 
>>> 
>>> dns.flags.rcode == 8 or dns.flags.rcode == 0x8  does not work.
>>>