On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <j...@thejof.com> wrote:
> This is going to be tricky to do, as DNS packets don't necessarily contain
> entire query values or FQDNs as complete strings due to packet label
> compression (remember, original DNS only has 512 bytes to work with).
Howdy,

The DNS query essentially always contains the full string in a sequence. It doesn't *have* to per the protocol, but you'll be hard pressed to find a real-world example where it doesn't.

The catch is, the dots aren't encoded. The components of the name being queried are separated by a byte indicating the length of the next piece. So, instead of www.google.com the query packet contains www 0x06 google 0x03 com.

You can implement this with --hex-string instead of --string, but you'll have to convert the entire thing to hex first.

Regards,
Bill Herrin

--
William D. Herrin ................ her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
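The length-prefixed wire encoding Bill describes, as an added example that is not part of the thread: a small Python encoder that turns a name into the bytes a query carries and into the `|..|` pattern iptables' `--hex-string` match expects, plus a decoder that follows the RFC 1035 compression pointers Jonathan raises (the names and sample packet below are constructed for the example).

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:          # a label on the wire is 1..63 bytes
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)                            # root label terminates the name
    return bytes(out)

def iptables_hex_string(name: str) -> str:
    """Render the wire form as the hex pattern used with iptables -m string --hex-string."""
    return "|" + " ".join(f"{b:02x}" for b in encode_name(name)) + "|"

def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Parse a name at offset, following 0xC0xx compression pointers (RFC 1035 section 4.1.4).
    Returns (dotted name, offset just past the name at its original location)."""
    labels, end, jumps = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # two-byte pointer to an earlier name in the packet
            if end is None:
                end = offset + 2             # the name's own bytes stop after the pointer
            jumps += 1
            if jumps > 64:                   # guard against pointer loops in malformed packets
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

# Constructed sample: a full name followed by "mail" + pointer back to "google.com" at offset 4.
SAMPLE_PACKET = encode_name("www.google.com") + b"\x04mail\xc0\x04"

if __name__ == "__main__":
    print(iptables_hex_string("www.google.com"))
    print(decode_name(SAMPLE_PACKET, 16))
```

Note that `--hex-string` matches bytes exactly, so a query for `WWW.Google.COM` (DNS names are case-insensitive, and some resolvers randomize label case) will not match the lowercase pattern.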