I am not officially subscribed to the list, so I am not sure where to send this 
reply.  I am basically trying to capture the payload of SMTP packets (i.e. the 
mail message itself), and to capture the DNS responses that show the queried 
domain name and the IP address it resolved to.  I am looking for the part of the 
DNS packet that reads "a1509.g.akamai.net: type A, class IN, addr 72.246.98.65" 
- as shown in the PDML excerpt below.  In the PDML that line is a <field> with an 
empty name (field name="") and show="a1509.g.akamai.net: type A, class IN, addr 
72.246.98.65", so there is no display-filter field name I can pass to -e, and I 
cannot figure out how to extract it using tshark at the command line.  Note that 
the named sub-fields nested under it (dns.resp.name, dns.resp.type, dns.resp.ttl) 
do carry names, so those should be selectable with -e; only the per-answer 
summary line and the "Addr:" line are unnamed in this dump.  Any thoughts?
[snipped: the preceding frame, udp, etc. proto sections of the packet]

<proto name="dns" showname="Domain Name System (response)" size="68" pos="42">

<field name="dns.response_to" showname="Request In: 5567" size="0" pos="42" 
show="5567"/>

<field name="dns.time" showname="Time: 0.014816000 seconds" size="0" pos="42" 
show="0.014816000"/>

<field name="dns.id" showname="Transaction ID: 0x1c20" size="2" pos="42" 
show="0x1c20" value="1c20"/>

<field name="dns.flags" showname="Flags: 0x8400 (Standard query response, No 
error)" size="2" pos="44" show="0x8400" value="8400">

<field name="dns.flags.response" showname="1... .... .... .... = Response: 
Message is a response" size="2" pos="44" show="1" value="1" 
unmaskedvalue="8400"/>

<field name="dns.flags.opcode" showname=".000 0... .... .... = Opcode: Standard 
query (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

<field name="dns.flags.authoritative" showname=".... .1.. .... .... = 
Authoritative: Server is an authority for domain" size="2" pos="44" show="1" 
value="1" unmaskedvalue="8400"/>

<field name="dns.flags.truncated" showname=".... ..0. .... .... = Truncated: 
Message is not truncated" size="2" pos="44" show="0" value="0" 
unmaskedvalue="8400"/>

<field name="dns.flags.recdesired" showname=".... ...0 .... .... = Recursion 
desired: Don&apos;t do query recursively" size="2" pos="44" show="0" value="0" 
unmaskedvalue="8400"/>

<field name="dns.flags.recavail" showname=".... .... 0... .... = Recursion 
available: Server can&apos;t do recursive queries" size="2" pos="44" show="0" 
value="0" unmaskedvalue="8400"/>

<field name="dns.flags.z" showname=".... .... .0.. .... = Z: reserved (0)" 
size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

<field name="dns.flags.authenticated" showname=".... .... ..0. .... = Answer 
authenticated: Answer/authority portion was not authenticated by the server" 
size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

<field name="dns.flags.rcode" showname=".... .... .... 0000 = Reply code: No 
error (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

</field>

<field name="dns.count.queries" showname="Questions: 1" size="2" pos="46" 
show="1" value="0001"/>

<field name="dns.count.answers" showname="Answer RRs: 2" size="2" pos="48" 
show="2" value="0002"/>

<field name="dns.count.auth_rr" showname="Authority RRs: 0" size="2" pos="50" 
show="0" value="0000"/>

<field name="dns.count.add_rr" showname="Additional RRs: 0" size="2" pos="52" 
show="0" value="0000"/>

<field name="" show="Queries" size="24" pos="54" 
value="056131353039016706616b616d6169036e65740000010001">

<field name="" show="a1509.g.akamai.net: type A, class IN" size="24" pos="54" 
value="056131353039016706616b616d6169036e65740000010001">

<field name="dns.qry.name" showname="Name: a1509.g.akamai.net" size="20" 
pos="54" show="a1509.g.akamai.net" 
value="056131353039016706616b616d6169036e657400"/>

<field name="dns.qry.type" showname="Type: A (Host address)" size="2" pos="74" 
show="0x0001" value="0001"/>

<field name="dns.qry.class" showname="Class: IN (0x0001)" size="2" pos="76" 
show="0x0001" value="0001"/>

</field>

</field>

<field name="" show="Answers" size="32" pos="78" 
value="c00c0001000100000014000448f66219c00c0001000100000014000448f66241">

<field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.25" 
size="16" pos="78" value="c00c0001000100000014000448f66219">

<field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" 
pos="78" show="a1509.g.akamai.net" value="c00c"/>

<field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="80" 
show="0x0001" value="0001"/>

<field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="82" 
show="0x0001" value="0001"/>

<field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" 
pos="84" show="20" value="00000014"/>

<field name="dns.resp.len" showname="Data length: 4" size="2" pos="88" show="4" 
value="0004"/>

<field name="" show="Addr: 72.246.98.25" size="4" pos="90" value="48f66219"/>

</field>

<field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65" 
size="16" pos="94" value="c00c0001000100000014000448f66241">

<field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" 
pos="94" show="a1509.g.akamai.net" value="c00c"/>

<field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="96" 
show="0x0001" value="0001"/>

<field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="98" 
show="0x0001" value="0001"/>

<field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" 
pos="100" show="20" value="00000014"/>

<field name="dns.resp.len" showname="Data length: 4" size="2" pos="104" 
show="4" value="0004"/>

<field name="" show="Addr: 72.246.98.65" size="4" pos="106" value="48f66241"/>

</field>

</field>

</proto>

</packet>



On Wed, Mar 26, 2008 at 04:06:50PM -0500, Mark Sass wrote:

> I am trying to extract fields from pcap files using tshark.  I am 
> currently using a format like this:
> 
> tshark -r pcapfile -R "tcp.port eq xxx" -Tfields -e field1 -e field2
> 
> I don't see the fields I wanted listed on the wireshark display filter 
> reference listing, and when looking at the pcap files after conversion 
> to PDML, the fields show up like this:

Which field(s) are you trying to extract?


Steve
