Does anyone know how I might be able to filter DNS requests in tshark which ask for the ANY record?
So far I am able to filter DNS queries with:
tshark -r capture.cap -T fields -e ip.src -e ip.dst -e dns.qry.name -R "dns.flags.response eq 0"
How would I also filter by ANY ?
user2284355
1 Answer
You would need to filter queries where the QTYPE is * (also known as ANY) (represented by the integer 255):
In Wireshark or NetMon this would be
"dns.qry.type==255"
So for tshark
I assume it would be:
"dns.qry.type eq 255"
You can find the numerical values for all query types in RFC 1035 §3.2.3 "QTYPE Values"
Mathias R. Jessen