Re: Filter by DNS query

[Guy Harris <guy () alum mit edu>]

On Jul 2, 2004, at 8:29 PM, J.R. Lillard wrote:

> Is it possible to filter packets by the DNS query?
>   For example, how could I dump all packets trying to resolve 
> google.com?

The filtering engine in libpcap isn't powerful enough to do that 
easily, if at all (it's intended to be simple enough to be put into OS 
kernel code and allow applications to hand it programs to evaluate 
filter expressions).  It might be possible to construct a fairly 
elaborate filter that would catch, for example, straightforward queries 
for A records for "google.com" (doing so is left purely as an exercise 
for the reader) but it might not even be possible to construct a filter 
to catch *all* queries for "google.com".

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.