Wireshark mailing list archives

Re: dns fields to mysql


From: Martin Visser <martinvisser99 () gmail com>
Date: Wed, 7 Apr 2010 13:51:24 +1000

Unfortunately, you are going to have to do a bit of your own parsing I
think. While a lot of the fields are properly parsed out as named fields,
some are left as unnamed text items. You can see this if you look at a DNS
response packet and select "useful" fields (such as the IP address in a
resource record field) and watch the Status bar. You will note there that
these are unnamed text items. It is also obvious when you export such a
frame to PDML. You can see a number of fields with just "show" attributes,
but no name - see a snippet below. I would suggest you could add a bug/feature
request to the wireshark bugzilla and see if it gets worked on. (You would
normally use something like custom columns in Wireshark, or "tshark -T
fields" to display individual fields, but it won't work on fields without
names.)

    <field name="" show="Additional records" size="107" pos="272"
value="c0a2000100010000b4170004d8ef3509c0b2000100010000b417000440e9b309c0c2000100010000b417000440e9a109c0d2000100010000b4040004d1558909c0e2000100010000b4040004480eeb09c092000100010000b404000440e9a7090000291000000000000000">
      <field name="" show="a.l.google.com: type A, class IN, addr
216.239.53.9" size="16" pos="272" value="c0a2000100010000b4170004d8ef3509">
        <field name="dns.resp.name" showname="Name: a.l.google.com" size="2"
pos="272" show="a.l.google.com" value="c0a2"/>
        <field name="dns.resp.type" showname="Type: A (Host address)"
size="2" pos="274" show="0x0001" value="0001"/>
        <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2"
pos="276" show="0x0001" value="0001"/>
        <field name="dns.resp.ttl" showname="Time to live: 12 hours, 48
minutes, 23 seconds" size="4" pos="278" show="46103" value="0000b417"/>
        <field name="dns.resp.len" showname="Data length: 4" size="2"
pos="282" show="4" value="0004"/>
        <field name="" show="Addr: 216.239.53.9" size="4" pos="284"
value="d8ef3509"/>
      </field>
      <field name="" show="b.l.google.com: type A, class IN, addr
64.233.179.9" size="16" pos="288" value="c0b2000100010000b417000440e9b309">
        <field name="dns.resp.name" showname="Name: b.l.google.com" size="2"
pos="288" show="b.l.google.com" value="c0b2"/>
        <field name="dns.resp.type" showname="Type: A (Host address)"
size="2" pos="290" show="0x0001" value="0001"/>
        <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2"
pos="292" show="0x0001" value="0001"/>
        <field name="dns.resp.ttl" showname="Time to live: 12 hours, 48
minutes, 23 seconds" size="4" pos="294" show="46103" value="0000b417"/>
        <field name="dns.resp.len" showname="Data length: 4" size="2"
pos="298" show="4" value="0004"/>
        <field name="" show="Addr: 64.233.179.9" size="4" pos="300"
value="40e9b309"/>
      </field>


Regards, Martin

MartinVisser99 () gmail com
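One way to do the parsing Martin describes, as an added example that is not part of this thread: walk the PDML, read the named dns.resp.* fields, recover the unnamed address item from its raw "value" bytes rather than its display text, and turn each record into a bound-parameter INSERT for MySQL. The dns_rr table, the SAMPLE_PDML wrapper elements and closing tags are assumptions, not from the page.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed PDML sample modelled on the snippet quoted above; the <pdml>,
# <packet>/<proto> wrappers and closing tags are assumed, not from the page.
SAMPLE_PDML = """<pdml><packet><proto name="dns">
 <field name="" show="Additional records" size="107" pos="272">
  <field name="" show="a.l.google.com: type A, class IN, addr 216.239.53.9"
         size="16" pos="272" value="c0a2000100010000b4170004d8ef3509">
   <field name="dns.resp.name" show="a.l.google.com" pos="272" value="c0a2"/>
   <field name="dns.resp.type" show="0x0001" pos="274" value="0001"/>
   <field name="dns.resp.class" show="0x0001" pos="276" value="0001"/>
   <field name="dns.resp.ttl" show="46103" pos="278" value="0000b417"/>
   <field name="dns.resp.len" show="4" pos="282" value="0004"/>
   <field name="" show="Addr: 216.239.53.9" pos="284" value="d8ef3509"/>
  </field>
 </field>
</proto></packet></pdml>"""

def parse_rrs(pdml_text):
    """Return one dict per DNS resource record in the PDML document."""
    rows = []
    for proto in ET.fromstring(pdml_text).iter("proto"):
        if proto.get("name") != "dns":
            continue
        # An RR is a <field> whose direct children include dns.resp.name; the
        # "Additional records" container has only unnamed children, so it is skipped.
        for rr in proto.iter("field"):
            kids = rr.findall("field")
            named = {f.get("name"): f for f in kids if f.get("name")}
            if "dns.resp.name" not in named:
                continue
            rtype = int(named["dns.resp.type"].get("show"), 16)
            addr = None
            # The address item has no name, so find it by its show text and decode
            # the raw bytes in "value" instead of scraping the display string.
            for f in kids:
                if not f.get("name") and f.get("show", "").startswith("Addr:"):
                    raw = bytes.fromhex(f.get("value", ""))
                    if rtype == 1 and len(raw) == 4:  # type A: 4-byte IPv4 rdata
                        addr = str(ipaddress.IPv4Address(raw))
            rows.append({"name": named["dns.resp.name"].get("show"), "rtype": rtype,
                         "rclass": int(named["dns.resp.class"].get("show"), 16),
                         "ttl": int(named["dns.resp.ttl"].get("show")), "addr": addr})
    return rows

def to_insert_statements(rows):
    """Parameterised INSERTs for an assumed dns_rr table; values are bound, never interpolated."""
    sql = "INSERT INTO dns_rr (name, rtype, rclass, ttl, addr) VALUES (%s,%s,%s,%s,%s)"
    return [(sql, (r["name"], r["rtype"], r["rclass"], r["ttl"], r["addr"])) for r in rows]
```

Each (sql, params) pair can be handed to a DB-API cursor's execute(), which keeps names taken from untrusted DNS traffic out of the SQL text itself.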


On Wed, Apr 7, 2010 at 12:05 PM, Hamid Reza Alipour
<hra () email arizona edu>wrote:

I want to save the DNS header fields and RRs in mysql. As the
tshark/wireshark is a well-known protocol analyser I am thinking about a
way that can pipe the output of tshark/wireshark to mysql.
Is there any solution for this? Thanks.
I tried the tshark but the tshark will not give me all the protocol
information and only will give me some summarized info. I can get an xml
output by -pdml option but I don't know how I can pipe it to mysql.
I appreciate any help.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
