Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to breakdown the dns queries and show total number against each domain

From: Abdul Khader <akhader () ies etisalat ae>
Date: Thu, 9 Feb 2017 08:22:51 +0400
Dear Peter Wu,

Thanks for the detailed reply.



Thanks all for the quick and swift responses.


Abdul Khader




On 2/8/2017 6:05 PM, Peter Wu wrote:

Hi Abdul,

On Wed, Feb 08, 2017 at 10:18:18AM +0400, Abdul Khader wrote:

Dear All,
I have DNS capture. I would like to know total DNS queries against each
domain.
For example :
If there are DNS queries for google.com, facebook.com and 1000 other domains
etc in my capture file, I want to know total queries for against each
domain.

Using the "tshark" program, you can produce a text file with all names
from DNS queries. Using coreutils tools (sort and uniq), you can then
for obtain a report. For example:

     tshark -r dns.pcapng -Y dns.flags.response==0 -Tfields -e dns.qry.name | sort | uniq -c | sort -n

Note that it happens quite often that two queries are done for each
name, an A and AAAA lookup (for IPv4 and IPv6 addresses respectively).
This can result in larger numbers than you would expect.



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: