[Winpcap-users] capturing DNS responses?

Guy Harris guy at alum.mit.edu
Tue Aug 17 17:28:42 PDT 2010


On Aug 17, 2010, at 4:12 AM, Greg Hauptmann wrote:

> Q1 - Is it possible to capture DNS request/responses with the library?

libpcap and the kernel mechanisms atop which it runs, and WinPcap, including both the library and the driver, and the kernel mechanism (NDIS) into which it plugs, are capable of handling any type of packet, including UDP packets to and from port 53, such as DNS traffic.

(I.e., there's nothing special required to capture DNS packets; it's just network traffic, and libpcap/WinPcap and the mechanisms they use don't care about details up at the UDP layer and above, and care little if anything about details below.)

The filtering mechanism used by libpcap/WinPcap is capable of, for example, checking for UDP packets to and from port 53, so if you want to set a capture filter to capture particular packets, including packets to and from UDP port 53, you can do that.

> Q2 - If yes, once I have the packet does anyone have any sample code
> that shows how I could extract the fields from the DNS response?

Some code that parses DNS packets is

	1) print-domain.c in the tcpdump/WinDump source

and

	2) epan/dissectors/packet-dns.c in the Wireshark source.
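
[Editor's note: an added worked example, not part of the original message and not taken from tcpdump's print-domain.c or Wireshark's packet-dns.c.] The C program below does in user space what the two answers above describe. dns_payload() applies the same untagged-Ethernet/IPv4/UDP test that the capture filter "udp port 53" performs (libpcap's filter also matches IPv6 and VLAN-tagged frames; that is omitted here for brevity), and dns_parse_answers() then decodes the DNS header, skips the question section and extracts each answer RR, following RFC 1035 name-compression pointers and rejecting forward/self pointers, truncated records and queries (QR=0). The frame bytes, the 10.0.0.x addresses and the 93.184.216.34 RDATA are constructed sample data, not captured traffic; in a real program the frame would arrive via pcap_loop()/pcap_next_ex() after pcap_compile()/pcap_setfilter() installed the filter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample frame (not a real capture): Ethernet + IPv4 + UDP + DNS response with one A RR. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet, type IPv4 */
    0x45,0x00, 0x00,0x49, 0x00,0x00, 0x00,0x00, 0x40,0x11, 0x00,0x00,          /* IPv4: len 73, proto 17 (UDP) */
    10,0,0,1, 10,0,0,2,                                                         /* src/dst (checksum left 0) */
    0x00,0x35, 0x30,0x39, 0x00,0x35, 0x00,0x00,                                /* UDP: sport 53, dport 12345, len 53 */
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,          /* DNS: ID, flags QR|RD|RA, QD=1 AN=1 */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,     /* Question: example.com A IN */
    0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x04, 93,184,216,34 /* RR: ptr->12, A, IN, TTL 3600 */
};

struct dns_answer {
    char name[256];                  /* owner name, decompressed, dotted text */
    uint16_t type, rclass, rdlength; uint32_t ttl;
    const uint8_t *rdata;            /* points into the message buffer */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Same test as the capture filter "udp port 53" (untagged Ethernet + IPv4 only); returns DNS message or NULL. */
static const uint8_t *dns_payload(const uint8_t *f, size_t len, size_t *dnslen)
{
    if (len < 42 || f[12] != 0x08 || f[13] != 0x00) return NULL;        /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4, iplen = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17) return NULL;     /* not UDP */
    if (iplen > len - 14 || iplen < ihl + 8) return NULL;              /* truncated */
    const uint8_t *udp = ip + ihl; size_t udplen = rd16(udp + 4);
    if (rd16(udp) != 53 && rd16(udp + 2) != 53) return NULL;           /* neither port is 53 */
    if (udplen < 8 || udplen > iplen - ihl) return NULL;
    *dnslen = udplen - 8;
    return udp + 8;
}

/* Decode the possibly compressed name (RFC 1035 4.1.4) at msg[off] into out. Returns the offset just
 * past the name field, or -1 if malformed. Pointers must point backwards, which also rejects loops. */
static int dns_read_name(const uint8_t *msg, size_t len, size_t off, char *out, size_t outlen)
{
    size_t pos = off, outpos = 0, target; int end = -1;   /* end: offset after the first pointer */
    for (;;) {
        if (pos >= len) return -1;
        uint8_t lab = msg[pos];
        if ((lab & 0xC0) == 0xC0) {                        /* two-byte compression pointer */
            if (pos + 1 >= len) return -1;
            target = ((size_t)(lab & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos) return -1;                  /* forward or self pointer: malformed */
            if (end < 0) end = (int)(pos + 2);
            pos = target; continue;
        }
        if (lab & 0xC0) return -1;                         /* 0x40/0x80 label types: unsupported */
        pos++;
        if (lab == 0) break;                               /* root label terminates the name */
        if (pos + lab > len || outpos + lab + 1 >= outlen) return -1;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos, lab);
        outpos += lab; pos += lab;
    }
    out[outpos] = '\0';
    return end >= 0 ? end : (int)pos;
}

/* Parse a DNS response: header, skip questions, decode up to max answer RRs. Returns count or -1. */
static int dns_parse_answers(const uint8_t *msg, size_t len, struct dns_answer *out, int max)
{
    if (len < 12 || !(rd16(msg + 2) & 0x8000)) return -1;   /* QR=0: a query, not a response */
    uint16_t qd = rd16(msg + 4), an = rd16(msg + 6);
    size_t off = 12; char qname[256]; int n, count = 0;
    for (uint16_t i = 0; i < qd; i++) {                     /* QNAME, then QTYPE + QCLASS */
        if ((n = dns_read_name(msg, len, off, qname, sizeof qname)) < 0 || (size_t)n + 4 > len) return -1;
        off = (size_t)n + 4;
    }
    for (uint16_t i = 0; i < an && count < max; i++, count++) {
        struct dns_answer *a = &out[count];
        if ((n = dns_read_name(msg, len, off, a->name, sizeof a->name)) < 0 || (size_t)n + 10 > len) return -1;
        a->type = rd16(msg + n); a->rclass = rd16(msg + n + 2);
        a->ttl = rd32(msg + n + 4); a->rdlength = rd16(msg + n + 8);
        off = (size_t)n + 10;
        if (off + a->rdlength > len) return -1;             /* RDATA runs past the buffer */
        a->rdata = msg + off;
        off += a->rdlength;
    }
    return count;
}

int main(void)
{
    size_t dnslen; struct dns_answer a[8];
    const uint8_t *dns = dns_payload(sample_frame, sizeof sample_frame, &dnslen);
    int n = dns ? dns_parse_answers(dns, dnslen, a, 8) : -1;
    if (n < 0) return puts("not a parseable DNS response"), 1;
    for (int i = 0; i < n; i++) {
        printf("%s type=%u class=%u ttl=%u\n", a[i].name, a[i].type, a[i].rclass, (unsigned)a[i].ttl);
        if (a[i].type == 1 && a[i].rdlength == 4)           /* A record: print RDATA as a dotted quad */
            printf("  A %u.%u.%u.%u\n", a[i].rdata[0], a[i].rdata[1], a[i].rdata[2], a[i].rdata[3]);
    }
    return 0;
}
```

The bounds checks are the part worth copying: every field read is preceded by a length test, and a compression pointer is only followed if it points strictly backwards, so a crafted response cannot make the parser read past the buffer or spin forever. Only A RDATA is decoded here; other types (CNAME, NS, MX, TXT) need their own decoding, and the two references above show how tcpdump and Wireshark handle them.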

