jpr5 / ngrep

ngrep is like GNU grep applied to the network layer. It's a PCAP-based tool that allows you to specify an extended regular or hexadecimal expression to match against data payloads of packets. It understands many kinds of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a wide variety of interface types, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
https://github.com/jpr5/ngrep

Filtering for DNS queries does not yield an answer? #18

Open rbjorklin opened 5 years ago

rbjorklin commented 5 years ago

I've tried filtering for DNS queries and can't see an IP in the response. What am I doing wrong?

sudo ngrep -W single -l -q -d any -i "" udp and port 53
interface: any
filter: ( udp and port 53 ) and (ip || ip6)

U 10.0.0.2:53278 -> 10.0.0.1:53 "k...........duckduckgo.com.....

U 10.0.0.2:53278 -> 10.0.0.1:53 .............duckduckgo.com.....

U 10.0.0.1:53 -> 10.0.0.2:53278 .............duckduckgo.com..............<.B.ns-175.awsdns-21...awsdns-hostmaster.amazon......... ......u...Q.

U 10.0.0.1:53 -> 10.0.0.2:53278 "k...........duckduckgo.com..............<..2..j.........<..6...

buxel commented 1 year ago

I'm in the same boat. It is possible to see the answers in tcpdump but not in ngrep. I would like to use ngrep to filter out all the DNS responses which resolve to a certain IP (192.167.178.4 in the example below).

tcpdump for reference

# tcpdump -nnlvi any "udp src port 53 and udp[10] & 0x80 = 128"
13:39:22.189673 eth0  Out IP (tos 0x0, ttl 64, id 35371, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.178.2.53 > 192.168.178.21.60634: 2 1/0/0 server.lan. A 192.168.178.4 (43)
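Why the address never appears in ngrep's output, shown with an added example that is not part of the issue or of ngrep's code: an A record carries its address as four raw bytes, which ngrep's default printer renders as `.`, while tcpdump decodes the record. The script below takes a constructed DNS response modelled on the tcpdump line above (an assumption, not a capture) and both decodes the answer and reproduces what ngrep's printer would show for the same bytes.

```python
import ipaddress
import struct
# Constructed DNS response modelled on the tcpdump line above (not a capture):
# id 2, flags 0x8180 (QR set), question server.lan. A IN, answer A 192.168.178.4
# with TTL 60; the answer name is a 0xC00C compression pointer to offset 12.
RESPONSE = (
    b"\x00\x02\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x06server\x03lan\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\xa8\xb2\x04"
)

def ngrep_view(buf):
    """Mimic ngrep's default printer: printable ASCII kept, all else shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in buf)

def read_name(buf, off):
    """Decode a DNS name at off, following compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # pointer: jump, remember where we were
            end = end if end is not None else off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def parse_answers(buf):
    """Return [(name, rtype, ttl, rdata)] per answer; A rdata is decoded to dotted text."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    assert flags & 0x8000, "not a response"      # QR bit, same test as udp[10] & 0x80
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(buf, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record: four raw bytes, never ASCII
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, ttl, rdata))
    return answers
```

The dotted text "192.168.178.4" is simply not present in the payload, so no ngrep match expression on it can ever hit; ngrep's `-x` hex dump makes the four bytes visible instead.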