Extracting domain name from a DNS Response packet using dpkt library
<p>I'm trying to generate a list of all domain names and their corresponding IP addresses from a pcap file, using the dpkt library available <a href="http://code.google.com/p/dpkt/" rel="nofollow">here</a>.</p>
<p>My code is mostly based on <a href="http://mishou.org/2010/04/13/passive-dns-mining-from-pcap-with-dpkt-python/" rel="nofollow">this</a>.</p>
<pre><code>import socket
import dpkt

filename = raw_input('Type filename of pcap file (without extension): ')
path = 'c:/temp/PcapParser/' + filename + '.pcap'
f = open(path, 'rb')
pcap = dpkt.pcap.Reader(f)

for ts, buf in pcap:
    # make sure we are dealing with IP traffic
    try:
        eth = dpkt.ethernet.Ethernet(buf)
    except:
        continue
    if eth.type != 2048:
        continue
    # make sure we are dealing with UDP protocol
    try:
        ip = eth.data
    except:
        continue
    if ip.p != 17:
        continue
    # filter on UDP assigned ports for DNS
    try:
        udp = ip.data
    except:
        continue
    if udp.sport != 53 and udp.dport != 53:
        continue
    # make the dns object out of the udp data and
    # check for it being a RR (answer) and for opcode QUERY
    try:
        dns = dpkt.dns.DNS(udp.data)
    except:
        continue
    if dns.qr != dpkt.dns.DNS_R:
        continue
    if dns.opcode != dpkt.dns.DNS_QUERY:
        continue
    if dns.rcode != dpkt.dns.DNS_RCODE_NOERR:
        continue
    if len(dns.an) &lt; 1:
        continue
    # process and print responses based on record type
    for answer in dns.an:
        if answer.type == 1:  # DNS_A
            print 'Domain Name: ', answer.name, '\tIP Address: ', socket.inet_ntoa(answer.rdata)
</code></pre>
<p>The problem is that answer.name is not good enough for me, because I need the original domain name requested, and not its CNAME representation. For example, one of the original DNS requests was for <code>www.paypal.com</code>, but the CNAME representation of it is <code>paypal.112.2o7.net</code>.</p>
<p>I looked closely at the code and realized I'm actually extracting the information from the DNS Response (and not the query). Then I looked at the response packet in Wireshark and saw that the original domain is there, under 'queries' and under 'answers', so my question is how can I extract it?</p>
<p>Thanks!</p>
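The name that was asked for lives in the question section of the response (in dpkt that is the `dns.qd` list, alongside `dns.an`), and the CNAME record in the answer section is what links it to the A record. The following is an added example, not code from the post or from dpkt: a stdlib-only parser over a constructed response message (not a real capture) that pulls the question name, decodes the compressed answer names, and walks the CNAME chain to map the requested name to its IP.

```python
import socket
import struct

def read_name(pkt, off):
    """Decode the name at pkt[off:], following RFC 1035 compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while pkt[off]:
        if pkt[off] & 0xC0 == 0xC0:                       # 2-byte pointer into an earlier name
            end = off + 2 if end is None else end         # resume after the pointer once it is followed
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
        else:
            labels.append(pkt[off + 1:off + 1 + pkt[off]].decode("ascii"))
            off += 1 + pkt[off]
    return ".".join(labels), (off + 1 if end is None else end)

def parse_response(pkt):
    """Return (question names, [(owner, rtype, rdata), ...]) for one DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", pkt)
    assert flags & 0x8000, "QR bit clear: this is a query, not a response"
    off, questions, answers = 12, [], []
    for _ in range(qdcount):                              # question section: the name that was asked for
        name, off = read_name(pkt, off)
        questions.append(name)
        off += 4                                          # skip QTYPE and QCLASS
    for _ in range(ancount):                              # answer section: CNAME and A records
        owner, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        answers.append((owner, rtype,
                        socket.inet_ntoa(pkt[off:off + 4]) if rtype == 1 else             # A
                        read_name(pkt, off)[0] if rtype == 5 else pkt[off:off + rdlen]))  # CNAME / other
        off += rdlen
    return questions, answers

def queried_name_to_ips(pkt):
    """Map each question name to the A records reached by walking its CNAME chain."""
    questions, answers = parse_response(pkt)
    cname = {o: r for o, t, r in answers if t == 5}
    def final_target(name, seen=()):                      # seen bounds the walk, so a CNAME loop terminates
        return name if name not in cname or name in seen else final_target(cname[name], seen + (name,))
    return {q: [r for o, t, r in answers if t == 1 and o == final_target(q)] for q in questions}

# Constructed sample response (not a real capture): www.paypal.com CNAME paypal.112.2o7.net, A 192.0.2.10.
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"                    # header: response, 1 question, 2 answers
          + b"\x03www\x06paypal\x03com\x00\x00\x01\x00\x01"                        # question: www.paypal.com, type A, class IN
          + b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x14"                    # CNAME RR; owner is a pointer to offset 12
          + b"\x06paypal\x03112\x032o7\x03net\x00"                                 # CNAME rdata: paypal.112.2o7.net (20 bytes)
          + b"\xc0\x2c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a")   # A RR; owner points to offset 44; rdata 192.0.2.10
```

`queried_name_to_ips(SAMPLE)` yields `{'www.paypal.com': ['192.0.2.10']}`: the key comes from the question section, the address from the A record at the end of the CNAME chain.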