Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Analysis of TCP/UDP port 53(DNS) traffic in captured PCAP files.

Status
Not open for further replies.

Cybex1

Technical User
Sep 3, 2011
33
US
I am trying to search through raw pcap files for IP addresses that are returned in the DNS lookup process. The IP addresses in question are not the SRC or DST they are the IP addreses of the domain name that was looked up. The IP is stored in the response content, as such:

Wireshark summary:
"22 2012-08-11 13:07:00.078667 8.8.8.8 10.128.33.101 DNS 275 Standard query response CNAME plus.l.google.com A 74.125.228.36 A 74.125.228.37 A 74.125.228.38 A 74.125.228.32 A 74.125.228.40 A 74.125.228.35 A 74.125.228.46 A 74.125.228.33 A 74.125.228.39 A 74.125.228.34 A 74.125.228.41"

Wireshark said:
0000 00 21 5d 26 fd 76 c0 c1 c0 7b 46 8d 08 00 45 00 .!]&.v.. .{F...E.
0010 01 05 48 dd 00 00 fa 11 3b 16 08 08 08 08 0a 80 ..H..... ;.......
0020 21 65 00 35 d2 6c 00 f1 ef ee 33 8f 81 80 00 01 !e.5.l.. ..3.....
0030 00 0c 00 00 00 00 07 70 6c 75 73 6f 6e 65 06 67 .......p lusone.g
0040 6f 6f 67 6c 65 03 63 6f 6d 00 00 01 00 01 c0 0c oogle.co m.......
0050 00 05 00 01 00 00 77 e4 00 09 04 70 6c 75 73 01 ......w. ...plus.
0060 6c c0 14 c0 30 00 01 00 01 00 00 01 2c 00 04 4a l...0... ....,..J
0070 7d e4 24 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.$.0... ....,..J
0080 7d e4 25 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.%.0... ....,..J
0090 7d e4 26 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.&.0... ....,..J
00a0 7d e4 27 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }. .0... ....,..J
00b0 7d e4 28 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.(.0... ....,..J
00c0 7d e4 23 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.#.0... ....,..J
00d0 7d e4 2e c0 30 00 01 00 01 00 00 01 2c 00 04 4a }...0... ....,..J
00e0 7d e4 21 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.!.0... ....,..J
00f0 7d e4 27 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.'.0... ....,..J
0100 7d e4 22 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.".0... ....,..J
0110 7d e4 29 }.)

The IP's are stored as hexadecimal and always proceeded by the "Data length: 4" field and value (in the hex view it is "00 04" and then the next 4 bits are the IP Address. I want to try and find a way to search the raw pcap files for specific IP addresses as needed without converting the pcap to ASCII via tcpdump or tshark. I typically use ngrep to search through the pcap files for items such as SRC or DST IP's but they can be found using "src host 10.128.33.101" which is typical BPF syntax. However, I have been unsuccessful in getting the syntax correct in order to search the raw pcap for the hex representation of the IP address I am looking for, "74.125.228.38". If I convert it to ASCII I can grep for the IP no problem but there are issues like time and space associated with converting large amounts of raw pcap in order to search for certain IP addresses. Can anyone help with this issue?

Thanks,
Cybex
 
Disregard, I figured it out... I was apparently sleep deprived (that's my story) and completely screwed up the syntax. In order to search for the returned IP addresses you must search using the hexadecimal representation or that IP address. I.e.: "202.190.87.182" would be "ca be 57 b6".

The ngrep line would look like this:
Bash:
ngrep -I dns-20120811130639.pcap -qt -Xx cabe57b6

Return:
U 2012/08/11 13:07:29.953326 8.8.4.4:53 -> 10.128.33.101:59956
4b ec 81 80 00 01 00 01 00 00 00 00 08 73 65 63 K............sec
75 72 69 74 79 03 6f 72 67 02 6d 79 00 00 01 00 urity.org.my....
01 c0 0c 00 01 00 01 00 00 01 2c 00 04 ca be 57 ..........,....W
b6

The syntax for searching for the associated domain name in the packet is:
Bash:
ngrep -I dns-20120811130639.pcap -qtx security.org

Return:
U 2012/08/11 13:07:29.645500 10.128.33.101:59956 -> 8.8.4.4:53
4b ec 01 00 00 01 00 00 00 00 00 00 08 73 65 63 K............sec
75 72 69 74 79 03 6f 72 67 02 6d 79 00 00 01 00 urity.org.my....
01 .

U 2012/08/11 13:07:29.953326 8.8.4.4:53 -> 10.128.33.101:59956
4b ec 81 80 00 01 00 01 00 00 00 00 08 73 65 63 K............sec
75 72 69 74 79 03 6f 72 67 02 6d 79 00 00 01 00 urity.org.my....
01 c0 0c 00 01 00 01 00 00 01 2c 00 04 ca be 57 ..........,....W
b6​

If you want to ditch the hex data for returns you can drop the "-x" and by adding the "-W single" you can force the returns onto a single line return.
Bash:
ngrep -I dns-20120811130639.pcap -qtW single security.org

Return:
U 2012/08/11 13:07:29.645500 10.128.33.101:59956 -> 8.8.4.4:53 K............security.org.my.....

U 2012/08/11 13:07:29.953326 8.8.4.4:53 -> 10.128.33.101:59956 K............security.org.my..............,....W.


I am not sure why ngrep can convert the domain names but not the IP addresses. It seems as thought if Wireshark can do it ngrep should be able to as well or at least have an option for it in the syntax fro easier querying for IP addresses.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top