Analysis of TCP/UDP port 53(DNS) traffic in captured PCAP files.

(OP)
I am trying to search through raw pcap files for IP addresses that are returned in the DNS lookup process. The IP addresses in question are not the SRC or DST; they are the IP addresses of the domain name that was looked up. The IP is stored in the response content, as such:

Wireshark summary:
"22 2012-08-11 13:07:00.078667 8.8.8.8 10.128.33.101 DNS 275 Standard query response CNAME plus.l.google.com A 74.125.228.36 A 74.125.228.37 A 74.125.228.38 A 74.125.228.32 A 74.125.228.40 A 74.125.228.35 A 74.125.228.46 A 74.125.228.33 A 74.125.228.39 A 74.125.228.34 A 74.125.228.41"

Quote (Wireshark)

0000 00 21 5d 26 fd 76 c0 c1 c0 7b 46 8d 08 00 45 00 .!]&.v.. .{F...E.
0010 01 05 48 dd 00 00 fa 11 3b 16 08 08 08 08 0a 80 ..H..... ;.......
0020 21 65 00 35 d2 6c 00 f1 ef ee 33 8f 81 80 00 01 !e.5.l.. ..3.....
0030 00 0c 00 00 00 00 07 70 6c 75 73 6f 6e 65 06 67 .......p lusone.g
0040 6f 6f 67 6c 65 03 63 6f 6d 00 00 01 00 01 c0 0c oogle.co m.......
0050 00 05 00 01 00 00 77 e4 00 09 04 70 6c 75 73 01 ......w. ...plus.
0060 6c c0 14 c0 30 00 01 00 01 00 00 01 2c 00 04 4a l...0... ....,..J
0070 7d e4 24 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.$.0... ....,..J
0080 7d e4 25 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.%.0... ....,..J
0090 7d e4 26 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.&.0... ....,..J
00a0 7d e4 27 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }. .0... ....,..J
00b0 7d e4 28 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.(.0... ....,..J
00c0 7d e4 23 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.#.0... ....,..J
00d0 7d e4 2e c0 30 00 01 00 01 00 00 01 2c 00 04 4a }...0... ....,..J
00e0 7d e4 21 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.!.0... ....,..J
00f0 7d e4 27 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.'.0... ....,..J
0100 7d e4 22 c0 30 00 01 00 01 00 00 01 2c 00 04 4a }.".0... ....,..J
0110 7d e4 29 }.)

The IPs are stored as hexadecimal and always preceded by the "Data length: 4" field and value (in the hex view it is "00 04", and then the next 4 bits are the IP address). I want to try and find a way to search the raw pcap files for specific IP addresses as needed without converting the pcap to ASCII via tcpdump or tshark. I typically use ngrep to search through the pcap files for items such as SRC or DST IPs, but they can be found using "src host 10.128.33.101", which is typical BPF syntax. However, I have been unsuccessful in getting the syntax correct in order to search the raw pcap for the hex representation of the IP address I am looking for, "74.125.228.38". If I convert it to ASCII I can grep for the IP no problem, but there are issues like time and space associated with converting large amounts of raw pcap in order to search for certain IP addresses. Can anyone help with this issue?

Thanks,
Cybex

RE: Analysis of TCP/UDP port 53(DNS) traffic in captured PCAP files.

(OP)
Disregard, I figured it out... I was apparently sleep deprived (that's my story) and completely screwed up the syntax. In order to search for the returned IP addresses you must search using the hexadecimal representation of that IP address. I.e.: "202.190.87.182" would be "ca be 57 b6".

The ngrep line would look like this:

CODE --> Bash

ngrep -I dns-20120811130639.pcap -qt -Xx cabe57b6 

Return:
U 2012/08/11 13:07:29.953326 8.8.4.4:53 -> 10.128.33.101:59956
4b ec 81 80 00 01 00 01 00 00 00 00 08 73 65 63 K............sec
75 72 69 74 79 03 6f 72 67 02 6d 79 00 00 01 00 urity.org.my....
01 c0 0c 00 01 00 01 00 00 01 2c 00 04 ca be 57 ..........,....W
b6

The syntax for searching for the associated domain name in the packet is:

CODE --> Bash

ngrep -I dns-20120811130639.pcap -qtx security.org 

Return:
U 2012/08/11 13:07:29.645500 10.128.33.101:59956 -> 8.8.4.4:53
4b ec 01 00 00 01 00 00 00 00 00 00 08 73 65 63 K............sec
75 72 69 74 79 03 6f 72 67 02 6d 79 00 00 01 00 urity.org.my....
01 .

U 2012/08/11 13:07:29.953326 8.8.4.4:53 -> 10.128.33.101:59956
4b ec 81 80 00 01 00 01 00 00 00 00 08 73 65 63 K............sec
75 72 69 74 79 03 6f 72 67 02 6d 79 00 00 01 00 urity.org.my....
01 c0 0c 00 01 00 01 00 00 01 2c 00 04 ca be 57 ..........,....W
b6

If you want to ditch the hex data for returns you can drop the "-x", and by adding "-W single" you can force each return onto a single line.

CODE --> Bash

ngrep -I dns-20120811130639.pcap -qtW single security.org 

Return:
U 2012/08/11 13:07:29.645500 10.128.33.101:59956 -> 8.8.4.4:53 K............security.org.my.....

U 2012/08/11 13:07:29.953326 8.8.4.4:53 -> 10.128.33.101:59956 K............security.org.my..............,....W.


I am not sure why ngrep can convert the domain names but not the IP addresses. It seems as though if Wireshark can do it ngrep should be able to as well, or at least have an option for it in the syntax for easier querying for IP addresses.
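As an added example that is not part of the thread, the following Python walks the answer section of the DNS response quoted in the first post: it follows the compression pointers (the "c0 0c" / "c0 30" bytes), reads each A record's 4-byte RDATA after the "00 04" length field, and converts a dotted-quad address to the hex form the second post feeds to ngrep -X. The message bytes are transcribed from the Wireshark dump above with the 42 bytes of Ethernet/IPv4/UDP headers stripped; the function names are my own, not ngrep's or Wireshark's.

```python
import struct
from ipaddress import IPv4Address

# DNS message constructed from the first post's dump (frame offset 0x2a onward, transaction id 33 8f).
A_LAST_OCTETS = ["24", "25", "26", "27", "28", "23", "2e", "21", "27", "22", "29"]
DNS_MSG = bytes.fromhex(
    "338f 8180 0001 000c 0000 0000"                              # header: QDCOUNT 1, ANCOUNT 12
    "07 706c75736f6e65 06 676f6f676c65 03 636f6d 00 0001 0001"   # question: plusone.google.com A IN
    "c00c 0005 0001 000077e4 0009 04 706c7573 01 6c c014"        # CNAME -> plus.l.google.com
    + "".join("c030 0001 0001 0000012c 0004 4a7de4" + o for o in A_LAST_OCTETS)
)

def read_name(msg, off):
    """Decode a DNS name at msg[off:], following RFC 1035 pointers; returns (name, offset after it)."""
    labels, end = [], None
    for _ in range(64):                               # bounded loop: a pointer cycle cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer: 2 bytes, 14-bit offset
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("malformed name: too many labels or a pointer loop")

def answers(msg):
    """Yield (owner, type, value) for every A and CNAME record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                          # skip the question section
        off = read_name(msg, off)[1] + 4              # name, then QTYPE + QCLASS
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:                                # A: RDLENGTH is 4, RDATA is the address bytes
            yield owner, "A", str(IPv4Address(msg[off:off + rdlen]))
        elif rtype == 5:                              # CNAME: RDATA is a (possibly compressed) name
            yield owner, "CNAME", read_name(msg, off)[0]
        off += rdlen

def resolved_addresses(msg):                          # every A-record address the response hands out
    return [value for _, rtype, value in answers(msg) if rtype == "A"]

def ngrep_hex(ip):                                    # e.g. "202.190.87.182" -> "cabe57b6" for ngrep -X
    return IPv4Address(ip).packed.hex()
```

Note that the dump's row 00a0 reads "27" where its ASCII column shows a space (0x20, i.e. 74.125.228.32 in the Wireshark summary); the message above keeps the bytes as printed.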
