jim3725
asked on
wireshark setup a filter on a dns server
I have Wireshark installed on my DNS/DC 2008 R2 server, and I don't know how to set up a filter for a DNS query to a host.
The reason is that the hosts I am querying are part of a conditional forwarder, which has been having difficulty with DNS resolution for the past four days. The DNS connections do go through a VPN tunnel, which is working, and I can get to the site via IP address, but sporadically I can't use DNS to get to the site. Thus I wanted to set up a Wireshark capture to validate DNS from the DNS/DC server to the destination hosts.
udp.port == 53
ASKER CERTIFIED SOLUTION
Usually the DNS request log tells something: if the cache was too slow, or upstream DNS, etc.
ASKER
bbao, this works, but how can I narrow down to a specific destination?
There is an autocomplete filter builder in Wireshark.
> how can I narrow down to a specific destination
I think you want to narrow down to the DNS traffic between the DNS server and a specific computer only. Am I correct?
If so, try the following filter.
(ip.src == 1.2.3.4 && ip.dst == 5.6.7.8 && udp.port == 53) || (ip.src == 5.6.7.8 && ip.dst == 1.2.3.4 && udp.port == 53)
where 1.2.3.4 is the DNS server and 5.6.7.8 is the DNS client computer.
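An added example in Python (not code from the thread or from bbao): it builds the same bidirectional DNS display filter for any server/peer pair, applies the identical condition to a constructed packet list so the filter can be sanity-checked before pasting it into Wireshark, and lists outgoing queries that never received a reply, which is what the asker's sporadic failures would look like in a capture. The addresses are the thread's placeholders; treating the peer as the conditional forwarder's target rather than a client, and including DNS over TCP port 53, are assumptions.

```python
# Added example, not from the thread. Generates bbao's bidirectional DNS display filter
# and evaluates the same condition over constructed packet records (not a real capture).
# Assumption: the peer may be a DNS client or the host a conditional forwarder points to.

DNS_PORT = 53

def dns_pair_filter(server_ip: str, peer_ip: str, include_tcp: bool = True) -> str:
    """Wireshark display filter for DNS traffic in both directions between two hosts."""
    port = "(udp.port == 53 || tcp.port == 53)" if include_tcp else "udp.port == 53"
    a_to_b = f"ip.src == {server_ip} && ip.dst == {peer_ip} && {port}"
    b_to_a = f"ip.src == {peer_ip} && ip.dst == {server_ip} && {port}"
    return f"({a_to_b}) || ({b_to_a})"

def matches(pkt: dict, server_ip: str, peer_ip: str, include_tcp: bool = True) -> bool:
    """Same condition as the display filter, applied to one packet record."""
    protos = {"udp", "tcp"} if include_tcp else {"udp"}
    if pkt["proto"] not in protos:
        return False
    if DNS_PORT not in (pkt["sport"], pkt["dport"]):
        return False
    return (pkt["src"], pkt["dst"]) in {(server_ip, peer_ip), (peer_ip, server_ip)}

def unanswered_queries(packets, server_ip, peer_ip):
    """Source ports of server->peer UDP queries that got no reply from the peer."""
    asked = {p["sport"] for p in packets if p["src"] == server_ip and p["dst"] == peer_ip
             and p["proto"] == "udp" and p["dport"] == DNS_PORT}
    answered = {p["dport"] for p in packets if p["src"] == peer_ip and p["dst"] == server_ip
                and p["proto"] == "udp" and p["sport"] == DNS_PORT}
    return sorted(asked - answered)

def select_dns(packets, server_ip, peer_ip, include_tcp=True):
    return [i for i, p in enumerate(packets) if matches(p, server_ip, peer_ip, include_tcp)]

SERVER = "1.2.3.4"     # the DNS/DC server (thread placeholder)
FORWARDER = "5.6.7.8"  # the remote DNS host the conditional forwarder sends to (assumed)

# Constructed sample packets, not a real capture.
SAMPLE_PACKETS = [
    {"src": SERVER, "dst": FORWARDER, "proto": "udp", "sport": 49152, "dport": 53},   # query out
    {"src": FORWARDER, "dst": SERVER, "proto": "udp", "sport": 53, "dport": 49152},   # reply back
    {"src": FORWARDER, "dst": SERVER, "proto": "tcp", "sport": 53, "dport": 49153},   # TCP retry
    {"src": SERVER, "dst": "9.9.9.9", "proto": "udp", "sport": 49154, "dport": 53},   # other server
    {"src": SERVER, "dst": FORWARDER, "proto": "tcp", "sport": 49155, "dport": 445},  # SMB, not DNS
    {"src": SERVER, "dst": FORWARDER, "proto": "udp", "sport": 49156, "dport": 53},   # never answered
]

if __name__ == "__main__":
    print(dns_pair_filter(SERVER, FORWARDER, include_tcp=False))
    print("matching packets:", select_dns(SAMPLE_PACKETS, SERVER, FORWARDER))
    print("unanswered query ports:", unanswered_queries(SAMPLE_PACKETS, SERVER, FORWARDER))
```

With `include_tcp=False` the generated string is exactly the filter given above; the default also keeps TCP/53, since responses too large for UDP are retried over TCP and would otherwise be missed.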
ASKER
Thanks a lot bbao, this is very helpful.