capturing DNS responses

Aug 17, 2010 at 11:11 AM

Hi,

Q1 - Is it possible to capture DNS request/responses with the library?  

Q2 - If yes, once I have the packet, does anyone have any sample code that shows how I could extract the fields from the DNS response? In particular, the IP address that DNS resolved for the given DNS name provided.

Aug 19, 2010 at 3:28 AM

I'm managing to pick up the UDP packets, however I'm not too sure how to break it down from the PcapDotNet.Packets.Transport.UdpDatagram object level further? Here's a snapshot of what I can see in VS2010 postimage.org/image.php?v=aV7un3J . Am I supposed to manually parse the "((packet.Ethernet.IpV4.Udp).Payload).Buffer" value, for example? Also, I'm not sure whether I'm picking up the outgoing request and not the incoming

Coordinator
Aug 22, 2010 at 9:14 AM

1. DNS parsing is one of the features to be added to Pcap.Net in the future. You can vote for it in the Issue Tracker.

2. Once you have the UDP payload, you can manipulate it in different ways:

a. Use the indexer - [] operator - to read each byte.

b. Enumerate the bytes (using foreach).

c. Use the ToMemoryStream() method to read the bytes in the payload as a stream.

3. Incoming or outgoing is dependent on the IPv4 layer (source and destination). Request or response can be assumed using the ports from the UDP layer (source and destination, DNS server port is 53). You can also parse the DNS fields and see if it looks like a request or response.

Aug 22, 2010 at 11:03 AM

Thanks - I've actually got it working roughly using the Code Project post and source code here: http://www.codeproject.com/KB/IP/dnslookupdotnet.aspx. The Response.cs source file in particular. I did have to troubleshoot one issue with the source this weekend.

In the ResourceRecord constructor, in the switch statement, in its default area there is a line that says "pointer += recordLength;", however this wasn't correctly increasing the "point" object's internal position indicator, such that it would be carried back outside the method to the calling class. Had to change it so it called a new method I used in the "Pointer" class to allow its position indicator to be updated.
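
Added example, not code from this thread, from Pcap.Net or from the Code Project article: a minimal parser for the UDP payload bytes of a DNS response that returns the resolved IPv4 addresses, bounds-checks every read, and always advances by RDLENGTH past record types it does not decode (the step the last post had to fix). It assumes the payload has already been copied into a byte[]; the class and helper names and the sample bytes are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

static class DnsAnswerParser   // hypothetical name, not a Pcap.Net type
{
    // Big-endian 16-bit read that refuses to run past the end of the payload.
    static int U16(byte[] m, int o) =>
        o + 2 <= m.Length ? (m[o] << 8) | m[o + 1] : throw new FormatException("truncated");
    // Offset just past a name; a compression pointer (top bits 11) is 2 bytes and ends it.
    static int SkipName(byte[] m, int o)
    {
        while (o < m.Length)
        {
            int len = m[o];
            if (len == 0) return o + 1;               // root label terminates the name
            if ((len & 0xC0) == 0xC0) return o + 2;   // pointer: never followed, so no loops
            o += 1 + len;                             // ordinary label: length byte + text
        }
        throw new FormatException("truncated name");
    }
    // IPv4 addresses from the A records in the answer section of a DNS response.
    public static List<IPAddress> ParseARecords(byte[] m)
    {
        var result = new List<IPAddress>();
        if (m.Length < 12 || (m[2] & 0x80) == 0) return result;      // too short, or QR bit clear (a query)
        int o = 12;                                                  // fixed header size
        for (int i = U16(m, 4); i > 0; i--) o = SkipName(m, o) + 4;  // QDCOUNT: name, QTYPE, QCLASS
        for (int i = U16(m, 6); i > 0; i--)                          // ANCOUNT
        {
            o = SkipName(m, o);
            int type = U16(m, o), rdlen = U16(m, o + 8);
            o += 10;                                  // TYPE, CLASS, TTL, RDLENGTH
            if (o + rdlen > m.Length) throw new FormatException("truncated RDATA");
            if (type == 1 && rdlen == 4)              // TYPE 1 = A record
                result.Add(new IPAddress(new[] { m[o], m[o + 1], m[o + 2], m[o + 3] }));
            o += rdlen;                               // advance even for types not decoded
        }
        return result;
    }
    static void Main()
    {
        // Constructed sample: header, question "a", a CNAME answer, then an A answer.
        byte[] sample = { 0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0,  1,0x61,0, 0,1, 0,1,
            0xC0,0x0C, 0,5, 0,1, 0,0,0,60, 0,3, 1,0x62,0,
            0xC0,0x1F, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };
        foreach (var ip in ParseARecords(sample)) Console.WriteLine(ip);   // prints 192.0.2.1
    }
}
```

Captured payloads are untrusted input, so callers should catch FormatException and drop the packet rather than let a malformed message stop the capture loop.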