I was noticing TONS of DNS traffic going out to external DNS servers with the Wireshark DNS filter in place. (!ip.dst=192.168.0.0/16) and (!ip.dst=172.0.0.0/8) and (!ip.dst=10.0.0.0/8) It’s always a good idea to create capture filters instead of display filters with Wireshark and, in hindsight, I probably should have added some additional subnet rules to the capture filter. I don’t care about any internal DNS activity just to external DNS servers. This display filter removes out all of the internal IPs I was seeing. I start the capture and then created a display filter. I then exclude my forwarders because I know DNS traffic will be going to those. This capture filter narrows down the capture on UDP/53. With Wireshark now installed on this DNS server I opened it up and soon created a Wireshark DNS filter to narrow down interesting DNS activity as much as possible with this capture filter: udp port 53 and not host 8.8.8.8 and not host 4.2.2.2 and not host 4.2.2.3. Related: Making Sense of the Microsoft DNS Debug Log Build a Wireshark DNS Filter I didn’t think so but I thought I’d investigate. He needed me to figure out if this traffic was necessary to further open up DNS.
The network administrator had locked down outgoing DNS traffic only to the forwarders and was seeing a lot of hits on an ACL that was denying other DNS traffic to other public IPs. All of these DNS servers/domain controllers all have forwarders enabled on them using the typical 8.8.8.8, 4.2.2.2, and 4.2.2.3.Ī problem cropped up that unknown DNS traffic was being initiated from a DNS server out to the Internet. The "Filter Expression" dialog box can help you build display filters.Not seeing the video? Make sure your ad blocker is disabled.Īt my client, they have an Active Directory domain with a few domain controllers which are also DNS servers. For display filters, try the display filters page on the Wireshark wiki. For example, to capture only packets sent to port 80, use: dst tcp port 80Ĭouple that with an http display filter, or use: tcp.dstport = 80 & httpįor more on capture filters, read " Filtering while capturing" from the Wireshark user guide, the capture filters page on the Wireshark wiki, or pcap-filter (7) man page. If you want to measure the number of connections rather than the amount of data, you can limit the capture or display filters to one side of the communication. Note that a filter of http is not equivalent to the other two, which will include handshake and termination packets.
Ping packets should use an ICMP type of 8 (echo) or 0 (echo reply), so you could use a capture filter of: icmpĪnd a display filter of: icmp.type = 8 || icmp.type = 0įor HTTP, you can use a capture filter of: tcp port 80
0 kommentar(er)
