Extracting domain name from a DNS Response packet using dpkt library

Submitted on 2021-01-27 07:41:46

Question


I'm trying to generate a list of all domain names and their corresponding IP addresses from a pcap file, using the dpkt library available here

My code is mostly based on this

import socket
import dpkt

filename = raw_input('Type filename of pcap file (without extension): ')
path = 'c:/temp/PcapParser/' + filename + '.pcap'
f = open(path, 'rb')
pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:
    #make sure we are dealing with IP traffic
    try:
        eth = dpkt.ethernet.Ethernet(buf)
    except:
        continue
    if eth.type != 2048: #ETH_TYPE_IP
        continue
    #make sure we are dealing with UDP protocol
    try:
        ip = eth.data
    except:
        continue
    if ip.p != 17: #IP_PROTO_UDP
        continue
    #filter on UDP assigned ports for DNS
    try:
        udp = ip.data
    except:
        continue
    if udp.sport != 53 and udp.dport != 53:
        continue
    #make the dns object out of the udp data and
    #check for it being a RR (answer) and for opcode QUERY
    try:
        dns = dpkt.dns.DNS(udp.data)
    except:
        continue
    if dns.qr != dpkt.dns.DNS_R:
        continue
    if dns.opcode != dpkt.dns.DNS_QUERY:
        continue
    if dns.rcode != dpkt.dns.DNS_RCODE_NOERR:
        continue
    if len(dns.an) < 1:
        continue
    #process and print responses based on record type
    for answer in dns.an:
        if answer.type == 1: #DNS_A, rdata holds the 4-byte address
            print 'Domain Name: ', answer.name, '\tIP Address: ', socket.inet_ntoa(answer.rdata)

The problem is that answer.name is not good enough for me, because I need the original domain name requested, and not its CNAME representation. For example, one of the original DNS requests was for www.paypal.com, but the CNAME representation of it is paypal.112.2o7.net.

I looked closely at the code and realized I'm actually extracting the information from the DNS Response (and not the query). Then I looked at the response packet in wireshark and saw that the original domain is there, under 'queries' and under 'answers', so my question is how can I extract it?

Thanks!


Answer 1:


In order to acquire the name from the "Questions" section of the DNS response, via the dns.qd object, provided by dpkt.dns, all I needed to do was simply this:

for qname in dns.qd: print qname.name
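To make the distinction concrete, here is an added example (not from the question, the answer or the dpkt project) that parses a raw DNS response without dpkt, in Python 3, and returns the question section separately from the answer section. It assumes a constructed response to the www.paypal.com query from the question, in which the A record's owner name is the CNAME target, exactly the situation that made answer.name unusable; the name decoder bounds pointer hops so a malformed packet cannot loop the parser.

```python
import socket
import struct

def read_name(pkt, off):
    """Decode the name at pkt[off] (RFC 1035 labels plus compression pointers)."""
    labels, end = [], None
    for _ in range(128):                     # hop bound: a pointer loop cannot hang us
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # pointer: 14-bit offset back into the packet
            end = end or off + 2             # in-line bytes end right after the first pointer
            off = struct.unpack('!H', pkt[off:off + 2])[0] & 0x3FFF
        elif length == 0:                    # root label terminates the name
            return '.'.join(labels), end or off + 1
        else:
            labels.append(pkt[off + 1:off + 1 + length].decode('ascii'))
            off += 1 + length
    raise ValueError('malformed name: too long or pointer loop')

def parse_response(pkt):
    """Return (question names, [(owner, rtype, rdata)]) from a raw DNS response."""
    flags, qdcount, ancount = struct.unpack('!HHH', pkt[2:8])
    if not flags & 0x8000:
        raise ValueError('QR bit clear: not a response')
    off, questions, answers = 12, [], []
    for _ in range(qdcount):                 # question section (what dpkt exposes as dns.qd)
        name, off = read_name(pkt, off)
        questions.append(name)
        off += 4                             # skip QTYPE and QCLASS
    for _ in range(ancount):                 # answer section (dpkt's dns.an)
        name, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack('!HHIH', pkt[off:off + 10])
        off += 10
        if rtype == 1:                       # A: rdata is the 4-byte address
            answers.append((name, rtype, socket.inet_ntoa(pkt[off:off + 4])))
        elif rtype == 5:                     # CNAME: rdata is a (possibly compressed) name
            answers.append((name, rtype, read_name(pkt, off)[0]))
        off += rdlen
    return questions, answers

def build_sample_response():
    # Constructed sample (not captured traffic): 'www.paypal.com A' answered via a CNAME
    enc = lambda n: b''.join(bytes([len(l)]) + l.encode() for l in n.split('.')) + b'\x00'
    cname = enc('paypal.112.2o7.net')
    return (struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 2, 0, 0)      # header: response, 1 question, 2 RRs
            + enc('www.paypal.com') + struct.pack('!HH', 1, 1)      # question: www.paypal.com A IN
            + b'\xc0\x0c' + struct.pack('!HHIH', 5, 1, 300, len(cname)) + cname   # CNAME RR, owner -> offset 12
            + b'\xc0\x2c' + struct.pack('!HHIH', 1, 1, 60, 4) + socket.inet_aton('192.0.2.10'))  # A RR, owner -> offset 44
```

Calling parse_response(build_sample_response()) yields ['www.paypal.com'] as the question list, while the only A record is owned by paypal.112.2o7.net, which is why the queried name has to be taken from the question section.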


Source: https://stackoverflow.com/questions/17880931/extracting-domain-name-from-a-dns-response-packet-using-dpkt-library
