Wednesday, April 7, 2021

Top 5 Wireshark Filters for DNS


Domain Name System or DNS is one of the most important protocols in your network and out on the Internet. Why is that? Because you can't route a packet through a network using a word. It's just like when you are driving, and your GPS tells you to turn right, or go straight based on your current position. It uses your latitude and longitude, not the name of your current street. In the same way, routers use the numerical address to check their routing tables for the best path to send packets on to their destination. Computers are simply faster when using numbers instead of words.


DNS is the protocol that converts the easy-to-remember words we want to use, into the numbers that routers and hosts need. It's the connection between the names and the actual addresses where the services reside.



When you're troubleshooting DNS you need to have filters ready to go. There's no time to create them once you're on that bridge call. You know the one, "It's SLOW!". DNS is the beginning of most conversations, so best practice is to check DNS first. There is even a haiku for this philosophy written by SSBroski.


It's not DNS
There's no way it's DNS
It was DNS


Here are 5 Wireshark filters to make your DNS troubleshooting faster and easier. Add them to your profiles and spend that extra time on something fun.


1. Slow Responses

Usually this is what we are looking for. IMHO DNS servers should respond within a few milliseconds if they have the data in cache. Capture as close to the server as possible to measure server response time; that way there is no network round-trip time to subtract. DNS errors will usually take longer to send, so they are excluded from the filter. We'll look at errors later in this post. Why greater than 100 milliseconds? Back in 2009, Amazon found that 100 milliseconds cost them 1% in sales revenue. https://www.gigaspaces.com/blog/amazon-found-every-100ms-of-latency-cost-them-1-in-sales I have always used it as the point where a user notices "it is slow".


dns.flags.rcode eq 0 and dns.time gt .1

2. Transaction ID

When the world is perfect, there is one DNS request and one reply. However in real life, things don't always work out that way. Filtering for a transaction ID lets you focus on a single transaction, no matter how many packets or servers are involved. If the client times out without an answer they will either:

  1. Retransmit the query with the same transaction ID to their primary server

  2. Retransmit the query with the same transaction ID to their secondary (or tertiary) server

If they have to retransmit the query to either their secondary or tertiary servers, the UDP stream number will change. However, the transaction ID will not.


Your goal is to filter for the transaction ID, and here is the important part: the transaction ID of the packet you already have selected. The ${dns.id} on the right-hand side is filled in from that selected packet. This syntax of fieldname eq ${fieldname} works for any field. It's pretty powerful.


dns.id eq ${dns.id}

3. UDP or TCP Stream

When you are looking at a pcap and notice something interesting, you often want to filter for that conversation. Maybe the server is an unexpected IP address, or a zone transfer is refused. The key with context sensitive filters is to save them as a button on your toolbar for easy access.


udp.stream eq ${udp.stream}
tcp.stream eq ${tcp.stream}

A word of warning: if you try to create the UDP filter while you are on a TCP packet, or vice versa, the syntax check will be red. If you are creating this filter, be sure to select the packet of interest first.


4. Zone Transfers

Secondary servers should request all records (type 252) when they are first set up. After that, the primary should send a Notify (op code 4) after any changes. Then the secondaries send an incremental records request (type 251) to get the new records. If something goes awry, this filter will get you the whole picture.


dns.qry.type in {251 252} or dns.flags.opcode eq 4

5. DNS Errors

Finally, you'll need a filter for DNS errors. Anytime a server responds with anything besides yes, it's a bad thing. In DNS, a positive reply still isn't necessarily a positive reply. This happens with queries for an IPv6 address. Instead of sending a "no such name" error, the server replies with no error code and no IPv6 address! Seems a bit passive aggressive to me, but the clients understand the response and move to the next step. Yet there is still no IPv6 address.


dns.flags.rcode != 0 or (dns.flags.response eq 1 and dns.qry.type eq 28 and !dns.aaaa)

Be aware, this filter will turn the syntax check yellow due to the not equal, !=. But it's ok, the yellow is just a reminder that not equal only works as expected if the field occurs once per packet (a single-direction field); on a field that occurs more than once, != matches as soon as any one occurrence differs. For example, ip.addr is bi-directional (it is present for both the source and the destination address) and http.response.code is single.
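As an added example (not the post's own code, nor anything from Wireshark), the following Python applies the same five checks to tshark-style field records, and also shows the != behaviour described just above. The packets are constructed sample data keyed by the Wireshark field names the post uses (dns.id, udp.stream, tcp.stream, dns.time, dns.flags.rcode, dns.flags.opcode, dns.qry.type, dns.aaaa); the pkt helper, the function names and the threshold constant are this example's own choices.

```python
"""Pure-Python equivalents of the five DNS display filters from the post, run over
tshark-style field records.  Added example; not the post's code."""
from collections import defaultdict

SLOW_THRESHOLD_S = 0.1           # the post's 100 ms "it is slow" point
AAAA, IXFR, AXFR = 28, 251, 252  # dns.qry.type values used in the post
OPCODE_NOTIFY = 4                # dns.flags.opcode for a Notify


def pkt(frame, stream, tid, response=0, qtype=1, opcode=0, rcode=0, time=0.0, aaaa=None):
    """Build one constructed tshark-style record (hypothetical helper).  stream is
    ("udp", n) or ("tcp", n); rcode, dns.time and dns.aaaa are only populated on
    responses, as they would be in Wireshark."""
    rec = {"frame.number": frame, stream[0] + ".stream": stream[1], "dns.id": tid,
           "dns.flags.response": response, "dns.qry.type": qtype, "dns.flags.opcode": opcode}
    if response:
        rec.update({"dns.flags.rcode": rcode, "dns.time": time})
        if aaaa is not None:
            rec["dns.aaaa"] = aaaa
    return rec


# Constructed sample capture (not real traffic).
PACKETS = [
    pkt(1, ("udp", 0), 0x1A2B),                                   # normal lookup, answered fast
    pkt(2, ("udp", 0), 0x1A2B, response=1, time=0.012),
    pkt(3, ("udp", 1), 0x2C3D),                                   # successful but slow (340 ms)
    pkt(4, ("udp", 1), 0x2C3D, response=1, time=0.340),
    pkt(5, ("udp", 2), 0x3E4F),                                   # timed out, retried against the
    pkt(6, ("udp", 3), 0x3E4F),                                   # secondary: new stream, same ID
    pkt(7, ("udp", 4), 0x5A6B, response=1, rcode=3, time=0.250),  # NXDOMAIN error
    pkt(8, ("udp", 5), 0x6C7D, response=1, qtype=AAAA, time=0.020, aaaa=[]),  # NOERROR, no AAAA
    pkt(9, ("udp", 6), 0x7E8F, qtype=6, opcode=OPCODE_NOTIFY),   # primary sends Notify
    pkt(10, ("tcp", 0), 0x9A0B, qtype=IXFR),                      # secondary asks for IXFR
]


def stream_key(p):
    """Identify the transport conversation (udp.stream or tcp.stream) a packet belongs to."""
    return ("udp", p["udp.stream"]) if "udp.stream" in p else ("tcp", p["tcp.stream"])


def slow_responses(packets, threshold=SLOW_THRESHOLD_S):
    """1. dns.flags.rcode eq 0 and dns.time gt .1"""
    return [p["frame.number"] for p in packets
            if p.get("dns.flags.rcode") == 0 and p.get("dns.time", 0.0) > threshold]


def same_transaction(packets, selected_frame):
    """2. dns.id eq ${dns.id}: every packet carrying the selected packet's transaction ID."""
    selected = next(p for p in packets if p["frame.number"] == selected_frame)
    return [p["frame.number"] for p in packets if p["dns.id"] == selected["dns.id"]]


def retried_transactions(packets):
    """Transaction IDs queried in more than one stream, i.e. a retry to another server."""
    streams = defaultdict(set)
    for p in packets:
        if p["dns.flags.response"] == 0:
            streams[p["dns.id"]].add(stream_key(p))
    return sorted(tid for tid, seen in streams.items() if len(seen) > 1)


def zone_transfer_traffic(packets):
    """4. dns.qry.type in {251 252} or dns.flags.opcode eq 4"""
    return [p["frame.number"] for p in packets
            if p["dns.qry.type"] in (IXFR, AXFR) or p["dns.flags.opcode"] == OPCODE_NOTIFY]


def dns_errors(packets):
    """5. dns.flags.rcode != 0 or (dns.flags.response eq 1 and dns.qry.type eq 28 and !dns.aaaa)"""
    hits = []
    for p in packets:
        empty_aaaa = (p["dns.flags.response"] == 1 and p["dns.qry.type"] == AAAA
                      and not p.get("dns.aaaa"))
        if p.get("dns.flags.rcode", 0) != 0 or empty_aaaa:
            hits.append(p["frame.number"])
    return hits


def not_equal_matches(occurrences, value):
    """The != caveat: on a field with several occurrences per packet (ip.addr has a source
    and a destination), `field != value` is true as soon as ANY occurrence differs, so
    `ip.addr != 10.0.0.1` still matches a packet sent to 10.0.0.1.  Returns that result
    next to the `!(field == value)` form, which excludes the packet if ANY occurrence matches."""
    any_differs = any(v != value for v in occurrences)
    none_equal = not any(v == value for v in occurrences)
    return any_differs, none_equal


if __name__ == "__main__":
    print("slow responses:      ", slow_responses(PACKETS))
    print("transaction of #6:   ", same_transaction(PACKETS, 6))
    print("retried IDs:         ", [hex(t) for t in retried_transactions(PACKETS)])
    print("zone transfer frames:", zone_transfer_traffic(PACKETS))
    print("error frames:        ", dns_errors(PACKETS))
    print("ip.addr != vs !(==): ", not_equal_matches(["10.0.0.1", "192.168.1.5"], "10.0.0.1"))
```

Each function's docstring is the post's filter string, which can be pasted unchanged into Wireshark's display filter bar; the retried-transactions check is the combination of filters 2 and 3 (same dns.id, different udp.stream) worked out over the whole capture rather than one selected packet.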

Are these all the filters you need for DNS? Of course not, but these should get you started. If you want my entire DNS profile, reach out to me on Twitter with the hashtag #ProfilesArePower. My handle is @PacketDetective.




Betty DuBois is the Chief Detective for Packet Detectives, an application and network performance consulting and training firm based in Atlanta, GA. She has been solving mysteries since 1997.

Experienced with a range of hardware and software packet capture solutions, she captures the right data, in the right place, and at the right time to find the real culprit.

Betty presents each year at SharkFest, the Wireshark Developer and User Conference, and is active in the Wireshark community.

Using packets to solve crimes against the network and applications is her passion. Teaching others to do the same is her calling.

Do you have a packet mystery that you'd like Betty to solve? How about a team who needs training on how to catch the culprit themselves? Contact her at bettydubois.com for more information. Your mystery will be solved in no time.


Monday, April 5, 2021

Tool Behavior Exercise - Netscout Optiview XG

I’ve been preaching, “pick the right tool for the job” for years. The other day someone had an excellent question and asked me, “How do you know what the right tool is?”


I explained that many times it can be pretty obvious. For example, reach for the RJ45 crimper when an end is damaged and needs to be replaced, or when you make your own patch cable.

Other times, it gets tricky since many of your tools may overlap with the functionality of your other tools. For example, an Optiview XG can capture packets, generate traffic, test cables, perform device discovery, use SNMP to monitor, etc.


To change gears for a moment: I replied that many times the more important question is, “do you know how your tool behaves?” I mentioned that because the answer to that question plays into which tool you reach for.


I noticed that most analysts always reach for their trusty tool or software that they’ve been using for X years because they understand how it behaves, can interpret the data returned, and are very familiar navigating around the tool.


In this video, I reach for my Optiview to show you how easy it is to perform very quick basic tasks, and to pay attention to how the tool reacts. In this example, an analyst was telling me that he didn’t use the Optiview for auto-negotiation related issues because he thought you have to restart the software every time. I didn’t correct him but asked, “How do you know?”, and he replied, “that's what Joe told me”. I then told him to get the Optiview XG and we’d see for ourselves.


The moral of the story is don’t just blindly take someone else’s word when you can quickly figure it out yourself. Don’t forget that software upgrades might affect your tool’s behavior.



Wednesday, March 31, 2021

Change is Necessary


I applaud entrepreneurs for what they have achieved, through hours of dedicated, hard work, extreme commitment and at times ‘brute force’ to make success happen; however, as the old adage states, ‘if you always do what you have always done, you will always get what you have always got’! So the question I often ask myself is “do entrepreneurial owners, presidents, CEOs, etc. of small-to-medium enterprises (SMEs) readily accept that change is inevitable and necessary?”


I have come to recognize that entrepreneurs (typically) struggle to plan for, adapt to, and implement change. Coupled with a (typical) lack of business fundamentals, this only leads to continuing levels of inefficiency, waste and ‘missed opportunities’. I have recently been engaged with two SMEs that did not have business or strategic plans as they were ‘too busy’; another General Manager did not have time to talk due to pressing commitments (which had been planned months ago). What we are really talking about here is not having an ‘operating rhythm’: the culture is not allowing it to happen. Culture can be made to change for the better – it takes perseverance and courage, but if you do not start to change then you will have to accept what you have become used to!


It is critically important to have a strategic plan, and to develop business plans, employee accountabilities and communication plans – understanding and planning these aspects is not easy at any time, let alone the first time you develop them. Further, how can technology be used to optimize efficiencies, and how can innovation and an innovative culture be harvested for the health of the business? And it doesn’t stop there – what about metrics: how do you collect data, what does the data mean, what story does the data tell, and how do you communicate these messages to the employee population? As globalization, technology and other macroeconomic factors put more pressure on businesses, leaders are searching for deeper statistical intelligence. For cash-strapped small or medium-sized businesses (SMEs), determining what those metrics might be, then collecting and analyzing them, can prove challenging.


Change is inevitable in business and you need to build your business model around it. Hire people who are comfortable in a world of change. Great businesses are able to grow in good times and bad, largely because they’re prepared for the unpredictable. Change is the only constant that you will face.


On the other hand, failed businesses and entrepreneurs often struggle to plan for, adapt to, and implement change — and this happens all too frequently in growing companies.

Whether Strategic Planning, Change Management or Culture Change is the next step in your journey it is critical to have expert advice and support - do not be ‘penny wise and pound foolish’!


This ‘posting’ is not meant to be provocative, merely reflective. If your intention is to grow your business for longevity through process and people transformation then there has to be an investment somewhere down the line – the benefits will be readily visible, your employees will welcome it and your shareholders will thank you!


M.O’Sullivan P.Eng, MBA, ICD.D

Tuesday, March 16, 2021

The Highlighted Route


It is in our nature as humans to plan. Some of us do it formally, writing down step by step instructions with a well-defined goal in mind. Others plan at a smaller scale, often thinking about step 2 after step 1 is underway. If you are out doing errands, advanced planning can save time with a more efficient route. If you are doing a project, planning can help avoid painting yourself into a corner (literally). When it comes to travel, planning might include packing things you will need or putting a hold on the mail, but it most definitely will involve some sort of pre-determined route. Airline pilots do this sort of route planning routinely to conserve fuel, avoid bad weather, and arrive at their destination on time. They submit a formal flight plan to document their intentions.



Pilots have their own lingo, helping to ensure clear radio communications. A typical flight will likely involve VFR, IFR and VOR and most certainly will be highly dependent on ATC. One acronym to be avoided at all costs is CFIT (controlled flight into terrain), which is just as bad as it sounds. If you know your precise location and altitude, CFIT is unlikely, even if IFR conditions are making it impossible to see anything out the window. This is where GPS comes in. 


Beginning with the DoD NAVSTAR satellite-based system in 1993, GPS developed into a sophisticated positioning system that is highly accurate, easily accessed and substantially free of charge. It is operated by the Air Force for the US Government to meet the needs of military, civil, commercial, and scientific users. Coarse position codes are open to everyone, while the more accurate ones are restricted to the US Armed Forces and Federal Agencies. That GPS in your car can get you to within about 10 feet of your destination and if you can’t recognize it by then there’s not much more technology can do for you. As for the military version, let’s just say it is much more accurate and leave it at that.



In a peculiar bit of irony, the U.S. Military occasionally jams its own GPS signals in order to research ways to keep them from being jammed. Imagine piloting a modern jetliner with a hundred or more people on board when a warning suddenly pops up in the cockpit – “GPS Position Lost.” Although pilots have altimeters and VOR beacons for navigation, GPS made the entire point-to-point flying experience much more efficient. Most planes carry transponders which use the GPS for broadcasting altitude, heading and speed to controllers on the ground. While GPS works flawlessly 99.9% of the time, it’s a challenge to stay ready to respond to that other 0.1%.



Perhaps even more concerning is the case where GPS doesn’t just go away but starts returning erroneous data. GPS signals are so faint by the time they reach us that it is relatively easy to disrupt them, and illegal jamming devices are widely available on the black market. A delivery driver who doesn’t want his boss to know where he is can easily avoid being tracked. Intermittent GPS could be due to natural factors, jamming, or a government test – there is often no way to know. 

It's hard to miss the similarities between GPS's highlighted route, and the paths we lay out for other parts of our lives. We like to believe that we know where we are relative to our goal at any given moment.  Some of us believe there is a Master Plan for our life that will guide us to fulfilling a divine purpose. Some are intimidated by the unknown and take comfort in staying on a highlighted route, at times provided by others, with frequent detailed guidance and no surprises. Weak signals, jamming, and system failure are an inevitable part of life.

I realize in retrospect that my parents had planned a route for me when I was in High School. I weathered a few detours and course corrections along the way, but I did ultimately arrive at my destination. In some of those moments of “position lost”, I felt a potent mix of fear and infinite possibility. From time to time, friends and family stepped in and reminded me to return to the highlighted route. 


And unlike a few of my less fortunate peers, I managed to avoid CFIT.


Author Profile - Paul W. Smith - leader, educator, technologist, writer - has a lifelong interest in the countless ways that technology changes the course of our journey through life.  In addition to being a regular contributor to NetworkDataPedia, he maintains the website Technology for the Journey and occasionally writes for Blogcritics.  Paul has over 40 years of experience in research and advanced development for companies ranging from small startups to industry leaders.  His other passion is teaching - he is a former Adjunct Professor of Mechanical Engineering at the Colorado School of Mines.  Paul holds a doctorate in Applied Mechanics from the California Institute of Technology, as well as Bachelor’s and Master’s Degrees in Mechanical Engineering from the University of California, Santa Barbara.

Saturday, March 13, 2021

Automating Packet Analysis with Sharkd and Python

Have you ever had one of those days when your packet analysis seems doomed? We start looking and quickly realise that there are duplicates of all the packets in one direction. So we process the file with our favourite de-dup tool and try again. Next we find some packets were dropped during capture. Hopefully, we have enough. Hang on, where's the traffic to the server? Things are going from bad to worse and we are already 2 hours in.

If only we could check the data before breaking out Wireshark.


This video explains how to use Sharkd and its API to automate the analysis of network packet data. I go on to demonstrate the capability using an experimental Python program to check the quality of a packet capture file. We close the video with details about Sharkd installation and documentation.


The modified sharkd_session.c code I used is here - https://gitlab.com/credible58/wireshark/-/tree/issue17235


The Python program used in the video is here - https://github.com/credible58/papr/tree/main
