
I'm looking for a way to filter a packet capture in Wireshark for instances where our server responds with "Refused" to a recursive DNS query.

`dns.resp.type ==` doesn't seem to offer anything that I see as a match to my request. Do I need to look somewhere other than under `dns.resp` altogether?

tink

1 Answer

Based on https://www.wireshark.org/docs/dfref/d/dns.html you need to use `dns.flags.rcode`, defined as:

dns.flags.rcode Reply code Unsigned integer, 2 bytes 1.0.0 to 3.4.9

"Reply code" is defined in §4.1.1 of RFC 1035 as "response code", with "Refused" being value 5:

5 Refused - The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data.

As Wireshark defines it as 2 bytes, maybe it is the whole structure depicted in the RFC:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

So to compare RCODE to value 5 you may have to mask other bits.

Patrick Mevzek
  • Thank you; `dns.flags.rcode==5 and ip.dst==u.v.w.x` gives me exactly what I'm after. – tink Nov 10 '21 at 22:50
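As an added worked example (not code from the question, the answer, or Wireshark), the following parses the 12-byte DNS header shown in the RFC diagram and pulls RCODE out of the 16-bit flags word with a bitmask, which is what the display filter `dns.flags.rcode == 5` compares against. It then runs that check over a handful of constructed header-only DNS payloads; the IP addresses, transaction IDs and flag values are made up for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# RFC 1035 §4.1.1 response codes (0-5). Later RFCs define more; omitted here.
RCODE_NAMES = {
    0: "NoError",
    1: "FormErr",
    2: "ServFail",
    3: "NXDomain",
    4: "NotImp",
    5: "Refused",
}
RCODE_REFUSED = 5
DNS_HEADER_LEN = 12


@dataclass(frozen=True)
class DnsHeader:
    """The 12-byte DNS header with the 16-bit flags word split into its sub-fields."""
    ident: int
    qr: int       # bit 15: 0 = query, 1 = response (Wireshark: dns.flags.response)
    opcode: int   # bits 11-14
    aa: int       # bit 10
    tc: int       # bit 9
    rd: int       # bit 8
    ra: int       # bit 7
    z: int        # bits 4-6, reserved
    rcode: int    # bits 0-3 (Wireshark: dns.flags.rcode)
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def rcode_from_flags(flags: int) -> int:
    """Mask the 4-bit RCODE out of the flags word. Comparing the raw word to 5
    would never match a real Refused response, since QR/RD/RA live in the same word."""
    return flags & 0xF


def parse_dns_header(payload: bytes) -> DnsHeader:
    """Parse the DNS header at the start of a UDP payload (network byte order)."""
    if len(payload) < DNS_HEADER_LEN:
        raise ValueError("payload too short for a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:DNS_HEADER_LEN])
    return DnsHeader(
        ident=ident,
        qr=(flags >> 15) & 0x1,
        opcode=(flags >> 11) & 0xF,
        aa=(flags >> 10) & 0x1,
        tc=(flags >> 9) & 0x1,
        rd=(flags >> 8) & 0x1,
        ra=(flags >> 7) & 0x1,
        z=(flags >> 4) & 0x7,
        rcode=rcode_from_flags(flags),
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def is_refused_response(payload: bytes) -> bool:
    """Same test as the display filter: dns.flags.response == 1 && dns.flags.rcode == 5."""
    h = parse_dns_header(payload)
    return h.qr == 1 and h.rcode == RCODE_REFUSED


def build_dns_header(ident: int, flags: int, qd: int = 1) -> bytes:
    """Build a header-only DNS payload (constructed test data, no question section)."""
    return struct.pack("!HHHHHH", ident, flags, qd, 0, 0, 0)


# Constructed sample traffic: (src_ip, dst_ip, dns_payload). Addresses are RFC 5737 examples.
SERVER = "192.0.2.53"   # assumed address of "our server"
CLIENT = "192.0.2.10"
SAMPLE_PACKETS: List[Tuple[str, str, bytes]] = [
    (CLIENT, SERVER, build_dns_header(0x1A2B, 0x0100)),  # query, RD=1
    (SERVER, CLIENT, build_dns_header(0x1A2B, 0x8185)),  # response, RD RA, RCODE=5 Refused
    (CLIENT, SERVER, build_dns_header(0x3C4D, 0x0100)),
    (SERVER, CLIENT, build_dns_header(0x3C4D, 0x8180)),  # response, RCODE=0 NoError
    (CLIENT, SERVER, build_dns_header(0x5E6F, 0x0100)),
    (SERVER, CLIENT, build_dns_header(0x5E6F, 0x8183)),  # response, RCODE=3 NXDomain
]


def refused_responses_from(packets: Sequence[Tuple[str, str, bytes]],
                           server_ip: str) -> List[Tuple[int, str, str]]:
    """Return (transaction id, client ip, rcode name) for every Refused reply the server sent."""
    hits = []
    for src, dst, payload in packets:
        if src != server_ip:
            continue
        if is_refused_response(payload):
            h = parse_dns_header(payload)
            hits.append((h.ident, dst, RCODE_NAMES[h.rcode]))
    return hits


if __name__ == "__main__":
    for ident, client, name in refused_responses_from(SAMPLE_PACKETS, SERVER):
        print(f"id=0x{ident:04x} {SERVER} -> {client}: {name}")
```

Wireshark applies the bitmask for you, so `dns.flags.rcode == 5` compares only the 4-bit field; adding `dns.flags.response == 1` restricts the match to responses, which is what the `qr` check in `is_refused_response` does.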