Read IP addresses and TTL from DNS response with dpkt

Question

I'm using dpkt for reading a pcap file.

        try: dns = dpkt.dns.DNS(udp.data)
        except: continue

        if dns.qr != dpkt.dns.DNS_R: continue
        if dns.opcode != dpkt.dns.DNS_QUERY: continue
        if dns.rcode != dpkt.dns.DNS_RCODE_NOERR: continue
        if len(dns.an) < 1: continue

        for answer in dns.an:
            if answer.type == 5:
                print "CNAME request", answer.name, "\tresponse", answer.cname

I'd like to read the ip address and the TTL for every answer. I did dir(answer) but I could not find anything that seems to return the ip addresses/TTL of the response, and I'm not finding anything in the documentation.

Is there a method for that?

score 2 · Answer 1 · edited May 23 '17 at 11:52

2

From this question

I assume you are reading the pcap file with something like this:

import dpkt
import sys

f=file(sys.argv[1],"rb")
pcap=dpkt.pcap.Reader(f)

Parse each layer individually starting with the Ethernet.

for ts, buf in pcap:
  eth=dpkt.ethernet.Ethernet(buf)
  ip=eth.data
  udp=ip.data

Then pull the relevant TTL and IP values from the IP header.

TTL and IP values are in the IP header, not the DNS answer.

edited May 23 '17 at 11:52

Community

1
1

answered May 12 '15 at 21:25

chemdt

138
8

I don't think you will see DNS information in the IP header. the IP layer is below DNS – Bob May 12 '15 at 21:43
That is correct. But you can parse the IP header before processing the DNS data. – chemdt May 12 '15 at 22:56

score 1 · Answer 2 · answered Jun 08 '15 at 20:36

The RR object has a ttl property which is what you are looking for:

try:
    dns = dpkt.dns.DNS(udp.data)
except:
    continue

    if dns.qr != dpkt.dns.DNS_R: continue
    if dns.opcode != dpkt.dns.DNS_QUERY: continue
    if dns.rcode != dpkt.dns.DNS_RCODE_NOERR: continue
    if len(dns.an) < 1: continue

    for answer in dns.an:
        if answer.type == 5:
            print "CNAME request", answer.name, "\tresponse", answer.cname, "\tttl", answer.ttl

chrisinmtown · Answer 3 · 2015-10-05T15:47:08.697

(This is a woefully late answer.) Bob are you asking for the IP address of the server that sent the reply, or the IP address for the name within a CNAME record? The canonical name (CNAME) data in a resource record (RR) portion of a DNS reply has only a domain name and a TTL. The name servers that I have tested against return an IP address for the CNAME answer in a different additional-info RR record.

If you want to read the original chapter and verse: https://www.ietf.org/rfc/rfc1035.txt

Here is a bit of Python code using dpkt that lets you generate and explore the contents of DNS replies.

import dpkt
import random
import socket

# build query
query_id = int(random.random() * 10000)
query = dpkt.dns.DNS(id=query_id)
my_q = dpkt.dns.DNS.Q(name="www.yahoo.com")
query.qd.append(my_q)

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.connect(("8.8.8.8", 53))
sock.send(str(query))
buf = sock.recv(0xffff)

# parse response
response = dpkt.dns.DNS(buf)
if query_id != response.id:
    print "Expected %d but received id %d" % (query_id, response.id)
elif response.qr != dpkt.dns.DNS_R:
    print "Not a response!"
elif response.opcode != dpkt.dns.DNS_QUERY:
    print "Not a query op!"
elif response.rcode != dpkt.dns.DNS_RCODE_NOERR:
    print "Not a successful response!"
elif len(response.an) == 0:
    print"Response has no answers!"
else:
    print "%d bytes received, id is %d" % (len(buf), response.id)
    for rr in response.an:
        print "AN: class is %d, type is %d, name is %s" % (rr.cls, rr.type, rr.name)
        if hasattr(rr, 'ip'):
            print "\tIP is %s" % socket.inet_ntoa(rr.ip)
    for rr in response.ns:
        print "NS: class is %d, type is %d, name is %s" % (rr.cls, rr.type, rr.name)
    for rr in response.ar:
        print "AR: class is %d, type is %d, name is %s" % (rr.cls, rr.type, rr.name)

The results that I see (sitting on the East coast):

240 bytes received, id is 5848
AN: class is 1, type is 5, name is www.yahoo.com
AN: class is 1, type is 1, name is fd-fp3.wg1.b.yahoo.com
    IP is 98.139.180.149
AN: class is 1, type is 1, name is fd-fp3.wg1.b.yahoo.com
    IP is 98.139.183.24
NS: class is 1, type is 2, name is wg1.b.yahoo.com
NS: class is 1, type is 2, name is wg1.b.yahoo.com
NS: class is 1, type is 2, name is wg1.b.yahoo.com
NS: class is 1, type is 2, name is wg1.b.yahoo.com
AR: class is 1, type is 1, name is yf2.yahoo.com
AR: class is 1, type is 1, name is yf1.yahoo.com
AR: class is 1, type is 1, name is yf3.a1.b.yahoo.net
AR: class is 1, type is 1, name is yf4.a1.b.yahoo.net

Read IP addresses and TTL from DNS response with dpkt

3 Answers3