
I have a problem with a pcap file. I created my pcap file with tcpdump using these options:

-v -i lo

Here is an example of my pcap file records in txt format:

11:15:47.746058 IP (tos 0x0, ttl 64, id 56805, offset 0, flags [DF], proto UDP (17), length 69) 127.0.0.1.56698 > 127.0.1.1.53: 445+ A? ess.makedreamprofits.ru. (41)
11:15:47.803647 IP (tos 0x0, ttl 64, id 45262, offset 0, flags [DF], proto UDP (17), length 132) 127.0.1.1.53 > 127.0.0.1.56698: 445 2/0/0 ess.makedreamprofits.ru. CNAME protimer-env.elasticbeanstalk.com., protimer-env.elasticbeanstalk.com. A 54.229.216.199 (104)
11:15:51.655797 IP (tos 0x0, ttl 64, id 57575, offset 0, flags [DF], proto UDP (17), length 80) 127.0.0.1.49602 > 127.0.1.1.53: 1585+ A? easylist-downloads.adblockplus.org. (52)
11:15:51.670853 IP (tos 0x0, ttl 64, id 46128, offset 0, flags [DF], proto UDP (17), length 112) 127.0.1.1.53 > 127.0.0.1.49602: 1585 2/0/0 easylist-downloads.adblockplus.org. A 144.76.137.80, easylist-downloads.adblockplus.org. A 78.46.93.235 (84)
11:15:51.738424 IP (tos 0x0, ttl 64, id 57591, offset 0, flags [DF], proto UDP (17), length 80) 127.0.0.1.30048 > 127.0.1.1.53: 4997+ A? easylist-downloads.adblockplus.org. (52)

I need to get from here: time, size of packet, src and dst IPs, TTL, domain and A-records. And I'm not able to get the domain and A-records :( Here is my code (it works):

#include <cstdio>    // printf
#include <cstdlib>   // system
#include <iostream>
#include <pcap.h>
#include <string>

using namespace std;

#define SIZE_ETHERNET 14
#define ETHER_ADDR_LEN 6

/* 4 bytes IP address */
typedef struct ip_address{
    u_char byte1;
    u_char byte2;
    u_char byte3;
    u_char byte4;
} ip_address;

/* IPv4 header */
typedef struct ip_header{
    u_char  ver_ihl;        // Version (4 bits) + Internet header length (4 bits)
    u_char  tos;            // Type of service 
    u_short tlen;           // Total length 
    u_short identification; // Identification
    u_short flags_fo;       // Flags (3 bits) + Fragment offset (13 bits)
    u_char  ttl;            // Time to live
    u_char  proto;          // Protocol
    u_short crc;            // Header checksum
    ip_address  saddr;      // Source address
    ip_address  daddr;      // Destination address
    u_int op_pad;         // Option + Padding
} ip_header;

/*
//UDP header
typedef struct udp_header{
    u_short sport;          // Source port
    u_short dport;          // Destination port
    u_short len;            // Datagram length
    u_short crc;            // Checksum
} udp_header;
*/

int main()
{
    string file = "log.pcap";
    char errbuff[PCAP_ERRBUF_SIZE];

    //file
    pcap_t *pcap = pcap_open_offline(file.c_str(), errbuff);
    if (pcap == NULL)
    {
        cerr << "pcap_open_offline failed: " << errbuff << endl;
        return 1;
    }

    //packet header
    struct pcap_pkthdr *header;

    //packet data
    const u_char *data;

    u_int packetCount = 0;
    ip_header* ip;
    //main loop
    while (pcap_next_ex(pcap, &header, &data) >= 0)
    {
        cout << ++packetCount << ") ";

        cout << "Packet size: " << header->len << " bytes\n";

        if (header->len != header->caplen)
            cout << "Warning! Capture size different than packet size: " << header->len << " bytes\n";

        cout << "Epoch Time: " << header->ts.tv_sec << ":" << header->ts.tv_usec << " seconds\n";

        //ip: the captured bytes must cover the Ethernet header and a minimal (20-byte) IPv4 header
        if (header->caplen < SIZE_ETHERNET + 20)
        {
            cout << "Packet too short for an IPv4 header, skipping\n\n";
            continue;
        }
        ip = (ip_header*) (data + SIZE_ETHERNET);
        //print ip address
        printf("%d.%d.%d.%d -> %d.%d.%d.%d\n",
            ip->saddr.byte1, ip->saddr.byte2, ip->saddr.byte3, ip->saddr.byte4,
            ip->daddr.byte1, ip->daddr.byte2, ip->daddr.byte3, ip->daddr.byte4
        );

        //ttl
        cout << "TTL: " << (unsigned int) ip->ttl << endl;

        cout << endl;
    }

    system("pause");
    return 0;
}

I use WinPcap, but I actually don't think that there is a big difference between WinPcap and libpcap. For me it's the same. So can you help me get the domain and A-records?

1 Answer

You would need to look only at the DNS UDP packets, and then decode according to RFC 1035.

Which seems like a lot of work when you could just look at the file with Wireshark.

infixed
  • I need to put those "strings" (domain and A-records) into my variables :( –  Mar 11 '16 at 20:23
  • It's probably a bit much to put in Stack Overflow. Perhaps a document more like http://www.ccs.neu.edu/home/amislove/teaching/cs4700/fall09/handouts/project1-primer.pdf would be OK for you – infixed Mar 12 '16 at 05:40
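The RFC 1035 decoding the answer points to, as an added C++ example that is not code from the question or the answer: it takes the DNS payload that follows the UDP header (in the question's framing that is data + SIZE_ETHERNET + (ip->ver_ihl & 0x0F) * 4 + 8, an assumption carried over from the question's own offsets) and returns the question name plus every A record, following name-compression pointers while rejecting truncated names and pointer loops. `sampleResponse()` is a constructed byte string rebuilding the 104-byte reply shown in the tcpdump output above; the function and struct names are this example's own.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Read one RFC 1035 name at m[off], following compression pointers; advances off past the name.
static bool readName(const std::vector<uint8_t>& m, size_t& off, std::string& name) {
    size_t pos = off; int hops = 0; bool jumped = false; name.clear();
    for (;;) {
        if (pos >= m.size()) return false;                           // truncated name
        uint8_t len = m[pos];
        if (len == 0) { if (!jumped) off = pos + 1; return true; }   // root label ends the name
        if ((len & 0xC0) == 0xC0) {                                  // compression pointer (14-bit offset)
            if (pos + 1 >= m.size() || ++hops > 16) return false;    // bounds check + pointer-loop guard
            if (!jumped) { off = pos + 2; jumped = true; }           // the name occupies 2 bytes here
            pos = ((len & 0x3F) << 8) | m[pos + 1]; continue;
        }
        if (len > 63 || pos + 1 + len > m.size()) return false;      // 0x40..0xBF reserved; label must fit
        if (!name.empty()) name += '.';
        name.append(reinterpret_cast<const char*>(&m[pos + 1]), len); pos += 1 + len;
    }
}
struct DnsResult { bool ok = false; std::string qname; std::vector<std::string> a; };
// Parse the DNS payload that follows the UDP header: first question name plus every A record.
static DnsResult parseDnsResponse(const std::vector<uint8_t>& m) {
    DnsResult r; if (m.size() < 12) return r;                        // r.ok stays false on malformed input
    uint16_t qd = (m[4] << 8) | m[5], an = (m[6] << 8) | m[7]; size_t off = 12; std::string n;
    for (uint16_t i = 0; i < qd; ++i, off += 4) {                    // question: NAME, QTYPE, QCLASS
        if (!readName(m, off, n) || off + 4 > m.size()) return r;
        if (i == 0) r.qname = n;
    }
    for (uint16_t i = 0; i < an; ++i) {                              // answer: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        if (!readName(m, off, n) || off + 10 > m.size()) return r;
        uint16_t type = (m[off] << 8) | m[off + 1], rdlen = (m[off + 8] << 8) | m[off + 9];
        off += 10; if (off + rdlen > m.size()) return r;             // RDATA must fit in the packet
        if (type == 1 && rdlen == 4)                                 // A record -> dotted quad
            r.a.push_back(std::to_string(m[off]) + "." + std::to_string(m[off + 1]) + "." +
                          std::to_string(m[off + 2]) + "." + std::to_string(m[off + 3]));
        off += rdlen;                                                // CNAME etc.: skip RDATA by RDLENGTH
    }
    r.ok = true; return r;
}
// Constructed sample (not from the capture file): the 104-byte reply tcpdump printed as "445 2/0/0 ess.makedreamprofits.ru. CNAME protimer-env.elasticbeanstalk.com., ... A 54.229.216.199 (104)".
std::vector<uint8_t> sampleResponse() {
    static const char s[] =
        "\001\275\201\200\0\001\0\002\0\0\0\0"                       // id 445, flags 0x8180, qd=1, an=2
        "\003ess\020makedreamprofits\002ru\0\0\001\0\001"            // QNAME, QTYPE A, QCLASS IN
        "\300\014\0\005\0\001\0\0\0\074\0\043"                       // ptr->QNAME, CNAME, IN, TTL 60, RDLENGTH 35
        "\014protimer-env\020elasticbeanstalk\003com\0"              // CNAME target, starts at offset 53
        "\300\065\0\001\0\001\0\0\0\074\0\004\066\345\330\307";      // ptr->offset 53, A, IN, TTL 60, 54.229.216.199
    return std::vector<uint8_t>(s, s + sizeof s - 1);                // drop the literal's trailing NUL
}
```

Only responses (QR bit set, check flags at bytes 2-3 of the header) carry answer records; for the queries in the capture the answer count is zero and the function returns just the question name.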