1

I'm beginning with Python. I have a .pcap file captured by Wireshark, that contains a DNS query and response. I need to open this file and extract the requested hostname and returned record types and IP addresses. I've found several libraries capable of reading a pcap files, but i have no idea, which one will be most suitable for this. Can you please recommend something?

Youda008
  • 1,788
  • 1
  • 17
  • 35

1 Answers1

3

Scapy is a good one.

from scapy.all import *
from scapy.layers.dns import DNS, DNSQR

types = {0: 'ANY', 255: 'ALL',1: 'A', 2: 'NS', 3: 'MD', 4: 'MD', 5: 'CNAME',
         6: 'SOA', 7:  'MB',8: 'MG',9: 'MR',10: 'NULL',11: 'WKS',12: 'PTR',
         13: 'HINFO',14: 'MINFO',15: 'MX',16: 'TXT',17: 'RP',18: 'AFSDB',
         28: 'AAAA', 33: 'SRV',38: 'A6',39: 'DNAME'}

dns_packets = rdpcap('file.pcap')
for packet in dns_packets:
    if packet.haslayer(DNS):
        print(packet.show())
        dst = packet[IP].dst
        rec_type = packet[DNSQR].qtype
        print(dst, types[rec_type])

Example of output:

###[ Ethernet ]###
  dst       = 00:16:e3:19:27:15
  src       = 00:04:76:96:7b:da
  type      = 0x800
###[ IP ]###
     version   = 4L
     ihl       = 5L
     tos       = 0x0
     len       = 70
     id        = 0
     flags     = DF
     frag      = 0L
     ttl       = 64
     proto     = udp
     chksum    = 0xb753
     src       = 192.168.1.2
     dst       = 192.168.1.1
     \options   \
###[ UDP ]###
        sport     = 2128
        dport     = domain
        len       = 50
        chksum    = 0x8397
###[ DNS ]###
           id        = 12575
           qr        = 0L
           opcode    = QUERY
           aa        = 0L
           tc        = 0L
           rd        = 1L
           ra        = 0L
           z         = 0L
           ad        = 0L
           cd        = 0L
           rcode     = ok
           qdcount   = 1
           ancount   = 0
           nscount   = 0
           arcount   = 0
           \qd        \
            |###[ DNS Question Record ]###
            |  qname     = '2.1.168.192.in-addr.arpa.'
            |  qtype     = PTR
            |  qclass    = IN
           an        = None
           ns        = None
           ar        = None

('192.168.1.1', 'PTR')

The last line is the outgoing IP address and the record type. There is a bunch of data, just select what you need.

Tiger-222
  • 6,677
  • 3
  • 47
  • 60
  • 1
    Thank you. Even example :O that's awesome – Youda008 Sep 05 '16 at 18:38
  • I was unable to find a any kind of documentation on the scapy's functions and classes. For example i have no idea, what attributes the packet object has. On official website, there are only examples how to solve some tasks, but no real documentation. Is there a better documented library? – Youda008 Sep 06 '16 at 08:30
  • I'm going to use dpkt, it has API reference, although not complete, but at least something. I don't want to be realiable on stackoverflow, and ask question about every function or object or specific task. – Youda008 Sep 06 '16 at 10:31