@felixgr
Created January 15, 2018 14:23
Dissect DNS packet using tshark
~ $ curl -s 'https://dns.google.com/resolve?name=google.com&type=1&encoding=raw' | \
od -Ax -tx1 -v | text2pcap -q -u53,53 - /dev/stdout | tshark -nr /dev/stdin -V -O dns
Frame 1: 86 bytes on wire (688 bits), 86 bytes captured (688 bits)
Ethernet II, Src: 0a:01:01:01:01:01 (0a:01:01:01:01:01), Dst: 0a:02:02:02:02:02 (0a:02:02:02:02:02)
Internet Protocol Version 4, Src: 10.1.1.1 (10.1.1.1), Dst: 10.2.2.2 (10.2.2.2)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 53 (53)
Domain Name System (response)
    Transaction ID: 0x0000
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        google.com: type A, class IN
            Name: google.com
            [Name Length: 10]
            [Label Count: 2]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Answers
        google.com: type A, class IN, addr 172.217.16.174
            Name: google.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 299
            Data length: 4
            Address: 172.217.16.174 (172.217.16.174)