1
votes

Q1 - Is it possible to capture DNS request/responses with the library?

Q2 - If yes, once I have the packet, does anyone have any sample code that shows how I could extract the fields from the DNS response? In particular, the IP address that DNS resolved for the given DNS name.

1
A DNS parser is in development for SharpPcap. Parsing the questions/answers dynamically for all use cases can get pretty hairy but it's on the todo list for the near future. - Evan Plaice
Evan - sorry for the revival of an ancient thread, but was the DNS parser for SharpPcap ever completed? I'm looking to parse DNS request and response packets using SharpPcap / Packet.Net but haven't found this in the latest downloads (or on the web). Thanks! - Omri Gazitt

1 Answers

3
votes

Yes, it's possible.

Sample code would be a bit on the long side, though...

In essence, you need to:

  1. extract the Ethernet header
  2. extract the IP header
  3. extract the UDP header [assuming the packet isn't fragmented, or using TCP]
  4. extract the DNS payload

then handle the rest of the packet according to the very thorough description given in RFC 1035.

In practice that means:

  1. ignore requests - all the info you need is in responses (QR == 1)
  2. check for RCODE == 0 and ANCOUNT > 0
  3. look in the Question section to find the name that was queried
  4. look for answers in the Answer (duh!) section

To further complicate matters you have to handle DNS labels (series of <count><data...> fields) and potentially handle compressed labels too!

This sounds nasty, but none of it is actually that hard. I have C++ code that does all this and it's not that long, but I can't release it.
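
The second list above, together with label and compressed-label handling, as an added C# example; it is not part of the original answer and is not the answerer's or SharpPcap's code. It assumes the byte array is the UDP payload (the DNS message) already extracted from the captured packet and .NET 5 or later; the names `DnsAnswers`, `ReadName`, `Parse` and `U16` are hypothetical, and the sample message is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

static class DnsAnswers {   // hypothetical names; input m is the UDP payload (the DNS message)
    static int U16(byte[] m, int i) => (m[i] << 8) | m[i + 1];
    // Decodes <count><data> labels starting at pos, following compression pointers.
    static string ReadName(byte[] m, ref int pos) {
        var sb = new StringBuilder();
        int p = pos, jumps = 0, end = -1;
        for (int len = m[p++]; len != 0; len = m[p++]) {
            if ((len & 0xC0) == 0xC0) {               // top two bits set: pointer
                if (++jumps > 16) throw new FormatException("compression pointer loop");
                if (end < 0) end = p + 1;             // caller resumes after the first pointer
                p = ((len & 0x3F) << 8) | m[p];       // 14-bit offset from message start
            } else {
                if (len > 63) throw new FormatException("reserved label type");
                sb.Append(Encoding.ASCII.GetString(m, p, len)).Append('.');
                p += len;
            }
        }
        pos = end < 0 ? p : end;
        return sb.ToString().TrimEnd('.');
    }

    // Returns A/AAAA addresses of a successful response; throws on truncated or malformed input.
    public static List<IPAddress> Parse(byte[] m, out string qname) {
        qname = null;
        var ips = new List<IPAddress>();
        int flags = U16(m, 2), qd = U16(m, 4), an = U16(m, 6), pos = 12;
        if ((flags & 0x8000) == 0 || (flags & 0x000F) != 0 || an == 0) return ips;  // QR, RCODE, ANCOUNT
        for (int i = 0; i < qd; i++) { qname = ReadName(m, ref pos); pos += 4; }    // skip QTYPE, QCLASS
        for (int i = 0; i < an; i++) {
            ReadName(m, ref pos);                             // owner name, usually a pointer
            int type = U16(m, pos), rdlen = U16(m, pos + 8);  // TYPE, CLASS, TTL(4), RDLENGTH
            if ((type == 1 && rdlen == 4) || (type == 28 && rdlen == 16))
                ips.Add(new IPAddress(m.AsSpan(pos + 10, rdlen)));
            pos += 10 + rdlen;
        }
        return ips;
    }
    static void Main() {
        // Constructed sample: response for "example.test", A 192.0.2.10, answer name compressed (C0 0C).
        byte[] msg = Convert.FromHexString("123481800001000100000000" + "076578616d706c65047465737400"
            + "00010001" + "c00c000100010000003c0004c000020a");
        var ips = Parse(msg, out string name);
        Console.WriteLine(name + " -> " + string.Join(", ", ips));
    }
}
```

Captured payloads are untrusted input: the pointer-jump limit stops compression loops, and a truncated or malformed message surfaces as an `IndexOutOfRangeException`, `ArgumentException` or `FormatException`, so catch those around `Parse` in a capture loop.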