Windows wireshark filter dns traffic
Sometimes you want to see exactly what a computer or application is trying to communicate with. Obviously you can take a full network packet capture, filter the results and correlate the behaviour with the DNS traffic, but sometimes it is easier to watch these results live as they happen. One quick way to do this is to use Wireshark, however not the full client but the command line version, tshark. Tshark allows you to filter on specific facets of DNS, giving you a cleaner output, especially when you are only interested in the domains that an application is talking to.

To get a list of domains we will be filtering DNS queries and responses. Before we start we need to work out which interface to capture on. List the current interfaces from the OS from a command prompt or terminal using: tshark -D. This will return a list of your current network interfaces/capture options. It is worth noting that you are not limited to physical interfaces. Other interesting options are virtual interfaces or remote interfaces. The same method described here is equally effective at monitoring DNS traffic for virtual machines or even VPN tun interfaces like GlobalProtect or Cisco AnyConnect. The interface I'm using in this example is my main wired interface en1. The above output has a selection of vmnet* (VMware Fusion) interfaces and gpd0 (Palo Alto GlobalProtect). Make a note from the above output of the number of the interface. In this case it is 3, which you need to pass with the -i flag. To start the capture use the following: tshark -i 3 -T fields -e ip.src -e -Y " eq 0"

Running this for 23s and doing a google ping gave the following output: A bit boring, but we can see the expected domain list including the google domain, and we can also see some activity from other background applications.
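The tshark command on this page has lost part of its field list and display filter in transit, and the capture output it refers to is not shown. As an added example (my code, not the original author's), the script below builds the command the post describes and then turns the tab-separated `-T fields` output into the domain list the post talks about. It assumes the missing `-e` field is `dns.qry.name` and the missing display filter is `dns.flags.response eq 0` (queries only, no responses); both are real tshark field names, but that they are what the author used is my assumption. The sample capture output embedded in the script is constructed for the demonstration, and the `.invalid` names in it are placeholders, not real domains.

```python
"""Added example, not the original post's code: build the tshark command
described on the page and summarise the DNS query names it prints.

Assumptions (the page's command is truncated, so these are filled in here):
  - the second -e field is dns.qry.name
  - the display filter is 'dns.flags.response eq 0' (queries only)
"""
import subprocess
from collections import Counter


def build_tshark_cmd(interface="3", duration_s=23):
    """Return the tshark argv. -T fields/-e print one tab-separated line per
    matching packet; -a duration:N stops the capture after N seconds, which
    matches the 23-second run the post mentions."""
    return [
        "tshark", "-i", str(interface), "-a", f"duration:{duration_s}",
        "-T", "fields", "-e", "ip.src", "-e", "dns.qry.name",
        "-Y", "dns.flags.response eq 0",
    ]


def parse_fields_output(text):
    """Parse '-T fields' output into (src_ip, query_name) tuples.

    tshark joins multiple occurrences of a field with ',' by default, so a
    single line may carry several names; lines with no name are skipped.
    Names are lower-cased and stripped of a trailing dot so that
    'Google.COM.' and 'google.com' count as the same query."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        src = parts[0].strip()
        for name in parts[1].split(","):
            name = name.strip().rstrip(".").lower()
            if name:
                rows.append((src, name))
    return rows


def registrable(name, labels=2):
    """Crude 'registrable domain' approximation: keep the last N labels.
    (Good enough to group www.google.com under google.com; it is wrong for
    multi-label public suffixes such as co.uk, which a real public-suffix
    list would handle.)"""
    return ".".join(name.split(".")[-labels:])


def domain_counts(rows):
    """Counter of full query names, e.g. {'www.google.com': 1}."""
    return Counter(name for _, name in rows)


def registrable_counts(rows):
    """Counter of queries grouped by registrable domain."""
    return Counter(registrable(name) for _, name in rows)


def run_capture(interface="3", duration_s=23):
    """Run tshark for real and return the parsed rows (needs tshark installed
    and capture privileges; not exercised by the constructed sample below)."""
    out = subprocess.run(build_tshark_cmd(interface, duration_s),
                         capture_output=True, text=True, check=True).stdout
    return parse_fields_output(out)


# Constructed sample of what '-T fields -e ip.src -e dns.qry.name' prints
# during a 'ping google.com' plus some background application chatter.
SAMPLE_OUTPUT = (
    "192.168.1.10\tgoogle.com\n"
    "192.168.1.10\twww.google.com\n"
    "192.168.1.10\tGoogle.COM.\n"
    "192.168.1.10\tupdate.example-vendor.invalid\n"
    "192.168.1.10\t\n"
    "192.168.1.10\ttelemetry.example-vendor.invalid\n"
)

if __name__ == "__main__":
    rows = parse_fields_output(SAMPLE_OUTPUT)
    for domain, n in registrable_counts(rows).most_common():
        print(f"{n:4d}  {domain}")
```

Swap `SAMPLE_OUTPUT` for `run_capture("3")` to use a live capture; the grouping by registrable domain is what makes the "background application" noise stand out from the domain you were actually testing.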