Find the max value of TTL in DNS Wireshark

I have a pcap file which contains many DNS requests and responses, and I want to find the max value of the ttl field from all of these packets. For example:

If my pcap packets are the following:

  • DNS response ttl 1045
  • DNS response ttl 202
  • DNS response ttl 45
  • DNS response ttl 162
  • DNS response ttl 398

I want to find out how to receive the value 1045, or even the packet itself. It's all new to me, so please try to explain carefully.

Thanks to the helpers.

Lindly answered 14/6, 2018 at 12:56 Comment(4)
Fadge: Are you referring to the TTL field of the IP layer? That field is 8 bits wide, so its value can never exceed 255...
Lindly: No, I know it's a little confusing, but there's a field named Time To Live on DNS responses.
Fadge: Oh, right! I thought I checked, but I didn't look in the Authoritative nameservers records. Sorry about that! I'll update my answer.
Fadge: Updated. Same principle, different field.

To find the maximum TTL among packets from your pcap file, you could add a new TTL column and sort by this column.

To do this, you can right-click on one of the column names (e.g., Source), go to Column Preferences..., click the + sign at the bottom of the new window, and complete the new row that appears with a title and dns.resp.ttl as the Fields option.

If you go back to the main Wireshark window, you should have a new column, which you can use to sort packets.

Fadge answered 14/6, 2018 at 13:57 Comment(0)

You can also accomplish this by using command-line tools, which I find to be faster and simpler, and depending on your needs, can also be scripted. For example:

tshark -r file.pcap -Y dns.resp.ttl -T fields -e dns.resp.ttl -E aggregator=/s | sort -nr | head -1

This command:

  • Utilizes the Wireshark command-line companion capture tool tshark to read the given file, filtering only for those packets containing a dns.resp.ttl field and then writing only that field to stdout, which is then piped to sort
  • sort is then instructed to conduct a reverse numeric sort (so highest-to-lowest value instead of the default lowest-to-highest) and pipe that output to head
  • head -1 will then display only the 1st line of output (instead of the default 10 lines), which will be the largest value ... probably*.

Refer to the tshark man page for more details about the options I used, such as -Y and -e, and to the sort and head man pages for more details about those commands.

*You should know that it's possible for some DNS packets to contain more than one occurrence of the dns.resp.ttl field, so this command may not always give you the largest overall value if the largest value happens to be contained within a packet with multiple occurrences of that field and where it isn't the first occurrence. This is also true for the Wireshark solution though. In other words, when you sort the column from high-to-low, the largest value may not necessarily be the first one if a packet contains multiple occurrences of the field because the sort only takes into account the value of the first occurrence.

Arid answered 15/6, 2018 at 14:18 Comment(1)
Lindly: Thank you, but after running your command I found out that the largest number is achieved by: tshark -r file.pcap -Y dns.resp.ttl -T fields -e dns.resp.ttl -E aggregator=/s | sort -n | head -1 (no reverse usage)
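
The multiple-occurrence caveat in the answer above (a packet whose largest dns.resp.ttl is not its first one) can be handled by scanning every value on each tshark output line instead of letting sort look only at the leading number. The script below is an added example, not code from the original answers; it assumes tshark was run with -e frame.number added so the winning packet can be located, and it uses a constructed sample of that output rather than a real capture.

```shell
#!/bin/sh
# Reads lines of "frame.number<TAB>ttl [ttl ...]" on stdin, the shape produced by
#   tshark -r file.pcap -Y dns.resp.ttl -T fields -e frame.number -e dns.resp.ttl -E aggregator=/s
# and prints "<largest ttl> <frame number>", checking every TTL on each line
# rather than only the first one.
max_dns_ttl() {
    awk '
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                if (!seen || $i + 0 > max) { max = $i + 0; frame = $1; seen = 1 }
            }
        }
        END { if (seen) print max, frame }
    '
}

# The first-occurrence-only pipeline from the answer above, kept for comparison:
# sort -n orders each line by its leading number, so later TTLs on the line are ignored.
naive_first_only() {
    cut -f2 | sort -nr | head -1
}

# Constructed sample output (not from a real capture). Frame 12 carries three
# answer records, and its largest TTL, 1045, is not the first occurrence.
SAMPLE=$(printf '12\t300 1045 60\n15\t202\n20\t900 45\n')

max_from_sample()   { printf '%s\n' "$SAMPLE" | max_dns_ttl; }
naive_from_sample() { printf '%s\n' "$SAMPLE" | naive_first_only; }

# With a real capture, pipe tshark straight into the function instead of the sample:
#   tshark -r file.pcap -Y dns.resp.ttl -T fields -e frame.number -e dns.resp.ttl -E aggregator=/s | max_dns_ttl
```

On the sample, naive_from_sample reports the line starting with 900 while max_from_sample returns 1045 from frame 12, which is the discrepancy the footnote in the answer warns about.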
