Menu
I'm trying to decode DNS traffic and print query/response data and I'm using python/scapy to decode the packets.
A code snippet:
def dns_sniff_v2(pkt):
if IP in pkt:
if pkt.haslayer(DNS):
dns = pkt.getlayer(DNS)
pkt_time = pkt.sprintf('%sent.time%')
if pkt.haslayer(DNSQR):
qr = pkt.getlayer(DNSQR) # DNS query
values = [ pkt_time, str(ip_src), str(ip_dst), str(dns.id), str(qr.qname), str(qr.qtype), str(qr.qclass) ]
print "|".join(values)
sniff(iface="eth0", filter="port 53", prn=dns_sniff_v2, store=0)
The problem is that qr.qtype or qr.qclass is getting me the enum's internal int representation (1) instead of the symbolic string value ("A", or "IN"). The same applies to the DNSRR section of response packets.
How can I get a DNSQR or DNSRR field in the symbolic form?
675
You can get the symbolic string value of qr.qtype and of qr.qclass by invoking the following:
qr.get_field('qtype').i2repr(qr, qr.qtype)
qr.get_field('qclass').i2repr(qr, qr.qclass)
Note that rather than invoking qr.get_field('qtype') and qr.get_field('qclass') over and over again, you can invoke it once in advance:
qtype_field = qr.get_field('qtype')
qclass_field = qr.get_field('qclass')
...
qtype_field.i2repr(qr, qr.qtype)
qclass_field.i2repr(qr, qr.qclass)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
