Scapy: get DNSQR / DNSRR field values in character / string form

Question

Scapy: get DNSQR / DNSRR field values in character / string form

I am trying to decode DNS traffic and print request / response data, and I am using python / scapy to decode packets.

Code snippet:

def dns_sniff_v2(pkt):
    if IP in pkt:
        if pkt.haslayer(DNS):
            dns = pkt.getlayer(DNS)
            pkt_time = pkt.sprintf('%sent.time%')

            if pkt.haslayer(DNSQR):
                qr = pkt.getlayer(DNSQR) # DNS query
                values = [ pkt_time, str(ip_src), str(ip_dst), str(dns.id), str(qr.qname), str(qr.qtype), str(qr.qclass) ]

            print "|".join(values)

sniff(iface="eth0", filter="port 53", prn=dns_sniff_v2, store=0)

The problem is that qr.qtypeeither qr.qclassreturns me the internal internal representation of enum (1) instead of a symbolic string value ("A" or "IN"). The same applies to the response section of the DNSRR response packets.

How can I get the DNSQR or DNSRR field in symbolic form?

+4

python dns scapy

André fernandes Jan 05 '17 at 17:13

source share

1 answer

Yoel · Accepted Answer · 2017-01-08T10:22:52+0000

You can get a symbolic string value qr.qtypeand qr.qclassby calling the following:

qr.get_field('qtype').i2repr(qr, qr.qtype)
qr.get_field('qclass').i2repr(qr, qr.qclass)

, qr.get_field('qtype') qr.get_field('qclass') , :

qtype_field = qr.get_field('qtype')
qclass_field = qr.get_field('qclass')
...
qtype_field.i2repr(qr, qr.qtype)
qclass_field.i2repr(qr, qr.qclass)

Scapy: get DNSQR / DNSRR field values ​​in character / string form

More articles:

Scapy: get DNSQR / DNSRR field values in character / string form