dns-time.sh.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252" />
<title>dns-time.sh Information</title>
</head>

<body background="concret.jpg">
<center>
<h1>dns-time.sh Information</h1>
<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
</center>
<p>
This macro uses tshark to find DNS (port 53) queries and calculate the time between query and response. It differs from the dns.time value calculated by wireshark in that it calculates the time between the first response for transaction ID X and the first query for transaction X not the first response and last query for transaction X.
<p>
Three tables are output
<p>
The first shows the response time of a server to a query, the columns are<br>
&nbsp&nbsp&nbsp&nbspServer ID Type Name Rcode Response-time - Query-time = Delta-time<p>
The second is a list of unanswered queries, the columns are<br>
&nbsp&nbsp&nbsp&nbspServer ID Type Name Query-time<p>
Table 3 takes into account that the client may be using multiple name servers. If a query to the first name server times out and the query to the second name server gets a response the timing listed in table 1 is misleading from the perspective of the application making the query. Table 3 takes this into account, the columns are<br>
&nbsp&nbsp&nbsp&nbspClient ID Type Name Rcode Response-time - Query-time = Delta-time<br>
<br>
<br>
Where:
<ul>
<li>server
<br>&nbsp&nbsp&nbsp&nbsp&nbspIP address of the server the request is sent to</li>
<li>client
<br>&nbsp&nbsp&nbsp&nbsp&nbspIP address of the client sending the request</li>
<li>ID
<br>&nbsp&nbsp&nbsp&nbsp&nbspThis is the DNS ID of the query</li>
<li>Type
<br>&nbsp&nbsp&nbsp&nbsp&nbspThe type of query. The common ones are
<ul>
<li>1&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbspIPv4 Name query</li>
<li>28&nbsp&nbsp&nbsp&nbsp&nbspIPv6 Name query</li>
<li>12&nbsp&nbsp&nbsp&nbsp&nbspReverse IPv4 Name query (map an IP address back to a name)</li>
</ul>
</li>
<li>Name
<br>&nbsp&nbsp&nbsp&nbsp&nbspName being queried</li>
<li>Rcode
<br>&nbsp&nbsp&nbsp&nbsp&nbspThe response return code. The common ones are
<ul>
<li>0&nbsp&nbsp&nbsp&nbsp&nbsp&nbspNo error</li>
<li>2&nbsp&nbsp&nbsp&nbsp&nbsp&nbspServer failure</li>
<li>3&nbsp&nbsp&nbsp&nbsp&nbsp&nbspNo such name</li>
</ul>
</li>
<li>Response-time
<br>&nbsp&nbsp&nbsp&nbsp&nbspPacket arrival time of the first response</li>
<li>Query-time
<br>&nbsp&nbsp&nbsp&nbsp&nbspPacket arrival time of the first query (when the query was sent)</li>
<li>Delta-time
<br>&nbsp&nbsp&nbsp&nbsp&nbspThe time between Response-time  and Query-time</li>
</ul>
<p>


<b><h3>Usage</h3></b>
dns-time.sh FILE-NAME
<br><br>
<b>FILE-NAME</b>
<br>
The file name (or path to the file), This file must be readable by tshark.
<br><br>

<b><h3>Examples</h3></b>
Example 1 - Execute dns-time.sh
<center>
<table border=5>
<tr><td align=left>
<pre>                                                                   
$ ./dns-time.sh dns-5.pcap
dns-time.sh dns-5.pcap
Server       ID          Type  Name                          Rode  Respose-time        -  Query-time          =  Delta-time
192.168.1.1  0x0000525b  1     www.google.com                0     07:05:56.232112682  -  07:05:56.200239463  =  0.0318732
192.168.1.1  0x000055ea  1     www.yahoo.com                 0     07:07:03.773782319  -  07:07:03.750152377  =  0.0236299
192.168.1.1  0x0000782e  28    shavar.services.mozilla.com   0     07:06:46.897537139  -  07:06:46.867333311  =  0.0302038
192.168.1.1  0x00008fae  12    68.14.217.172.in-addr.arpa    0     07:06:01.293080000  -  07:06:01.268887445  =  0.0241926
192.168.1.1  0x0000ad3e  12    105.183.132.209.in-addr.arpa  0     07:06:31.359399184  -  07:06:31.330053050  =  0.029346
192.168.1.1  0x0000b138  1     shavar.services.mozilla.com   0     07:06:46.890625342  -  07:06:46.867178884  =  0.0234463
192.168.1.1  0x0000c88e  12    7.246.137.98.in-addr.arpa     0     07:07:08.854469819  -  07:07:08.831062646  =  0.0234072
192.168.1.1  0x0000d716  1     shavar.services.mozilla.com   0     07:06:46.893694560  -  07:06:46.867324151  =  0.0263705
192.168.1.1  0x0000f75d  1     redhat.com                    0     07:06:26.290750842  -  07:06:26.261252426  =  0.0294983


Unanswered queries

Server         ID          Type  Name                          Query-time
192.168.1.200  0x0000525b  1     www.google.com                07:05:51.194929081
192.168.1.200  0x00008fae  12    68.14.217.172.in-addr.arpa    07:05:56.263587445
192.168.1.200  0x0000f75d  1     redhat.com                    07:06:21.255980379
192.168.1.200  0x0000ad3e  12    105.183.132.209.in-addr.arpa  07:06:26.324725277
192.168.1.200  0x0000d716  1     shavar.services.mozilla.com   07:06:41.860566608
192.168.1.200  0x0000782e  28    shavar.services.mozilla.com   07:06:41.860675267
192.168.1.200  0x0000b138  1     shavar.services.mozilla.com   07:06:41.860713529
192.168.1.200  0x000055ea  1     www.yahoo.com                 07:06:58.744870465
192.168.1.200  0x0000c88e  12    7.246.137.98.in-addr.arpa     07:07:03.825721570


Applilcation observered delay for answered queries

Client         ID          Type  Name                          Rode  Respose-time        -  Query-time          =  Delta-time
192.168.1.152  0x0000525b  1     www.google.com                0     07:05:56.232112682  -  07:05:51.194929081  =  5.03718
192.168.1.152  0x000055ea  1     www.yahoo.com                 0     07:07:03.773782319  -  07:06:58.744870465  =  5.02891
192.168.1.152  0x0000782e  28    shavar.services.mozilla.com   0     07:06:46.897537139  -  07:06:41.860675267  =  5.03686
192.168.1.152  0x00008fae  12    68.14.217.172.in-addr.arpa    0     07:06:01.293080000  -  07:05:56.263587445  =  5.02949
192.168.1.152  0x0000ad3e  12    105.183.132.209.in-addr.arpa  0     07:06:31.359399184  -  07:06:26.324725277  =  5.03467
192.168.1.152  0x0000b138  1     shavar.services.mozilla.com   0     07:06:46.890625342  -  07:06:41.860713529  =  5.02991
192.168.1.152  0x0000c88e  12    7.246.137.98.in-addr.arpa     0     07:07:08.854469819  -  07:07:03.825721570  =  5.02875
192.168.1.152  0x0000d716  1     shavar.services.mozilla.com   0     07:06:46.893694560  -  07:06:41.860566608  =  5.03313
192.168.1.152  0x0000f75d  1     redhat.com                    0     07:06:26.290750842  -  07:06:21.255980379  =  5.03477
</pre>
</td></tr>
</table>
Figure 1
</center>
<p>

You can find this script at <a href="https://github.com/noahdavids/packet-analysis/blob/master/dns-time.sh">dns-time.sh</a>

<br /><br />
<h5><center>
<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
<br />
This page was last modified on 2019-10-20</h5>
</center>
<a href="mailto:noah@noahdavids.org"><img src="mailbox.gif" width="32" height="32" alt="mailbox" align="left" hspace=3>
Send comments and suggestions
<br />
to noah@noahdavids.org
</a>
</body>

</html>