Re: Display filter help need. how to do these filters? DNS /L2 overhead

[Guy Harris <guy () alum mit edu>]

On Feb 20, 2014, at 2:28 PM, Jim Aragon <Jim () agdatasystems com> wrote:

> On 2/20/2014 2:10 PM, false wrote:
>
> > Can someone provide an example please on how to do these filters
> > (display and/or capture)?
> >
> > 1) DNS filter to see how all UNANSWERED queries. ??
>
> Display filter: (dns.flags.response == 0) && !(dns.response_in)

Note that this requires that TShark be run in two-pass mode; in one-pass mode, it doesn't know, at the time the request 
is dissected, whether there's a response or not.

> Capture filter: I don't think you can do this with a capture filter.

You can't.  Capture filters maintain no state that persists from packet to packet, and the only way to match request 
packets that have no replies is to keep state of that sort (and it'd be even harder for capture filters, as you would 
have to delay the check for "unanswered" until a sufficient timeout to conclude that no answer is forthcoming).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe