Using Wireshark to Analyze DNS Packet Logs

Just a quick note here, mostly as documentation for my future self. While working on the DNS parsing in pyatv, I wanted to run some of the logs reported in issues through Wireshark. The logs had the raw DNS message hex encoded, for example (from issue #919):

2021-01-09 22:15:43 DEBUG: Failed to decode message (Msg=35ff840000030003000000000b5f6170706c6574762d7632045f746370056c6f63616c00000c80010b5f746f7563682d61626c65c018000c8001085f616972706c6179c018000c8001c028000c00010000000a00131032444632453735303736333943323639c028c00c000c00010000000a00131032444632453735303736333943323639c00cc03a000c00010000000a0013104170706c65c2a0545620283431363729c03a)

I already had an idea of what was happening (the full stack trace says that the IDNA encoding can't decode 0xc2, which looks a lot like a pointer for DNS name compression)[1], but I wanted to run the message through Wireshark to get a better overview of the message without decoding it manually myself. Thankfully Wireshark can do this out of the box, but I just needed to format the hex dump a little bit:

# Assuming the hex bytes from the above log (35ff...c03a) are in $DNSMSG
echo "$DNSMSG" | xxd -r -p | od -Ax -tx1 -v > dns.hex

hexdump -r -p converts the hex back into binary data, while od -Ax -tx1 -v re-encodes it to hex, but adds offset numbers and splits it up like Wireshark wants. This could also be done by splitting up the input string without decoding and re-encoding it, but this way also lets me pipe it back into xxd to get a quick look at the ASCII representation as well.

After that, importing is done from within Wireshark, setting the options to add a dummy UDP header (with source and destination ports of both 5353 in my case).


  1. Turns out my hunch was wrong, 0xc0a0 was a non-breaking space in a domain name because DNS-SD allows UTF-8 domain names. ↩︎