Below is a DNS packet captured with Wireshark:
|   | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 5e | e9 | d3 | af | 3d | 4c | b0 | 10 | 41 | b9 | a0 | b7 | 08 | 00 | 45 | 00 |
| 2 | 00 | 38 | 12 | 40 | 00 | 00 | 40 | 11 | 32 | 38 | ac | 1e | bb | 02 | ac | 1b |
| 3 | 23 | 01 | ef | 82 | 00 | 35 | 00 | 24 | 1c | 0e | 05 | db | 01 | 00 | 00 | 01 |
| 4 | 00 | 00 | 00 | 00 | 00 | 00 | 03 | 70 | 6f | 70 | 02 | 71 | 71 | 03 | 63 | 6f |
| 5 | 6d | 00 | 00 | 01 | 00 | 01 |   |   |   |   |   |   |   |   |   |   |
First, let's look at the UDP datagram:
The source port is 0xef82, i.e. 61314; the destination port is 0x0035, i.e. 53.
The length field is 0x0024, i.e. 36 bytes, which is exactly the data from 3C to 5F (row 3, column C through row 5, column F).
Now the DNS message itself:
| Bytes | Field | Note |
|---|---|---|
| 05 db | Transaction ID | 0x05db, i.e. 1499; not sure what this means |
| 01 00 | Flags | |
| 00 01 | Questions | |
| 00 00 | Answers | |
| 00 00 | Authority RRs | |
| 00 00 | Additional RRs | |
The 16 bytes from 4G to 5F (row 4, column G through row 5, column F) are all the Queries section:
Specifically:
| Hex | 03 | 70 | 6f | 70 | 02 | 71 | 71 | 03 | 63 | 6f | 6d | 00 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ASCII | [ETX] | p | o | p | . | q | q | . | c | o | m | [null] |

Name: pop.qq.com
| Bytes | Field | Note |
|---|---|---|
| 00 01 | Type | A (host address); presumably this tells the server that an A record is wanted |
| 00 01 | Class | IN; still not sure what this means |
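As an added example (not part of the original post), here is a small Python parser that walks the captured bytes above: it checks the UDP length field against the bytes actually present, then decodes the 12-byte DNS header and the question section, with comments noting what the Transaction ID, the 0x0100 flags and class IN mean.

```python
import struct

# The 70-byte frame from the capture above (Ethernet + IPv4 + UDP + DNS), row by row.
FRAME = bytes.fromhex(
    "5ee9d3af3d4cb01041b9a0b70800450000381240000040113238ac1ebb02ac1b"
    "2301ef82003500241c0e05db0100000100000000000003706f7002717103636f"
    "6d0000010001"
)
ETH_HLEN, IP_HLEN = 14, 20          # 0x45: IPv4 with IHL = 5 words = 20 bytes
QTYPES, QCLASSES = {1: "A"}, {1: "IN"}

def parse_udp(frame: bytes) -> dict:
    """UDP header + payload. The length field covers the 8-byte header too."""
    udp = frame[ETH_HLEN + IP_HLEN:]
    sport, dport, length, cksum = struct.unpack("!HHHH", udp[:8])
    if length != len(udp):           # sanity check: 36 = 8 header + 28 DNS bytes
        raise ValueError(f"UDP length {length} != {len(udp)} bytes present")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": cksum, "payload": udp[8:]}

def read_name(msg: bytes, off: int) -> tuple:
    """Decode a DNS name: length-prefixed labels terminated by a 0x00 byte."""
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:                 # 11xxxxxx = compression pointer (RFC 1035)
            raise ValueError("compression pointers are not expected in a query")
        labels.append(msg[off:off + n].decode("ascii")); off += n

def parse_dns(msg: bytes) -> dict:
    """12-byte header followed by the single question."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": txid, "flags": flags,       # id is chosen by the client to match the reply
        "qr": flags >> 15,                # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,    # 0 = standard query
        "rd": (flags >> 8) & 1,           # 1 = recursion desired (0x0100 sets only this)
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": qname,
        "qtype": QTYPES.get(qtype, qtype),       # 1 = A (host address)
        "qclass": QCLASSES.get(qclass, qclass),  # 1 = IN (the Internet class)
    }

def parse_frame(frame: bytes = FRAME) -> dict:
    udp = parse_udp(frame)
    return {"udp": udp, "dns": parse_dns(udp["payload"])}
```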