Chapter 7 What domain is the user looking up in packet 15174?

7.1 Objects in memory/packages loaded from preceding chapters

Objects available:

  • read_zeek_log() — helper function to read Zeek log files (Chapter 3)
  • packets — data frame of PCAP packet data (Chapter 4)
  • conn — Zeek conn.log data (Chapter 5)

Packages loaded:

  • {tidyverse}

7.2 Question Setup

We’re finally getting into some interesting areas with our latest quest to discover what domain the user is looking up in packet 15174. PCAPs hold the entire conversation between a source and destination, including the contents of the data being exchanged. If encryption is not in the way it is possible to reconstruct that data (if the formats are known) and see what was being exchanged. Unencrypted DNS queries have a longstanding format that tshark, Zeek, and many other tools know how to decode.

This is a good quest to work through to see how to select specific packets and look at their contents.

7.3 Solving the quest with tshark

We learned about frame.number in the previous chapter and can use that knowledge to quickly arrive at the answer:

system("tshark -r maze/maze.pcapng frame.number == 15174", intern=TRUE)
## [1] "15174 126.315295572 fe80::b011:ed39:8665:3b0a → fe80::c80b:adff:feaa:1db7 DNS 104 Standard query 0x1ad5 A OPT"
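The one-line summary above is enough to answer the quest, but tshark can also hand back individual protocol fields, which is easier to work with than parsing the summary text. The following is an added example, not code from the book: it wraps the tshark call in a small R function that pulls the DNS query name for a single frame and refuses to return anything when the frame is not a DNS packet. It assumes tshark is on the PATH and the same capture path the chapter uses; the field names dns.flags.response and dns.qry.name are standard Wireshark field names.

```r
library(tidyverse)

# Added example (not the book's code): extract DNS fields for one frame.
# -Y selects the frame, -T fields / -e pick the fields, -E sets the separator.
dns_query_for_packet <- function(pcap, frame_number) {
  out <- system2(
    "tshark",
    c("-r", pcap,
      "-Y", sprintf("frame.number == %d", frame_number),
      "-T", "fields",
      "-e", "frame.number",
      "-e", "dns.flags.response",
      "-e", "dns.qry.name",
      "-E", "separator=,"),
    stdout = TRUE
  )
  if (length(out) == 0) {
    stop("frame ", frame_number, " not found in ", pcap)
  }
  res <- tibble(raw = out) %>%
    separate(raw, into = c("frame", "is_response", "qname"), sep = ",") %>%
    mutate(frame = as.integer(frame),
           is_response = suppressWarnings(as.integer(is_response)))
  # A non-DNS frame still prints a line, but with empty dns.* fields,
  # so check the name rather than trusting that a row came back.
  if (!nzchar(res$qname)) {
    stop("frame ", frame_number, " is not a DNS packet")
  }
  res
}

dns_query_for_packet("maze/maze.pcapng", 15174)
```

Returning a tibble rather than a bare string keeps the result in the same shape as the rest of the book's data, so it can be joined back to packets or conn later.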

7.4 Solving the quest with R and packets

We can perform nearly the same thing with the packets data frame in many ways. First with {dplyr}:

packets %>% 
  filter(
    packet_num == 15174
  ) %>% 
  select(info)
## # A tibble: 1 x 1
##   info                                     
##   <chr>                                    
## 1 Standard query 0x1ad5 A OPT

We can also rely on the fact that packet_num is sequential starting with 1, so we can just index the data frame directly:

packets[15174, "info", drop=TRUE] 
## [1] "Standard query 0x1ad5 A OPT"
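Indexing by row number is quick, but it silently returns the wrong packet as soon as packets has been filtered or re-ordered. The following is an added example, not code from the book: it guards that assumption before indexing and then reads the queried name out of the info column. It uses a constructed three-row stand-in for the packets data frame (the query name in it is made up) and assumes Wireshark's DNS summary places the name right after the record type.

```r
library(tidyverse)

# Constructed stand-in for the book's `packets` data frame (not real capture
# data): same two columns the chapter uses, with an invented query name.
demo_packets <- tibble(
  packet_num = c(1L, 2L, 3L),
  info = c(
    "Standard query 0x1ad5 A lookup.example.test OPT",
    "Standard query response 0x1ad5 A lookup.example.test A 192.0.2.10 OPT",
    "Application Data"
  )
)

# Direct row indexing is only safe when packet_num really is 1, 2, 3, ...
# A filtered or re-ordered frame breaks that, so check before indexing.
assert_sequential <- function(packets) {
  stopifnot(identical(packets$packet_num, seq_len(nrow(packets))))
  invisible(packets)
}

# Read the queried name out of the summary text for one packet.
# Returns NA when the info line is not a DNS query or response.
dns_query_name <- function(packets, n) {
  assert_sequential(packets)
  info <- packets[n, "info", drop = TRUE]
  str_match(info, "Standard query (?:response )?0x[0-9a-f]+ [A-Z]+ (\\S+)")[, 2]
}

dns_query_name(demo_packets, 1)
dns_query_name(demo_packets, 3)

# A re-ordered copy trips the guard instead of returning the wrong packet.
tryCatch(
  assert_sequential(demo_packets %>% arrange(desc(packet_num))),
  error = function(e) conditionMessage(e)
)
```

With the real packets data frame from Chapter 4, `dns_query_name(packets, 15174)` gives the same answer as the tshark summary, and the guard makes the shortcut safe to reuse in later chapters.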