Packet Analysis

DNS Activity

The DNS Activity analysis tool provides a high-level overview of the DNS traffic observed in the capture file. On the top right are links to pre-built bandwidth graphs for queries, responses, and both kinds of traffic.

The tool has four tabs, each covering a different aspect of the DNS traffic:

DNS Summary

The Summary tab has three pie charts: Queries, Responses, and Resource Record (RR) Types. Queries are divided into slices by DNS query type, Responses by response code (rcode), and RR Types by the record types found in the DNS responses.

Clicking on any slice of the pie will apply a display filter to your capture file for just those packets.

Response Stats

The Response Stats tab contains information about DNS responses such as response time, a breakdown of responses by server, and a chart showing DNS errors by server. This view is very useful if you are troubleshooting an environment with multiple DNS servers.

The DNS Server Response Time line chart plots the round-trip time from when a DNS query was sent until the matching DNS response was received. Long DNS response times stand out immediately in this view. Each server is displayed as a separate series and can be toggled on and off by clicking on the legend.

Clicking on a data point pops up the response frame.

Query List

The Query List is a detailed listing of every DNS request and response found in the capture file. Any column can be used to sort the entire table. The columns are:

  • Frame (request)
  • Client (source address of the request)
  • Type
  • Full Query
  • Domain
  • DNS Server (source address of the response)
  • Response (frame number)
  • Response Types
  • # of answers
  • Response Time (in seconds)
  • Error

Clicking on a row will display the Request packet in a popup. Clicking on the Response column will display the response packet instead.

Resolved Addresses

CloudShark extracts every host name and address resolved within the capture and lists them in this tool. It makes no additional external DNS queries; the list is built solely from the DNS responses inside the capture file.

Clicking on a row will bring you to the traffic from that host, as well as the DNS response and query for that name.
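To make the four views concrete, here is an added example, written for this page and not CloudShark's own code, that rebuilds them from raw DNS messages: it parses the DNS wire format (including name compression), pairs each query with its response, computes the round-trip time per server, counts query types, rcodes and RR types for the Summary, and builds the Resolved Addresses list purely from answers seen in the capture. The sample packets, addresses, transaction IDs and timestamps are all constructed inline, frame numbers are simply positions in that list, and the pairing rule (same client, server, transaction ID and question) is an assumption of this example, not a documented CloudShark behaviour.

```python
"""Added example (not CloudShark code): rebuild the DNS Activity views from DNS packets."""
import ipaddress
import struct
from collections import defaultdict

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPES = {1: "A", 5: "CNAME", 28: "AAAA"}

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # two-byte pointer into an earlier name
            if end is None:
                end = off + 2              # the caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                  # hostile input can build pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def parse_dns(msg):
    """Parse header, question and answer sections (authority/additional are skipped)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!HH", msg[off:off + 4])[0]))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in (1, 28):               # A / AAAA: render the packed address
            value = str(ipaddress.ip_address(rdata))
        elif rtype == 5:                   # CNAME: rdata is itself a (compressible) name
            value = read_name(msg, off)[0]
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, value))
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def build_query(txid, qname, qtype):   # recursive query (RD set) with one question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(txid, qname, qtype, rcode, answers):
    """Echo the question; each (rtype, rdata) answer's owner is a pointer to it (0xC00C)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def analyze(packets):
    """packets: (seconds, src, dst, DNS payload). Returns (summary, query list rows, resolved)."""
    pending, rows, resolved = {}, [], defaultdict(set)
    summary = {"queries": defaultdict(int), "rcodes": defaultdict(int), "rrtypes": defaultdict(int)}
    for frame, (t, src, dst, payload) in enumerate(packets, 1):   # frame number = position
        m = parse_dns(payload)
        qname, qtype = m["questions"][0]
        if not m["response"]:
            row = {"frame": frame, "client": src, "type": RRTYPES.get(qtype, qtype), "query": qname,
                   "server": dst, "response": None, "answers": 0, "rtt": None, "error": None}
            rows.append(row)
            summary["queries"][row["type"]] += 1
            # Assumed pairing rule: the response must come from the queried server to the querying
            # client with the same ID and question. Pairing on ID alone would let a stray or
            # forged response with a colliding ID claim the query.
            pending[(src, dst, m["id"], qname, qtype)] = (row, t)
            continue
        key = (dst, src, m["id"], qname, qtype)
        if key not in pending:
            continue                       # unsolicited response: left unpaired
        row, sent = pending.pop(key)
        rcode = RCODES.get(m["rcode"], m["rcode"])
        summary["rcodes"][rcode] += 1
        row.update(response=frame, answers=len(m["answers"]), rtt=round(t - sent, 6),
                   error=None if m["rcode"] == 0 else rcode)
        for name, rtype, value in m["answers"]:
            summary["rrtypes"][RRTYPES.get(rtype, rtype)] += 1
            if rtype in (1, 28):
                resolved[value].add(name)  # Resolved Addresses: built only from in-capture answers
    return {k: dict(v) for k, v in summary.items()}, rows, dict(resolved)

def response_times_by_server(rows):
    """Response Stats view: per-server (response frame, seconds); unanswered queries are skipped."""
    out = defaultdict(list)
    for r in rows:
        if r["rtt"] is not None:
            out[r["server"]].append((r["response"], r["rtt"]))
    return dict(out)

CLIENT, NS1, NS2 = "10.0.0.5", "10.0.0.53", "10.0.0.54"   # constructed addresses
PACKETS = [                                                # constructed sample capture
    (0.000, CLIENT, NS1, build_query(0x1234, "example.com", 1)),
    (0.012, NS1, CLIENT, build_response(0x1234, "example.com", 1, 0,
                                        [(1, bytes([93, 184, 216, 34])), (1, bytes([93, 184, 216, 35]))])),
    (0.020, CLIENT, NS2, build_query(0x1235, "bad.example", 1)),
    (0.030, CLIENT, NS1, build_query(0x1236, "example.com", 28)),
    (0.041, NS1, CLIENT, build_response(0x1236, "example.com", 28, 0,
                                        [(28, ipaddress.IPv6Address("2001:db8::1").packed)])),
    (0.050, CLIENT, NS2, build_query(0x1237, "example.org", 1)),
    (0.060, "198.51.100.9", CLIENT, build_response(0x1237, "example.org", 1, 0,   # right ID, wrong source
                                                   [(1, bytes([203, 0, 113, 9]))])),
    (0.420, NS2, CLIENT, build_response(0x1235, "bad.example", 1, 3, [])),       # slow NXDOMAIN
]
SUMMARY, ROWS, RESOLVED = analyze(PACKETS)

if __name__ == "__main__":
    print(SUMMARY, RESOLVED, response_times_by_server(ROWS), *ROWS, sep="\n")
```

Running it prints the Summary counts (three A and one AAAA query, two NOERROR and one NXDOMAIN response), a Query List with one row per request in which the example.org query stays unanswered because the only reply with its transaction ID came from an address it was never sent to, per-server response times that make the 400 ms NXDOMAIN from 10.0.0.54 obvious, and a Resolved Addresses list containing only the example.com addresses actually answered in the sample.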