decodedns

Decodes the DNS request and response packets.

Syntax

decodedns

Description

The output fields are as follows:

  • additionals: Other additional records (array)
  • answers: Answer resource records from the DNS server (array)
  • authorities: Authority resource records, i.e. the authoritative name servers for the zone (array)
  • bytes: Size (integer) of the DNS payload
  • direction: Direction of the transaction (string)
    • c->s: Request from the client
    • s->c: Response from the server
  • domain: Domain name being queried (string)
  • dst_ip: Destination IP address of the DNS transaction (IP address)
  • dst_port: Destination port of the DNS transaction (integer)
  • flags: DNS header flags. Refer to: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-12
  • ip: IP address resolved for the domain name (IP address)
  • src_ip: Source IP address of the DNS transaction (IP address)
  • src_port: Source port of the DNS transaction (integer)
  • status: Query result. If the response carries an error, the matching error name is shown:
    • FORMAT_ERROR: The DNS server could not interpret the request.
    • NAME_ERROR: The domain name in the request does not exist.
    • NO_ERROR: No error.
    • NOT_IMPLEMENTED: The DNS server does not support the requested kind of query.
    • REFUSED: The DNS server refused the request.
    • SERVER_FAILURE: The DNS server was unable to process the request due to an internal server error.
  • txid: DNS transaction ID (hexadecimal string)
  • type: DNS record type (strings such as A, AAAA, CNAME, MX, NS, PTR, SOA, SRV, TXT). Refer to: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4
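
To show how these fields are derived from the wire format, the following is an added Python example (not Logpresso's own decoder) that parses a constructed DNS response into the field names listed above; the byte layout follows RFC 1035, and the sample packet, the `ttl` key and the `RCODE_n` fallback are assumptions made for illustration.

```python
import struct

RCODE_NAMES = {0: "NO_ERROR", 1: "FORMAT_ERROR", 2: "SERVER_FAILURE", 3: "NAME_ERROR", 4: "NOT_IMPLEMENTED", 5: "REFUSED"}
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}

def read_name(data, off, depth=0):
    # Read a (possibly compressed) name; return (name, offset just after it)
    if depth > 8:  # defensive: a pointer loop in a crafted packet would otherwise recurse forever
        raise ValueError("compression pointer loop")
    labels = []
    while (length := data[off]) != 0:
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(data, ptr, depth + 1)[0]]), off + 2
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), off + 1

def decode_dns(payload):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    rec = {"txid": f"{txid:04x}", "flags": flags, "bytes": len(payload),
           "direction": "s->c" if flags & 0x8000 else "c->s",  # QR bit
           "status": RCODE_NAMES.get(flags & 0xF, f"RCODE_{flags & 0xF}"),  # RCODE nibble
           "answers": []}
    off = 12
    for _ in range(qd):  # question section: queried domain and record type
        rec["domain"], off = read_name(payload, off)
        rec["type"] = TYPE_NAMES.get(struct.unpack("!H", payload[off:off + 2])[0], "?")
        off += 4  # skip QTYPE + QCLASS
    for _ in range(an):  # answer section: resource records
        name, off = read_name(payload, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        rdata, off = payload[off + 10:off + 10 + rdlen], off + 10 + rdlen
        ans = {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)), "ttl": ttl}
        if rtype == 1 and rdlen == 4:  # A record: 4-byte IPv4 address
            ans["ip"] = ".".join(str(b) for b in rdata)
            rec.setdefault("ip", ans["ip"])  # first resolved address becomes the top-level ip field
        rec["answers"].append(ans)
    return rec

# Constructed sample (not a real capture): response to "example.com A" with one A record, RCODE 0
SAMPLE_RESPONSE = bytes.fromhex(
    "1a2b8180" "0001000100000000"             # txid, flags (QR=1 RD=1 RA=1), section counts
    "076578616d706c6503636f6d00" "00010001"   # question: example.com, type A, class IN
    "c00c" "00010001" "00000e10" "0004" "5db8d822")  # answer: name pointer to offset 12, TTL 3600
```

Calling `decode_dns(SAMPLE_RESPONSE)` yields `direction` "s->c", `status` "NO_ERROR", `domain` "example.com", `type` "A" and `ip` "93.184.216.34"; flipping the RCODE nibble in the flags word to 3 yields `status` "NAME_ERROR".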

Usage

Decode DNS packets from a pcap file.

pcapfile /opt/logpresso/pcap/abnormal_traffic.pcap | decodedns