Sometimes you want to see exactly what a computer or application is trying to communicate with. Obviously you can take a full network packet capture, filter the results and correlate the behaviour with the DNS traffic, but sometimes it is easier to watch these results live as they happen. One quick way to do this is to use Wireshark, though not the full GUI client but its command-line version, tshark. Tshark lets you filter on specific facets of DNS, giving you cleaner output, especially when you are only interested in the domains an application is talking to.
I needed to do some packet capturing in Windows, so I added a USB network interface to an ultrabook. Upon running Wireshark, the USB network adapter was conspicuous by its absence from the interface list. After a bit of mulling over, I wondered if WinPcap was not aware of the adapter, as these days WinPcap runs as a service. The service is called NPF (NetGroup Packet Filter). So: net stop npf and
You can use this Wireshark filter to restrict results to the network you are interested in: ip.addr == 10.10.0.0/16 Since we are not specifying a source or destination (i.e. ip.src or ip.dst), the filter will match both. If you want to reverse it: !(ip.addr == 10.10.0.0/16) I’ll often use the same method to filter the results on a specific IP address, preserving both ends of the conversation: ip.addr == 10.