今年CISCN的Tough DNS 的前戏就是DNS协议分析
直接可以查找到flag的base64形式Zmxh


发现就是请求的dnslog 携带的数据

过滤器就是 dns
tshark -r dns.pcapng -T json -Y "dns" >1.json

字段选择 dns.qry.name
tshark -r dns.pcapng -T json -Y "dns" -e dns.qry.name >2.json
像往常一样提数据即可

import json
with open ("2.json","rb") as f:
    data=json.load(f)
    a=[]
for i in data:
    try:
        a.append(i['_source']['layers']['dns.qry.name'][0])
    except:
        continue
import re
re1=re.compile(r"(.*?)\.i6ov08\.dnslog\.cn")
output=[]
for i in a:
    try:
        dns=re1.search(i)[1]
        if dns not in output:
            output.append(dns)
    except:
        continue
for i in output:
    print(i)

做了简单的去重

ZmxhZ3tlNjYyYWMxNTRjYTM3NmUxYzAwMWVlOGJiZTgxMzE4Yn0K

flag{e662ac154ca376e1c001ee8bbe81318b}