So I'm sniffing my DNS in Wireshark. There's way too much junk because the websites include many advertising tools, web tracking, etc. Is there some blacklist that contains all those pesky hostnames, so that I can purify my Wireshark a bit?

Current filter (it is growing fast):

dns && ! dns.qry.name matches "ytimg|apple|skype|google|akamai|yt3|arpa|youtube|microsoft|facebook|amazon|twitter|gravatar|instagram|azure|lastpass|trafficjunky|tumblr|gstatic" && ! ip.src_host matches "google"

1 Answer

The list of advertising tools, web tracking, etc. is infinite and changes daily, so you could try to use a list like others have provided, but it's not a scalable or reasonable solution. Instead, perhaps use the statistics features in Wireshark, or export and do some analysis to see abnormalities like the noisiest DNS entry, or the quiet ones, or the largest packets, or the hosts with changing IP addresses, etc.
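
The export-and-analyse approach from the answer above, as an added example that is not part of the original post: it ranks query names by volume, lists the rarely seen ones, and flags names that resolve to many distinct addresses. It assumes tab-separated input of query name and A records, such as `tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a` produces; the capture file name, the sample rows and the thresholds are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: <query name> TAB <comma-separated A records>.
SAMPLE = (
    "www.example.com\t192.0.2.10\n"
    "www.example.com\t192.0.2.10\n"
    "www.example.com\t192.0.2.10\n"
    "tracker.example.net\t198.51.100.1\n"
    "tracker.example.net\t198.51.100.2\n"
    "tracker.example.net\t198.51.100.3,198.51.100.4\n"
    "tracker.example.net\t198.51.100.5\n"
    "tracker.example.net\t198.51.100.1\n"
    "rare.example.org\t203.0.113.7\n"
    "WWW.example.com.\t\n"  # response without A records, different case
)

def summarize(tsv_text):
    """Return (responses per name, set of addresses per name)."""
    counts = Counter()
    addrs = defaultdict(set)
    for row in csv.reader(io.StringIO(tsv_text), delimiter="\t"):
        if not row or not row[0]:
            continue  # skip blank lines and rows without a query name
        name = row[0].lower().rstrip(".")  # DNS names are case-insensitive
        counts[name] += 1
        if len(row) > 1 and row[1]:
            addrs[name].update(a.strip() for a in row[1].split(",") if a.strip())
    return counts, addrs

def noisiest(counts, n=3):
    """Names seen most often, highest first."""
    return counts.most_common(n)

def quietest(counts, max_count=1):
    """Names seen at most max_count times; rare names are worth a look."""
    return sorted(name for name, c in counts.items() if c <= max_count)

def changing_ips(addrs, min_distinct=3):
    """Names that resolved to at least min_distinct different addresses."""
    return {n: sorted(ips) for n, ips in addrs.items() if len(ips) >= min_distinct}

if __name__ == "__main__":
    counts, addrs = summarize(SAMPLE)
    print("noisiest:", noisiest(counts))
    print("quietest:", quietest(counts))
    print("changing IPs:", changing_ips(addrs))
```

Large CDNs also rotate addresses, so the last list is a starting point for review rather than a verdict.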