scapy: get DNSQR / DNSRR field values in symbolic/string form

Question

I'm trying to decode DNS traffic and print query/response data and I'm using python/scapy to decode the packets.

A code snippet:

def dns_sniff_v2(pkt):
    if IP in pkt:
        if pkt.haslayer(DNS):
            dns = pkt.getlayer(DNS)
            pkt_time = pkt.sprintf('%sent.time%')

            if pkt.haslayer(DNSQR):
                qr = pkt.getlayer(DNSQR) # DNS query
                values = [ pkt_time, str(ip_src), str(ip_dst), str(dns.id), str(qr.qname), str(qr.qtype), str(qr.qclass) ]

            print "|".join(values)

sniff(iface="eth0", filter="port 53", prn=dns_sniff_v2, store=0)

The problem is that qr.qtype or qr.qclass is getting me the enum's internal int representation (1) instead of the symbolic string value ("A", or "IN"). The same applies to the DNSRR section of response packets.

How can I get a DNSQR or DNSRR field in the symbolic form?

Answer 1

You can get the symbolic string value of qr.qtype and of qr.qclass by invoking the following:

qr.get_field('qtype').i2repr(qr, qr.qtype)
qr.get_field('qclass').i2repr(qr, qr.qclass)

---

Note that rather than invoking qr.get_field('qtype') and qr.get_field('qclass') over and over again, you can invoke it once in advance:

qtype_field = qr.get_field('qtype')
qclass_field = qr.get_field('qclass')
...
qtype_field.i2repr(qr, qr.qtype)
qclass_field.i2repr(qr, qr.qclass)