5

This will print the host names of DNS queries:

tshark -n -T fields -e dns.qry.name src port 53

How can I filter by the value of dns.qry.name (or get some reasonable proxy of that)? I've tried variations of tshark -n -T fields -e dns.qry.name src port 53 and dns query name contains '"foo"', but they are all invalid.

l0b0
  • 50,672
  • 41
  • 197
  • 360

1 Answer

5

It's more easily done with a display (wireshark) filter than with a capture (pcap) filter.

tshark -n -T fields -e dns.qry.name -f 'src port 53' -Y 'dns.qry.name contains "foo"'

See the pcap-filter man page for what you can do with capture filters. It's quite limited; you'd have to dissect the protocol by hand. Here, as an approximation, assuming the query name is always 0x20 bytes into the UDP packet (for DNS over UDP) and knowing that a query name shouldn't be longer than 253 bytes:

$ printf foo | xxd -p
666f6f
$ tshark -n -T fields -e dns.qry.name -f "src port 53 and $(awk '
    BEGIN{
      # udp[20] is the first byte of the question name: 8-byte UDP header
      # followed by the 12-byte DNS header. Walk up to 250 offsets, since a
      # name is at most 253 bytes long.
      for(i=0;i<250;i++) {
        # Each term stops at the 0 byte that terminates the name, otherwise
        # compares the 3 bytes at this offset with foo (0x666f6f). The terms
        # nest as (A0 && (B0 || (A1 && (B1 || ...)))), so c collects the
        # closing parentheses that are printed once the loop is done.
        printf sep "(udp[%d]!=0&&((udp[%d:4]&0xffffff00)==0x666f6f00", i+20, i+20
        c = c "))"; sep = "||"
      }
      print c
    }')"
Stéphane Chazelas
  • 522,931
  • 91
  • 1,010
  • 1,501
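The two approaches in the answer above (a display filter that dissects `dns.qry.name`, versus a capture filter that scans raw bytes from `udp[20]`) can be compared side by side without a capture interface. The following is an added example, not code from the question or the answer: it builds a constructed DNS response datagram (UDP header plus DNS message), decodes the question name the way the dissector does, emulates the hand-built pcap filter byte for byte (including BPF's rule that a load past the end of the packet rejects the packet), and regenerates the same nested expression the awk loop prints. The function names, the hypothetical names used as sample input, and the 3-byte needle restriction are this example's own assumptions.

```python
import struct

# Offsets inside the UDP datagram, as used by the pcap filter in the answer:
UDP_HDR = 8          # udp[0..7]  = UDP header
DNS_HDR = 12         # udp[8..19] = DNS header
QNAME_OFF = UDP_HDR + DNS_HDR   # udp[20] = first byte of the question name


def dns_udp_datagram(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample data: a UDP datagram (header + DNS message) carrying a
    response (src port 53) whose question section names `qname`."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QNAME, QTYPE, QCLASS IN
    dns = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question  # QR=1, QDCOUNT=1
    udp = struct.pack("!HHHH", 53, 40000, UDP_HDR + len(dns), 0)       # checksum left 0
    return udp + dns


def parse_qname(dns: bytes, offset: int = DNS_HDR) -> str:
    """Decode the dotted question name, which is what dns.qry.name shows.
    Compression pointers are followed so a malformed loop cannot hang us."""
    labels, seen = [], set()
    while True:
        if offset in seen:
            raise ValueError("compression loop in name")
        seen.add(offset)
        length = dns[offset]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer
            offset = struct.unpack("!H", dns[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(dns[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def display_filter_match(udp: bytes, needle: str) -> bool:
    """Equivalent of -Y 'dns.qry.name contains "<needle>"': dissect, then
    substring-test the decoded name."""
    return needle in parse_qname(udp[UDP_HDR:])


def capture_filter_match(udp: bytes, needle: bytes, max_len: int = 250) -> bool:
    """Emulate the hand-built pcap filter: starting at udp[20], stop at the 0 byte
    that ends the name, otherwise compare the next 3 bytes with the needle.
    BPF rejects a packet on any out-of-range load, mirrored here by False."""
    assert len(needle) == 3, "the filter in the answer compares exactly 3 bytes"
    for i in range(max_len):
        pos = QNAME_OFF + i
        if pos >= len(udp):
            return False            # udp[pos] load beyond the packet
        if udp[pos] == 0:
            return False            # end of name reached, no earlier match
        if pos + 4 > len(udp):
            return False            # udp[pos:4] load beyond the packet
        if udp[pos:pos + 3] == needle:
            return True
    return False


def bpf_expression(needle: bytes, max_len: int = 250) -> str:
    """Generate the nested pcap-filter expression the awk loop prints, e.g. to
    paste into -f or to inspect with tcpdump -d."""
    word = int.from_bytes(needle + b"\x00", "big")     # 3 needle bytes + 0x00
    terms = [f"(udp[{QNAME_OFF + i}]!=0&&((udp[{QNAME_OFF + i}:4]&0xffffff00)=={word:#010x}"
             for i in range(max_len)]
    return "||".join(terms) + "))" * max_len


if __name__ == "__main__":
    # Hypothetical names used only as sample input.
    for name in ("www.foo.example", "bar.example", "xfo.oy.example"):
        d = dns_udp_datagram(name)
        print(f"{name:20} display={display_filter_match(d, 'foo')} "
              f"capture={capture_filter_match(d, b'foo')}")
    print(bpf_expression(b"foo")[:80], "...")
```

The emulation makes the approximation's limits concrete: the byte scan only agrees with the dissector because every label-length byte is at most 63, so a length byte can never complete an ASCII needle, and a datagram truncated inside the name is dropped by the capture filter but would still be dissected by the display filter.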