One of the challenges with DNS is that it is a variable length binary protocol. For example: you ask for the ip address of www.mudynamics.com in your pcap. In the response when you create a assertion for the IP address Mu Studio will want to use a Range and offset to extract it. This works great until you feed in the requested name via an option and the length changes. For example you feed in "www.pcapr.net" to the request and want to get its IP in the response. Now, the offset is different because in the response it includes the name. "www.pcapr.net" has fewer characters then "www.mudynamics.net". Great! how do we fix it? In this case it is possible to use a regex instead of a range/offset but the default created regex will need some tweaking to make it more reliable. In a DNS answer you have a few parts. There is a type which indicates what the query was A, AAAA, NS, SRV etc. There is a class, a time to live, a length for the answer,and the actual answer. In our case we will use the following regex to capture the first IP address response in the answer of a type A query. \x00\x01\x00\x01. \x00\x04(. ) the first 4 represented bytes "\x00\x01\x00\x01" represent the Type and Class in the answer The ". " means to take anything in the next 4 bytes as that is the time to live and will change frequently. The next part, "\x00\x04" if teh length designator for the answer. The last part, "(. )" indicates that this is a selectable group and is made up of teh next 4 bytes regardless of what they are. Don't forget to decode as an ip_address of the appropriate type. Here is an example in msl of the assertion comparing it to the option $answer: # Standard query response A DNS_Standard_query_response_A_Client_Receive = DNS_Standard_query_response_A_Server_Send.client_receive { assertions { uint(0:16) == @DNS.src_port # Answer| ipv4_address(/\x00\x01\x00\x01. \x00\x04(. )/:1) == $answer } } Here is a screen shot from the Mu User Interface: