Wireshark-users: Re: [Wireshark-users] Question about MDNS
From: "Terry Martin" <tmartin@xxxxxxxxxxxxxxxx>
Date: Mon, 24 May 2010 14:29:53 -0400
Thanks for the response that answers the question for me.   It probable
is some lower level communication that is being used and Wireshark cant
dissector is interpreting it differently and the system is using this
port for something else.

This is a wireless service communicating from MSC to a cell site.

Thanks again'

Terry Martin

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Monday, May 24, 2010 11:14 AM
To: Community support list for Wireshark
Cc: Jeff Parrott
Subject: Re: [Wireshark-users] Question about MDNS


On May 24, 2010, at 10:24 AM, Terry Martin wrote:

> I am sniffing  wireless traffic and getting malformed MDNS packets.

More correctly, you are getting packets that Wireshark thinks should be
dissected as MDNS packets, but where the Wireshark dissector is finding
an error.

Unfortunately, TCP and UDP ports are, unlike, for example, Ethernet type
values and IP protocol numbers, not all assigned *solely* for the use of
a particular protocol.  As such, although port 5353 is assigned to
Multicast DNS (MDNS), there is no *guarantee* that a packet sent to or
from port 5353 is a MDNS packet.  (Well, technically, there's no
guarantee that a packet with an Ethernet type of 0x0800 is an IPv4
packet, but machines that use 0x0800 for anything other than IPv4 will
have a lot of difficulty working with any other equipment on an
Ethernet, so that's a lot less likely.)

> Here is an example ( I have changed the addresses to protect the
innocent) :
>  
> No.     Time        Source                Destination
Protocol Info
>       5 5.735756    10.1.17.32             178.27.05.50          MDNS
Standard query[Malformed Packet]
>  
> Frame 5 (114 bytes on wire, 114 bytes captured)
> Ethernet II, Src: Dell_70:41:da (00:24:e8:27:41:da), Dst:
AxiomTec_43:f9:0b (00:82:e0:43:f9:0b)
> Internet Protocol, Src: 10.1.17.32 (10.1.17.32), Dst: 178.27.05.50
(178.27.05.50)
> User Datagram Protocol, Src Port: mdns (5353), Dst Port: movaz-ssc
(5252)
> Domain Name System (query)
> [Malformed Packet: DNS]

The error occurred so early in the dissection that I suspect that this
is not, in fact, an MDNS packet.

The name of one of the biggest users of MDNS doesn't appear in the
dissection of the Ethernet source or destination address, but Mac OS X
and iPhone OS aren't the *only* OSes using it, so that doesn't
inherently prove that it's not MDNS - for example, Apple has "Bonjour
for Windows" software, so Windows can use MDNS as well (I don't know
whether any other software for Windows, or newer versions of Windows
itself, uses it), there exist MDNS implementations for UN*Xes other than
OS X and iPhone OS, and I think, for example, some printers use it.

Axiomtek - the AxiomTec in the dissection of the destination address -
is a maker of industrial PCs, so they might be using some industrial
control protocol.  Port 5252 is apparently assigned to "Movaz SSC"; I'm
not sure what "Movaz SSC" is, although there was a company "Movaz
Networks" that made wavelength-division multiplexing equipment (i.e.,
frequency-division multiplexing at *extremely* high frequencies :-)),
who were bought by ADVA Optical Networking.

What sort of traffic are you running on your network - especially any
industrial control or specialized low-level network monitoring traffic?
("Low-level" in the sense of "well below the IP or other network-layer
protocols", i.e. protocols that might deal with particular physical
networking technologies.)  That might be the protocol being used here.
________________________________________________________________________
___
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe