Wireshark-users: Re: [Wireshark-users] Question about MDNS
From: "Terry Martin" <tmartin@xxxxxxxxxxxxxxxx>
Date: Mon, 24 May 2010 14:29:53 -0400
Thanks for the response; that answers the question for me. It probably is some lower-level communication that is being used, and the Wireshark dissector is interpreting it differently; the system is using this port for something else. This is a wireless service communicating from the MSC to a cell site.

Thanks again,
Terry Martin

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Monday, May 24, 2010 11:14 AM
To: Community support list for Wireshark
Cc: Jeff Parrott
Subject: Re: [Wireshark-users] Question about MDNS

On May 24, 2010, at 10:24 AM, Terry Martin wrote:

> I am sniffing wireless traffic and getting malformed MDNS packets.

More correctly, you are getting packets that Wireshark thinks should be dissected as MDNS packets, but where the Wireshark dissector is finding an error.

Unfortunately, TCP and UDP ports are, unlike, for example, Ethernet type values and IP protocol numbers, not all assigned *solely* for the use of a particular protocol. As such, although port 5353 is assigned to Multicast DNS (MDNS), there is no *guarantee* that a packet sent to or from port 5353 is an MDNS packet. (Well, technically, there's no guarantee that a packet with an Ethernet type of 0x0800 is an IPv4 packet, but machines that use 0x0800 for anything other than IPv4 will have a lot of difficulty working with any other equipment on an Ethernet, so that's a lot less likely.)

> Here is an example (I have changed the addresses to protect the innocent):
>
> No.  Time      Source      Destination   Protocol  Info
> 5    5.735756  10.1.17.32  178.27.05.50  MDNS      Standard query[Malformed Packet]
>
> Frame 5 (114 bytes on wire, 114 bytes captured)
> Ethernet II, Src: Dell_70:41:da (00:24:e8:27:41:da), Dst: AxiomTec_43:f9:0b (00:82:e0:43:f9:0b)
> Internet Protocol, Src: 10.1.17.32 (10.1.17.32), Dst: 178.27.05.50 (178.27.05.50)
> User Datagram Protocol, Src Port: mdns (5353), Dst Port: movaz-ssc (5252)
> Domain Name System (query)
> [Malformed Packet: DNS]

The error occurred so early in the dissection that I suspect that this is not, in fact, an MDNS packet.

The name of one of the biggest users of MDNS doesn't appear in the dissection of the Ethernet source or destination address, but Mac OS X and iPhone OS aren't the *only* OSes using it, so that doesn't inherently prove that it's not MDNS - for example, Apple has "Bonjour for Windows" software, so Windows can use MDNS as well (I don't know whether any other software for Windows, or newer versions of Windows itself, uses it), there exist MDNS implementations for UN*Xes other than OS X and iPhone OS, and I think, for example, some printers use it.

Axiomtek - the AxiomTec in the dissection of the destination address - is a maker of industrial PCs, so they might be using some industrial control protocol.

Port 5252 is apparently assigned to "Movaz SSC"; I'm not sure what "Movaz SSC" is, although there was a company "Movaz Networks" that made wavelength-division multiplexing equipment (i.e., frequency-division multiplexing at *extremely* high frequencies :-)), who were bought by ADVA Optical Networking.

What sort of traffic are you running on your network - especially any industrial control or specialized low-level network monitoring traffic? ("Low-level" in the sense of "well below the IP or other network-layer protocols", i.e. protocols that might deal with particular physical networking technologies.) That might be the protocol being used here.
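The point Guy makes above (a UDP port number does not make a payload MDNS, and the dissector fails almost at once when it is not) can be reproduced by hand on the raw payload. The following is an added example, not from the thread and not Wireshark's dissector code: a small Python checker that applies the early structural tests any DNS parser has to make (a 12-byte header, then walking the question names) to two constructed payloads, one a genuine MDNS query and one arbitrary bytes that merely use port 5353.

```python
import struct
# Fixed 12-byte DNS/MDNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")

def parse_name(buf, off):
    """Walk the labels of one name starting at off; return (name, offset after the name)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        n = buf[off]
        off += 1
        if n == 0:                        # root label terminates the name
            return ".".join(labels) or ".", off
        if n & 0xC0 == 0xC0:              # 2-byte compression pointer also ends the name
            if off >= len(buf):
                raise ValueError("truncated compression pointer")
            return ".".join(labels + ["<ptr>"]), off + 1
        if n > 63:
            raise ValueError("label length %d exceeds 63" % n)
        if off + n > len(buf):
            raise ValueError("label runs past end of packet")
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n

def check_dns(payload):
    """Return (True, summary) for a structurally sane DNS message, else (False, first problem)."""
    if len(payload) < DNS_HEADER.size:
        return False, "shorter than 12-byte DNS header"
    _ident, flags, qdcount, _an, _ns, _ar = DNS_HEADER.unpack_from(payload)
    names, off = [], DNS_HEADER.size
    try:
        for _ in range(qdcount):
            name, off = parse_name(payload, off)
            if off + 4 > len(payload):    # QTYPE + QCLASS must follow each QNAME
                raise ValueError("question for %s truncated" % name)
            names.append(name)
            off += 4
    except ValueError as err:
        return False, str(err)
    kind = "response" if flags & 0x8000 else "query"
    return True, "%s with %d question(s): %s" % (kind, qdcount, ", ".join(names))

# Constructed sample 1: a well-formed MDNS query, PTR for _services._dns-sd._udp.local
MDNS_QUERY = (bytes.fromhex("0000 0000 0001 0000 0000 0000")
              + b"\x09_services\x07_dns-sd\x04_udp\x05local\x00" + bytes.fromhex("000c 0001"))
# Constructed sample 2: arbitrary non-DNS bytes that happen to be sent from port 5353;
# the byte where a label length should be is 0x7f, which is rejected almost immediately
NOT_DNS = bytes.fromhex("1234 0000 0001 0000 0000 0000 7f de ad be ef")
```

Feeding the UDP payload of the flagged frame into check_dns in the same way tells you whether the "Malformed Packet" is a broken MDNS message or simply not DNS at all, which is the distinction that decides whether to tell Wireshark to decode port 5353 as something else.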
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
- References:
- [Wireshark-users] Question about MDNS
- From: Terry Martin
- Re: [Wireshark-users] Question about MDNS
- From: Guy Harris