Wireshark-users: Re: [Wireshark-users] Question regarding capturing DNS packets with tshark
From: <bbrelin@xxxxxxxxx>
Date: Fri, 6 Jul 2012 02:37:03 +0100
Well, it's kinda complicated. :-) Basically the DNS server that I'm running Wireshark on is forwarding most of the requests to a second DNS server on our site which, in turn, is forwarding them off to a third party server on a completely different network. As far as I can tell, the client sends an A record query to the server that Wireshark is running on, and our server sends a response back. The problem is, there's nothing in the packet that indicates *what* the actual response is. The answer section is completely missing. Is this even allowed in the RFC?

Braun Brelin

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Maynard, Chris
Sent: 06 July 2012 02:20
To: Community support list for Wireshark; skendric@xxxxxxxxx
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets with tshark

Can you verify that the queries are being sent to and the responses are being received from the correct IP address(es) of the DNS server(s) on the machine that Wireshark is running on?

- Chris

________________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of bbrelin@xxxxxxxxx [bbrelin@xxxxxxxxx]
Sent: Thursday, July 05, 2012 8:47 PM
To: wireshark-users@xxxxxxxxxxxxx; skendric@xxxxxxxxx
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets with tshark

All I get is data that looks like this:

    40   eseye.com.mnc058.mcc234.gprs   <Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>
    441  eseye.com.mnc058.mcc234.gprs   <Root>
    442  eseye.com.mnc058.mcc234.gprs   <Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>,<Root>

Basically, the problem seems to be that there is no "answer" section in the DNS response packet. I don't get how that's possible, given that my DNS server can manually resolve the IP addresses if I do an nslookup on the server itself. For example:

    # nslookup eseye.com.mnc058.mcc234.gprs
    Server:   127.0.0.1
    Address:  127.0.0.1#53

    Non-authoritative answer:
    Name:     eseye.com.mnc058.mcc234.gprs
    Address:  195.10.99.228

This is totally confusing.

Braun Brelin

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Maynard, Chris
Sent: 06 July 2012 01:39
To: Community support list for Wireshark; skendric@xxxxxxxxx
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets with tshark

Maybe something like this helps?

    tshark -f "udp port 53" -T fields -e frame.number -e dns.qry.name -e dns.resp.name -e dns.resp.addr

- Chris

________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of bbrelin@xxxxxxxxx [bbrelin@xxxxxxxxx]
Sent: Thursday, July 05, 2012 8:02 PM
To: wireshark-users@xxxxxxxxxxxxx; skendric@xxxxxxxxx
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets with tshark

Also, if I do this:

    tshark -f "udp port 53"

I get output like:

    14.419251 10.180.2.81 -> 10.141.1.160 DNS Standard query response
    14.427052 10.141.1.160 -> 10.180.2.81 DNS Standard query A wap.cingular.mnc410.mcc310.gprs
    14.427236 10.180.2.81 -> 10.141.1.160 DNS Standard query response
    14.427842 10.141.1.160 -> 10.180.2.81 DNS Standard query A m2mdata.mnc033.mcc234.gprs
    14.428024 10.180.2.81 -> 10.141.1.160 DNS Standard query response
    14.435468 10.141.1.160 -> 10.180.2.81 DNS Standard query A wap.cingular.mnc410.mcc310.gprs
    14.435667 10.180.2.81 -> 10.141.1.160 DNS Standard query response
    14.436354 10.141.1.160 -> 10.180.2.81 DNS Standard query A m2mdata.mnc033.mcc234.gprs
    14.436536 10.180.2.81 -> 10.141.1.160 DNS Standard query response
    14.445096 10.141.1.160 -> 10.180.2.81 DNS Standard query A m2mdata.mnc033.mcc234.gprs
    14.445281 10.180.2.81 -> 10.141.1.160 DNS Standard query response
    14.452264 10.141.1.160 -> 10.180.2.81 DNS Standard query A m2mdata.mnc033.mcc234.gprs

Question: Why doesn't the line containing the "Standard query response" actually print out the response?

Braun Brelin

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of bbrelin@xxxxxxxxx
Sent: 06 July 2012 00:57
To: skendric@xxxxxxxxx; wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets with tshark

Stuart,

Thanks for the response. I changed it to tshark -s 512 -V port 53 udp. I'm still not getting what I want here... Here's some sample output...

    Domain Name System (response)
        [Request In: 12]
        [Time: 0.000264000 seconds]
        Transaction ID: 0xc837
        Flags: 0x8080 (Standard query response, No error)
            1... .... .... .... = Response: Message is a response
            .000 0... .... .... = Opcode: Standard query (0)
            .... .0.. .... .... = Authoritative: Server is not an authority for domain
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...0 .... .... = Recursion desired: Don't do query recursively
            .... .... 1... .... = Recursion available: Server can do recursive queries
            .... .... .0.. .... = Z: reserved (0)
            .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
            .... .... ...0 .... = Non-authenticated data: Unacceptable
            .... .... .... 0000 = Reply code: No error (0)
        Questions: 1
        Answer RRs: 0
        Authority RRs: 13
        Queries
            kindleatt1.amazon.com.mnc410.mcc310.gprs: type A, class IN
                Name: kindleatt1.amazon.com.mnc410.mcc310.gprs
                Type: A (Host address)
                Class: IN (0x0001)
        Authoritative nameservers
            <Root>: type NS, class IN, ns B.ROOT-SERVERS.NET
                Name: <Root>
                Type: NS (Authoritative name server)
                Class: IN (0x0001)
                Time to live: 41 days, 16 hours
                Data length: 20
                Name server: B.ROOT-SERVERS.NET
        <Lots more of the Authoritative nameserver records follow>

Finally, I get an "Additional records" section. Nothing that shows me the actual resolved IP address... There doesn't seem to be an "answer" section.

Thanks,
Braun Brelin

From: Stuart Kendrick [mailto:skendric@xxxxxxxxx]
Sent: 06 July 2012 00:48
To: Community support list for Wireshark
Cc: Brelin, Braun
Subject: Re: [Wireshark-users] Question regarding capturing DNS packets with tshark

Hi Braun,

I'm guessing that the frame you posted got truncated ... in the DNS frame I'm examining right now, directly after the 'Queries' section, is an 'Answers' section, which contains the IP address.

I don't have a story as to how that would happen though ... had you captured with 'tshark -s 64 -V port 53 udp', then we'd have a story ... but I see no sign of 'slicing' on your tshark command line.

hope this scoots you closer to an answer to your question,
--sk

On 7/5/2012 4:08 PM, bbrelin@xxxxxxxxx wrote:

Hi all,

I have a question regarding capturing DNS traffic with tshark. I do a fairly simple command:

    tshark -V port 53 udp

I'm getting output like so:

    Domain Name System (response)
        [Request In: 1]
        [Time: 0.000380000 seconds]
        Transaction ID: 0x0954
        Flags: 0x8080 (Standard query response, No error)
            1... .... .... .... = Response: Message is a response
            .000 0... .... .... = Opcode: Standard query (0)
            .... .0.. .... .... = Authoritative: Server is not an authority for domain
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...0 .... .... = Recursion desired: Don't do query recursively
            .... .... 1... .... = Recursion available: Server can do recursive queries
            .... .... .0.. .... = Z: reserved (0)
            .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
            .... .... .... 0000 = Reply code: No error (0)
        Questions: 1
        Answer RRs: 0
        Authority RRs: 13
        Additional RRs: 1
        Queries
            blackberry.net.mnc002.mcc505.gprs: type A, class IN
                Name: blackberry.net.mnc002.mcc505.gprs
                Type: A (Host address)
                Class: IN (0x0001)

This is in response to a query about an A record. My question is: Where is the actual IP address that gets returned in the DNS response? Basically, all I want to do is capture DNS queries and their responses and find out exactly what IP address is getting sent back to the client from the server.

Any help appreciated.

Braun Brelin

p.s. if Guy Harris is still on this mailing list, Hi there Guy! :)

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
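Added illustration (not code from the thread, from Wireshark or from any of the posters): the Python below constructs a response shaped like the one in the dumps above (NOERROR, 1 question, 0 answers, 13 <Root> NS records in the authority section) and a second one carrying the A answer that nslookup returned, then decodes both. The section counts come straight from the 12-byte header, so "Answer RRs: 0" is a property of the message itself, while a frame sliced short by -s fails the record walk instead of showing zero answers; build_response, parse_response and all packet bytes are this example's own constructions.

```python
# Added example (not from the thread): build and parse DNS responses in wire format
# to show what tshark's "Answer RRs: 0 / Authority RRs: 13" means. Packets are
# CONSTRUCTED to mirror the thread (ID 0xc837, flags 0x8080, <Root> NS, TTL 41d16h).
import struct

def _name(dotted):
    """Encode a dotted name as labels; '' encodes as <Root> (a single 0x00)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in dotted.split(".") if l) + b"\x00"

def build_response(qname, answer_ip=None, txid=0xC837, nscount=13):
    """NOERROR response: a root NS referral with no answers, or one A answer."""
    ancount, ns = (1, 0) if answer_ip else (0, nscount)
    hdr = struct.pack("!HHHHHH", txid, 0x8080, 1, ancount, ns, 0)
    body = _name(qname) + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        body += _name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    for i in range(ns):
        rdata = _name("%s.ROOT-SERVERS.NET" % chr(ord("A") + i))    # RDLENGTH is 20
        body += _name("") + struct.pack("!HHIH", 2, 1, 3600000, len(rdata)) + rdata
    return hdr + body

def _skip_name(buf, off):
    while True:                          # returns the offset just past the name at off
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:             # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_response(buf):
    """Decode flags and section counts, collect A answers, and detect sliced frames."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    info = {"id": txid, "qr": flags >> 15 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF, "questions": qd, "answers": an,
            "authority": ns, "additional": ar, "a_records": [], "complete": False}
    off = 12
    try:
        for _ in range(qd):
            off = _skip_name(buf, off) + 4
        for idx in range(an + ns + ar):
            off = _skip_name(buf, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            if idx < an and rtype == 1:  # A record in the Answer section: the resolved IP
                info["a_records"].append(".".join(map(str, buf[off + 10:off + 10 + rdlen])))
            off += 10 + rdlen
        info["complete"] = off == len(buf)  # every counted RR was present: not a sliced frame
    except (IndexError, struct.error):      # ran off the end: capture was sliced/truncated
        pass
    return info
```

Run parse_response on the bytes of a real response (for example a dns payload exported from the capture) to see the same header counts that tshark -V prints.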