IDS mailing list archives

DNS packet analysis.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 11 Dec 2002 15:37:40 -0500

Hello,

These packets were caught using a shadow IDS sensor. I was hoping that
somebody in the list could help me understand what is happening below.
I am familiar with snort and tcpdump, as well as the concept of packet
fragmentation. I am mostly interested in finding out about the DNS
requests being made, and why they come back fragmented.

TIA.

vjl

12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162
[1au][|domain] (DF)
12:15:24.152128 DNS.server.com.33795 > outside.guy.com.domain:  46806
[1au][|domain] (DF)
12:15:24.157454 DNS.server.com.33795 > outside.guy.com.domain:  9239
[1au][|domain] (DF)
12:15:24.158551 DNS.server.com.33795 > outside.guy.com.domain:  46805
[1au][|domain] (DF)
12:15:24.159592 DNS.server.com.33795 > outside.guy.com.domain:  50353
[1au][|domain] (DF)
12:15:24.160626 DNS.server.com.33795 > outside.guy.com.domain:  17807
[1au][|domain] (DF)
12:15:24.161826 DNS.server.com.33795 > outside.guy.com.domain:  19219
[1au][|domain] (DF)
12:15:24.163753 DNS.server.com.33795 > outside.guy.com.domain:  59633
[1au][|domain] (DF)
12:15:24.164545 DNS.server.com.33795 > outside.guy.com.domain:  18273
[1au][|domain] (DF)
12:15:24.165679 DNS.server.com.33795 > outside.guy.com.domain:  48440
[1au][|domain] (DF)
12:15:24.166673 DNS.server.com.33795 > outside.guy.com.domain:  61217
[1au][|domain] (DF)
12:15:24.167800 DNS.server.com.33795 > outside.guy.com.domain:  29311
[1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:
56162[|domain] (frag 48818:1480@0+)
12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)
12:15:24.295598 outside.guy.com.domain > DNS.server.com.33795:
46806[|domain] (frag 48819:1480@0+)
12:15:24.295649 outside.guy.com > DNS.server.com: (frag 48819:575@1480)
12:15:24.333422 outside.guy.com.domain > DNS.server.com.33795:
9239[|domain] (frag 48820:1480@0+)
12:15:24.333473 outside.guy.com > DNS.server.com: (frag 48820:575@1480)
12:15:24.360503 outside.guy.com.domain > DNS.server.com.33795:
46805[|domain] (frag 48821:1480@0+)
12:15:24.360554 outside.guy.com > DNS.server.com: (frag 48821:575@1480)
12:15:24.392889 outside.guy.com.domain > DNS.server.com.33795:
50353[|domain] (frag 48822:1480@0+)
12:15:24.392940 outside.guy.com > DNS.server.com: (frag 48822:575@1480)
12:15:24.428942 outside.guy.com.domain > DNS.server.com.33795:
17807[|domain] (frag 48823:1480@0+)
12:15:24.428994 outside.guy.com > DNS.server.com: (frag 48823:575@1480)
12:15:24.459730 outside.guy.com.domain > DNS.server.com.33795:
19219[|domain] (frag 48824:1480@0+)
12:15:24.459781 outside.guy.com > DNS.server.com: (frag 48824:575@1480)
12:15:24.494179 outside.guy.com.domain > DNS.server.com.33795:
59633[|domain] (frag 48825:1480@0+)
12:15:24.494232 outside.guy.com > DNS.server.com: (frag 48825:575@1480)
12:15:24.525783 outside.guy.com.domain > DNS.server.com.33795:
18273[|domain] (frag 48826:1480@0+)
12:15:24.525841 outside.guy.com > DNS.server.com: (frag 48826:575@1480)
12:15:24.559128 outside.guy.com.domain > DNS.server.com.33795:
48440[|domain] (frag 48827:1480@0+)
12:15:24.559176 outside.guy.com > DNS.server.com: (frag 48827:575@1480)
12:15:24.594751 outside.guy.com.domain > DNS.server.com.33795:
61217[|domain] (frag 48828:1480@0+)
12:15:24.594801 outside.guy.com > DNS.server.com: (frag 48828:575@1480)
12:15:24.624849 outside.guy.com.domain > DNS.server.com.33795:
29311[|domain] (frag 48829:1480@0+)
12:15:24.624903 outside.guy.com > DNS.server.com: (frag 48829:575@1480)
12:23:55.499215 DNS.server.com.33795 > outside.guy.com.domain:  4322
[1au][|domain] (DF)
12:23:55.641310 outside.guy.com.domain > DNS.server.com.33795:
4322[|domain] (frag 48830:1480@0+)
12:23:55.641364 outside.guy.com > DNS.server.com: (frag 48830:575@1480)
12:26:55.978869 ns2.lss.emc.com.61962 > outside.guy.com.domain:  40970
[1au][|domain] (DF)
12:26:56.127074 outside.guy.com.domain > ns2.lss.emc.com.61962:
40970[|domain] (frag 6266:1480@0+)
12:26:56.127125 outside.guy.com > ns2.lss.emc.com: (frag 6266:575@1480)


V.Jay LaRosa                           EMC Corporation
Information Security                  171 South Street
(508)249-3355 office                  Hopkinton, MA 01748
(508)498-5575 cell                     www.emc.com
(888)799-9750 pager                  larosa_vjay () emc com
(508)497-8082 fax
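The trace above can be read off without guessing at the payload: tcpdump's "[1au]" on each query means the query carries one additional record, which for a plain lookup is normally the EDNS0 OPT pseudo-record advertising a UDP buffer larger than the classic 512 bytes, and each reply then arrives as an IP datagram of 1480 + 575 = 2055 bytes split at the 1500-byte Ethernet MTU (1480 data + 20 IP header). The script below is an added example, not code from the post; it parses tcpdump's frag notation, groups fragments by IP ID, checks that the set reassembles without gaps, and reports the DNS message size and whether it exceeds what a non-EDNS resolver could have received. The sample lines are copied from the post's own output and re-joined one packet per line; the 20/8-byte header lengths and the 512-byte limit are standard protocol constants.

```python
"""Summarise fragmented DNS responses from tcpdump text (added example, not from the post)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the tcpdump format shown in the post (one packet per line).
SAMPLE = """\
12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162 [1au][|domain] (DF)
12:15:24.152128 DNS.server.com.33795 > outside.guy.com.domain:  46806 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)
12:15:24.295598 outside.guy.com.domain > DNS.server.com.33795: 46806[|domain] (frag 48819:1480@0+)
"""

FRAG_RE = re.compile(r"\(frag (?P<ipid>\d+):(?P<length>\d+)@(?P<offset>\d+)(?P<more>\+?)\)")
DNSID_RE = re.compile(r":\s+(?P<dnsid>\d+)")   # "<port>: <dns id>" right after the address pair
EDNS_RE = re.compile(r"\[\d+au\]")             # tcpdump's additional-record count (OPT RR => EDNS0)

IP_HEADER_LEN = 20      # frag lengths/offsets in tcpdump exclude the IP header
UDP_HEADER_LEN = 8
CLASSIC_DNS_MAX = 512   # RFC 1035 UDP payload ceiling without EDNS0


@dataclass
class Datagram:
    ip_id: int
    dns_id: Optional[int] = None
    frags: list = field(default_factory=list)   # (offset, length, more_fragments)

    def ip_payload_len(self) -> int:
        return sum(length for _, length, _ in self.frags)

    def complete(self) -> bool:
        # Fragments must tile [0, total) with no gaps and the last one must clear MF.
        frags = sorted(self.frags)
        if not frags or frags[0][0] != 0:
            return False
        expected = 0
        for offset, length, _more in frags:
            if offset != expected:
                return False
            expected = offset + length
        return not frags[-1][2]


def parse(text: str):
    """Return (queries, datagrams): DNS id -> had additional record, and IP id -> Datagram."""
    queries: dict = {}
    datagrams: dict = {}
    for line in text.splitlines():
        frag = FRAG_RE.search(line)
        dnsid = DNSID_RE.search(line)
        if frag is None:
            if dnsid:   # unfragmented line: in this trace these are the outbound queries
                queries[int(dnsid["dnsid"])] = bool(EDNS_RE.search(line))
            continue
        dg = datagrams.setdefault(int(frag["ipid"]), Datagram(int(frag["ipid"])))
        dg.frags.append((int(frag["offset"]), int(frag["length"]), frag["more"] == "+"))
        if frag["offset"] == "0" and dnsid:   # only the first fragment carries the UDP/DNS header
            dg.dns_id = int(dnsid["dnsid"])
    return queries, datagrams


def summarize(text: str) -> list:
    """One row per reassembled (or partial) response datagram."""
    queries, datagrams = parse(text)
    rows = []
    for dg in sorted(datagrams.values(), key=lambda d: d.ip_id):
        first_len = min(dg.frags)[1]            # length of the offset-0 fragment
        complete = dg.complete()
        ip_len = dg.ip_payload_len()
        dns_bytes = ip_len - UDP_HEADER_LEN if complete else None
        rows.append({
            "ip_id": dg.ip_id,
            "dns_id": dg.dns_id,
            "complete": complete,
            "ip_payload": ip_len,
            "dns_bytes": dns_bytes,
            "first_frag_mtu": first_len + IP_HEADER_LEN,   # 1480 + 20 = 1500: Ethernet MTU
            "edns_query": queries.get(dg.dns_id),
            "exceeds_classic": dns_bytes is not None and dns_bytes > CLASSIC_DNS_MAX,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run against the full trace, every response reassembles to a 2047-byte DNS message behind an EDNS0 query, which is exactly the pattern a resolver that advertises a large buffer produces; the `complete` flag is the check worth alerting on, since a burst of first fragments whose tails never arrive (or overlapping offsets) is what an IDS should care about, not large answers as such.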


