tcpdump mailing list archives

Re: code seems to support 5353 - but pkts aren't printed as DNS, why?


From: Sam Roberts <sroberts () uniserve com>
Date: Wed, 5 Nov 2003 00:02:25 -0500

Thanks for your suggestion, current is looking good!

These lines look like the normal DNS output, somewhat:

23:41:13.770526 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0*- [0q] 2/0/0 PTR[|domain]
23:41:13.770773 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0*- [0q] 1/0/0 PTR[|domain]
23:41:14.572078 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0 PTR? _http._tcp.local. (34)
23:41:14.671165 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0 PTR? _http._tcp.local. (34)
23:41:20.889446 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0 [2a] PTR? _http._tcp.local. (107)
23:41:20.889674 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0*- [0q] 6/0/0[|domain]
23:41:21.014389 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0*- [0q] 3/0/0 (Class 32769) SRV[|domain]
23:41:21.890717 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0 [3a] PTR? _http._tcp.local. (130)

I'm not too sure what the [|domain] and (Class 32769) are. The [|domain] string wasn't in the
packet, what does it mean?

Thanks,
Sam

Btw:

3.7.2 built with no configure options, but -2003.11.04 needed --without-crypto
to avoid errors. If this is unexpected I can give more details.

gcc -O -DHAVE_CONFIG_H -I.  -I./missing -I/usr/include -c ./print-esp.c
./print-esp.c:79: undefined type, found `EVP_CIPHER'
./print-esp.c:231: undefined type, found `EVP_CIPHER'
./print-esp.c:361: undefined type, found `EVP_CIPHER_CTX'
cpp-precomp: warning: errors during smart preprocessing, retrying in basic mode
./print-esp.c:79: warning: no semicolon at end of struct or union
./print-esp.c:79: parse error before '*' token
./print-esp.c:84: parse error before '}' token
./print-esp.c: In function `esp_print_addsa':
./print-esp.c:95: sizeof applied to an incomplete type
./print-esp.c:99: dereferencing pointer to incomplete type
./print-esp.c:99: dereferencing pointer to incomplete type
./print-esp.c:104: dereferencing pointer to incomplete type
./print-esp.c: In function `esp_print_decode_onesecret':
./print-esp.c:140: storage size of `sa1' isn't known
./print-esp.c:148: sizeof applied to an incomplete type
./print-esp.c:231: syntax error before '*' token
./print-esp.c:259: `evp' undeclared (first use in this function)
./print-esp.c:259: (Each undeclared identifier is reported only once
./print-esp.c:259: for each function it appears in.)
./print-esp.c: In function `esp_init':
./print-esp.c:330: `SN_des_ede3_cbc' undeclared (first use in this function)
./print-esp.c: In function `esp_print':
./print-esp.c:361: `EVP_CIPHER_CTX' undeclared (first use in this function)
./print-esp.c:361: parse error before "ctx"
./print-esp.c:420: dereferencing pointer to incomplete type
./print-esp.c:421: dereferencing pointer to incomplete type
./print-esp.c:422: dereferencing pointer to incomplete type
./print-esp.c:438: dereferencing pointer to incomplete type
./print-esp.c:439: dereferencing pointer to incomplete type
./print-esp.c:440: dereferencing pointer to incomplete type
./print-esp.c:470: dereferencing pointer to incomplete type
./print-esp.c:471: dereferencing pointer to incomplete type
./print-esp.c:472: dereferencing pointer to incomplete type
./print-esp.c:474: dereferencing pointer to incomplete type
./print-esp.c:475: `ctx' undeclared (first use in this function)
./print-esp.c:476: dereferencing pointer to incomplete type
./print-esp.c:488: dereferencing pointer to incomplete type
make: *** [print-esp.o] Error 1


Quoting guy () alum mit edu, on Tue, Nov 04, 2003 at 08:20:46PM -0800:
> On Tue, Nov 04, 2003 at 10:58:57PM -0500, Sam Roberts wrote:
> > A quick look through the tcpdump code base makes it look like both 53
> > and 5353 are recognized as DNS ports, but when I dump the traffic on my
> > network, I don't see the pretty-printing of the contents of mDNS packets
> > as I do DNS packets.
> >
> > Any suggestions as to why?
>
> Because tcpdump 3.7.2 doesn't decode 5353 as DNS.
>
> > Can I get this to work like I want?
>
> Yes, by:
>
> > I am using tcpdump 3.7.2 on OS X, built from a .tgz I just downloaded.
>
> downloading a different tarball:
>
>       http://www.tcpdump.org/#current
>
> Get the "tcpdump-current.tar.gz" tarball and build that.
>
> (Or try upgrading to Panther - it has a tcpdump based on a post-3.7 CVS
> snapshot, and might decode 5353 as DNS.)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
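
Added example, not part of the original thread and not tcpdump's code: a small Python decoder showing the two things asked about in the message above. In mDNS the top bit of a record's class field is the cache-flush flag (RFC 6762), so 32769 is 0x8000 plus class 1 (IN), and tcpdump prints `[|domain]` when the captured bytes end before the DNS decoder is finished. The sample packet, the function names, the Ethernet/IPv4/UDP framing and the 68-byte snapshot length are assumptions made for the illustration.

```python
import struct

CACHE_FLUSH = 0x8000        # mDNS cache-flush bit: top bit of the rrclass field (RFC 6762)
LINK_IP_UDP = 14 + 20 + 8   # assumed framing: Ethernet + IPv4 without options + UDP

def read_name(buf, off):
    """Read an uncompressed DNS name; raise EOFError if the capture ends first."""
    labels = []
    while True:
        if off >= len(buf):
            raise EOFError
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("name compression is not handled in this example")
        if off + n > len(buf):
            raise EOFError
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def decode_answers(buf):
    """Return (records, truncated) for the answer section of a response with no questions."""
    if len(buf) < 12:
        return [], True
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    if qd:
        raise ValueError("question section is not handled in this example")
    records, off = [], 12
    try:
        for _ in range(an):
            name, off = read_name(buf, off)
            if off + 10 > len(buf):
                raise EOFError          # fixed fields cut off: the [|domain] case
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10 + rdlen
            if off > len(buf):
                raise EOFError          # rdata cut off
            records.append({"name": name, "type": rtype, "raw_class": rclass,
                            "class": rclass & 0x7FFF,
                            "cache_flush": bool(rclass & CACHE_FLUSH)})
    except EOFError:
        return records, True
    return records, False

# Constructed sample: one A record for host.local. with class 0x8001 (32769).
SAMPLE = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + b"\x04host\x05local\x00"
          + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([192, 168, 123, 103]))
```

Decoding `SAMPLE` whole yields class 1 with the cache-flush flag set; decoding only `SAMPLE[:68 - LINK_IP_UDP]` (the 26 DNS bytes that fit in a 68-byte snapshot) reports truncation, and capturing with a larger `-s` value avoids it.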

