tcpdump mailing list archives

Re: is tcpdump supposed to behave like this?


From: Michael Tuexen <Michael.Tuexen () lurchi franken de>
Date: Mon, 1 Jul 2013 16:11:00 +0200

On Jul 1, 2013, at 3:32 PM, Téssio Fechine <tessiof () gmail com> wrote:

Hello,
I was trying to analyze the traffic generated by this command:

root@atena:~# dig  rt-dq.quimica.ufpb.br @150.165.145.1

But I noticed that when the option '-w file' was not used, the tcpdump
capture changed:

** WITH -w (2 packets captured):
root@atena:~# tcpdump -pi eth0 port 53 -w dns.dump
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes
^C2 packets captured
4 packets received by filter
0 packets dropped by kernel
root@atena:~# tcpdump -r dns.dump
reading from file dns.dump, link-type EN10MB (Ethernet)
09:27:36.961325 IP atena.nti.ufpb.br.53124 > rt-dq.quimica.ufpb.br.domain:
47498+ A? rt-dq.quimica.ufpb.br. (39)
09:27:36.964252 IP rt-dq.quimica.ufpb.br.domain > atena.nti.ufpb.br.53124:
47498*- 1/3/0 A 150.165.145.1 (107)

** WITHOUT -w (8 packets captured):
root@atena:~# tcpdump -pi eth0 port 53
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:28:46.192113 IP atena.nti.ufpb.br.44510 > rt-dq.quimica.ufpb.br.domain:
43490+ A? rt-dq.quimica.ufpb.br. (39)
09:28:46.193493 IP atena.nti.ufpb.br.48548 >
dns-cache-2.bbn.ufpb.br.domain: 13528+ PTR? 1.145.165.150.in-addr.arpa. (44)
09:28:46.193851 IP rt-dq.quimica.ufpb.br.domain > atena.nti.ufpb.br.44510:
43490*- 1/3/0 A 150.165.145.1 (107)
09:28:46.194279 IP dns-cache-2.bbn.ufpb.br.domain >
atena.nti.ufpb.br.48548: 13528 1/2/3 PTR rt-dq.quimica.ufpb.br. (198)
09:28:46.194540 IP atena.nti.ufpb.br.41682 >
dns-cache-2.bbn.ufpb.br.domain: 33671+ PTR? 13.250.165.150.in-addr.arpa.
(45)
09:28:46.195187 IP dns-cache-2.bbn.ufpb.br.domain >
atena.nti.ufpb.br.41682: 33671 1/2/3 PTR atena.nti.ufpb.br. (195)
09:28:46.195462 IP atena.nti.ufpb.br.51372 >
dns-cache-2.bbn.ufpb.br.domain: 36444+ PTR? 3.255.165.150.in-addr.arpa. (44)
09:28:46.196094 IP dns-cache-2.bbn.ufpb.br.domain >
atena.nti.ufpb.br.51372: 36444 1/2/3 PTR dns-cache-2.bbn.ufpb.br. (200)
^C
8 packets captured
10 packets received by filter
0 packets dropped by kernel

I also tried with tshark, and got the same 2 packets as when using tcpdump
with -w:

root@atena:~# tshark -pf "port 53" -i eth0
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 150.165.250.13 -> 150.165.145.1 DNS 85 Standard query A
rt-dq.quimica.ufpb.br
 0.002514 150.165.145.1 -> 150.165.250.13 DNS 153 Standard query response
A 150.165.145.1
^C2 packets captured


I tried this MANY times, and always got the same results. Is tcpdump
supposed to work like this?

If you run
tcpdump -n -pi eth0 port 53
then tcpdump will not do DNS lookups for its output...

Best regards
Michael
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
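To make Michael's point concrete: the six extra packets in the second capture are tcpdump's own reverse lookups (PTR queries for in-addr.arpa names, one per address it had to print) plus their answers, which match the very filter being captured. The script below is an added example, not code from the thread or from tcpdump; it parses tcpdump's one-line DNS summaries (a constructed sample modelled on the output above, with wrapped lines joined) and separates the analyst's real traffic from the resolver artifacts by pairing each PTR query with its response through the transaction ID.

```python
import re

# Constructed sample, one packet per line, modelled on the tcpdump output in the
# thread (the original wraps long lines). "atena" is the capturing host; the PTR
# queries are what tcpdump's own name resolution adds when -n is not given.
SAMPLE = """\
09:28:46.192113 IP atena.nti.ufpb.br.44510 > rt-dq.quimica.ufpb.br.domain: 43490+ A? rt-dq.quimica.ufpb.br. (39)
09:28:46.193493 IP atena.nti.ufpb.br.48548 > dns-cache-2.bbn.ufpb.br.domain: 13528+ PTR? 1.145.165.150.in-addr.arpa. (44)
09:28:46.193851 IP rt-dq.quimica.ufpb.br.domain > atena.nti.ufpb.br.44510: 43490*- 1/3/0 A 150.165.145.1 (107)
09:28:46.194279 IP dns-cache-2.bbn.ufpb.br.domain > atena.nti.ufpb.br.48548: 13528 1/2/3 PTR rt-dq.quimica.ufpb.br. (198)
09:28:46.194540 IP atena.nti.ufpb.br.41682 > dns-cache-2.bbn.ufpb.br.domain: 33671+ PTR? 13.250.165.150.in-addr.arpa. (45)
09:28:46.195187 IP dns-cache-2.bbn.ufpb.br.domain > atena.nti.ufpb.br.41682: 33671 1/2/3 PTR atena.nti.ufpb.br. (195)
09:28:46.195462 IP atena.nti.ufpb.br.51372 > dns-cache-2.bbn.ufpb.br.domain: 36444+ PTR? 3.255.165.150.in-addr.arpa. (44)
09:28:46.196094 IP dns-cache-2.bbn.ufpb.br.domain > atena.nti.ufpb.br.51372: 36444 1/2/3 PTR dns-cache-2.bbn.ufpb.br. (200)
"""

# "<ts> IP <src> > <dst>: <txid><flags> <rest>"; flags are tcpdump's +, * and -.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)(?P<flags>[+*-]*) (?P<rest>.*)$"
)
# A query summary looks like "A? name. (39)"; responses start with the n/n/n counts.
QUERY_RE = re.compile(r"^(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")


def split_capture(text):
    """Return (wanted, artifacts): lines belonging to the analyst's own DNS
    exchange versus the PTR lookups (and their answers) a tcpdump run without
    -n generates while printing. Pairing is by transaction ID only, so it is
    a triage heuristic, not a guarantee against ID collisions."""
    artifact_ids, wanted, artifacts = set(), [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DNS summary line (e.g. the "listening on" banner)
        q = QUERY_RE.match(m["rest"])
        txid = m["txid"]
        # A reverse lookup (in-addr.arpa / ip6.arpa) is resolver noise from the
        # capture host; remember its ID so the matching answer is filed with it.
        if q and q["qtype"] == "PTR" and q["qname"].endswith((".in-addr.arpa.", ".ip6.arpa.")):
            artifact_ids.add(txid)
        (artifacts if txid in artifact_ids else wanted).append(line)
    return wanted, artifacts


if __name__ == "__main__":
    kept, noise = split_capture(SAMPLE)
    print(f"{len(kept)} packets from the dig, {len(noise)} added by tcpdump's resolver")
```

Run against the sample it reports the 2 packets the -w and tshark captures showed, and the 6 that only appear when tcpdump resolves names; passing -n (or writing with -w and reading back with -r -n) avoids generating them in the first place.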

