Re: code seems to support 5353 - but pkts aren't printed as DNS, why?

[Guy Harris <guy () alum mit edu>]

On Wed, Nov 05, 2003 at 12:02:25AM -0500, Sam Roberts wrote:
> Thanks for your suggestion, current is looking good!
>
> These lines look like the normal DNS output, somewhat:
>
> 23:41:13.770526 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0*- [0q] 2/0/0 PTR[|domain]
> 23:41:13.770773 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0*- [0q] 1/0/0 PTR[|domain]
> 23:41:14.572078 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0 PTR? _http._tcp.local. (34)
> 23:41:14.671165 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0 PTR? _http._tcp.local. (34)
> 23:41:20.889446 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0 [2a] PTR? _http._tcp.local. (107)
> 23:41:20.889674 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0*- [0q] 6/0/0[|domain]
> 23:41:21.014389 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0*- [0q] 3/0/0 (Class 32769) SRV[|domain]
> 23:41:21.890717 IP 192.168.123.103.mdns > 224.0.0.251.mdns:  0 [3a] PTR? _http._tcp.local. (130)
>
> I'm not too sure what the [|domain] and (Class 32769) is.
> The [|domain] string wasn't in the packet, what does it mean?

It means that tcpdump, by default, captures only the first 68 bytes or
so of packet data, so the routine to print the DNS records had to stop
when it ran out of data.

"Class 32769" means that the class of the resource record was 0x8001,
which is 0x0001 (inet), with the "cache flush" bit set:

        http://www.ietf.org/internet-drafts/draft-cheshire-dnsext-multicastdns-02.txt

I've checked in a change to report that as "Cache flush" instead.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe