command line ID vs Wireshark transaction ID (dns.id)
Mark Andrews
marka at isc.org
Fri Aug 11 05:22:53 UTC 2017
Mark Andrews writes:
>
> What nameserver addresses are listed in /etc/resolv.conf?
> What interfaces are used to talk to those addresses?
> Is wireshark/tcpdump using all those interfaces?
>
>
> In message <42febb6a7bd44bd0a86a742eec39eca6 at mail.rrcic.com>, "John W. Blue" writes:
> > Mark,
> >
> > If only it was that easy!
> >
> > Because I have went through heaps and heaps of test configurations, I
> > can say with some confidence, that you have not actually tried to
> > correlate the values yourself in a similar fashion.
>
> I can say I've been debugging DNS for over 20 years and looked at
> hundreds of packet traces and never once had a the tools display
> the wrong id. And yes, I have needed to correlate packet with
> presentation in the past.
>
> > (insane is defined as doing the same thing over and expecting a different result, correct?)
> >
> > Before I composed this email I did one last tcpdump where I tested via the command:
> >
> > # rndc flush
> > # tcpdump -n -i bge1 -s0 -w airnav.pcap port domain
>
> Which shows the traffic from named to/from the world with a freshly
> started server. The server is forwarding to another server based
> on the contents of the responses.
Ignore the forwarding part. I misread the referral.
> What it isn't showing is the traffic to the nameserver from dig
> because that traffic isn't being captured by that dump.
>
> > The query command in another shell was:
> >
> > $ dig www.airnav.com.
> >
> > With a result of:
> >
> > ; <<>> DiG <<>> www.airnav.com.
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64934
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> >
> > ;; QUESTION SECTION:
> > ;www.airnav.com. IN A
> >
> > ;; ANSWER SECTION:
> > www.airnav.com. 300 IN A 206.125.168.131
>
> Which isn't the complete response. I'm guessing that the complete
> response would show that the server that answered was 127.0.0.1 or
> ::1. Even if it isn't those addresses but is a local address on
> the server the requests will be going over the loopback interface.
>
> e.g.
> % tcpdump -n -i lo0 not host ::1 and not host 127.0.0.1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
> 15:09:46.836099 IP 172.30.42.89.50389 > 172.30.42.89.53: 64151+ [1au] NS? . (40)
> 15:09:46.836144 IP 172.30.42.89 > 172.30.42.89: ICMP 172.30.42.89 udp port 53 unreachable, length 36
> 15:09:51.840127 IP 172.30.42.89.50389 > 172.30.42.89.53: 64151+ [1au] NS? . (40)
> 15:09:51.840192 IP 172.30.42.89 > 172.30.42.89: ICMP 172.30.42.89 udp port 53 unreachable, length 36
>
> > The screenshot of the resulting pcap is here:
> >
> > http://www.rfmapping.com/airnav.png
> >
> > Although I would expect transaction 0xc905 to be the one that produced the above dig results, for grins, none of the he
> > x transaction id's can be converted to match the id "64934".
> >
> > John
> >
> > -----Original Message-----
> > From: Mark Andrews [mailto:marka at isc.org]
> > Sent: Thursday, August 10, 2017 7:26 PM
> > To: John W. Blue
> > Cc: bind-users at lists.isc.org
> > Subject: Re: command line ID vs Wireshark transaction ID (dns.id)
> >
> >
> > Apply Occam's razor.
> >
> > The packet in wireshark is not the packet DiG displayed.
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list