[cs615asa] [CS615] About monitor DNS packets.

Tejas tnadkarn at stevens.edu
Sat Mar 24 17:04:38 EDT 2012


Hi,

Make sure you are running the tcpdump like this...

tcpdump -n -r filename udp port 53

This leaves IP addresses in and filters for only DNS traffic. You can do 
the same for tcp port 80 for HTTP.


Tejas


On 03/24/2012 04:48 PM, byu1 wrote:
> Hi All,
>
> For the first tcpdump exercise: Track down the packets in your tcpdump 
> referring to the DNS query from your DNS server to one of the root 
> servers, then to the various DNS servers before the DNS information is 
> returned to your server by one of Yahoo!'s authoritative DNS servers.
>
> The relevant packets I captured are shown below. I am not sure whether
> the output is right, since there is not much obvious information. Can
> anyone give me some advice?
>
> 16:33:40.126136 IP ip-10-28-31-11.ec2.internal.filenet-rmi > 
> ip-172-16-0-23.ec2.internal.domain: 17203+ AAAA? www.yahoo.com. (31)
> 16:33:40.126501 IP ip-10-28-31-11.ec2.internal.filenet-pa > 
> ip-172-16-0-23.ec2.internal.domain: 37454+ PTR? 
> 23.0.16.172.in-addr.arpa. (42)
> 16:33:40.126752 IP ip-172-16-0-23.ec2.internal.domain > 
> ip-10-28-31-11.ec2.internal.filenet-pa: 37454 1/13/4 PTR[|domain]
> 16:33:40.126865 IP ip-10-28-31-11.ec2.internal.filenet-pa > 
> ip-172-16-0-23.ec2.internal.domain: 29232+ PTR? 
> 11.31.28.10.in-addr.arpa. (42)
> 16:33:40.127064 IP ip-172-16-0-23.ec2.internal.domain > 
> ip-10-28-31-11.ec2.internal.filenet-pa: 29232 1/13/4 PTR[|domain]
> 16:33:40.432554 IP ip-172-16-0-23.ec2.internal.domain > 
> ip-10-28-31-11.ec2.internal.filenet-rmi: 17203 3/1/0 CNAME[|domain]
> 16:33:40.432733 IP ip-10-28-31-11.ec2.internal.filenet-pa > 
> ip-172-16-0-23.ec2.internal.domain: 42946+ A? www.yahoo.com. (31)
> 16:33:40.435703 IP ip-172-16-0-23.ec2.internal.domain > 
> ip-10-28-31-11.ec2.internal.filenet-pa: 42946 4/13/4 CNAME[|domain]
>
>
> Thanks,
> Bo
> _______________________________________________
> cs615asa mailing list
> cs615asa at lists.stevens.edu
> https://lists.stevens.edu/cgi-bin/mailman/listinfo/cs615asa
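
One way to check a capture like the one quoted above, as an added example that is not part of the original thread: it pairs each DNS query with its reply by client endpoint and transaction ID, flags reverse (PTR) lookups of the kind tcpdump itself generates when run without -n, and lists which servers the queries were sent to. The function names are hypothetical, and the sample input is the quoted packets re-joined to one line each.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the packets quoted in the question, re-joined to one
# line per packet (the mail client had wrapped them).
CAPTURE = """\
16:33:40.126136 IP ip-10-28-31-11.ec2.internal.filenet-rmi > ip-172-16-0-23.ec2.internal.domain: 17203+ AAAA? www.yahoo.com. (31)
16:33:40.126501 IP ip-10-28-31-11.ec2.internal.filenet-pa > ip-172-16-0-23.ec2.internal.domain: 37454+ PTR? 23.0.16.172.in-addr.arpa. (42)
16:33:40.126752 IP ip-172-16-0-23.ec2.internal.domain > ip-10-28-31-11.ec2.internal.filenet-pa: 37454 1/13/4 PTR[|domain]
16:33:40.126865 IP ip-10-28-31-11.ec2.internal.filenet-pa > ip-172-16-0-23.ec2.internal.domain: 29232+ PTR? 11.31.28.10.in-addr.arpa. (42)
16:33:40.127064 IP ip-172-16-0-23.ec2.internal.domain > ip-10-28-31-11.ec2.internal.filenet-pa: 29232 1/13/4 PTR[|domain]
16:33:40.432554 IP ip-172-16-0-23.ec2.internal.domain > ip-10-28-31-11.ec2.internal.filenet-rmi: 17203 3/1/0 CNAME[|domain]
16:33:40.432733 IP ip-10-28-31-11.ec2.internal.filenet-pa > ip-172-16-0-23.ec2.internal.domain: 42946+ A? www.yahoo.com. (31)
16:33:40.435703 IP ip-172-16-0-23.ec2.internal.domain > ip-10-28-31-11.ec2.internal.filenet-pa: 42946 4/13/4 CNAME[|domain]
"""

# Query:  "<time> IP <src> > <dst>: <id>+ <QTYPE>? <name> (<len>)"
QUERY = re.compile(r"^(\S+) IP (\S+) > (\S+): (\d+)\+? (\w+)\? (\S+) \(\d+\)$")
# Reply:  "<time> IP <src> > <dst>: <id> <answers>/<authority>/<additional> ..."
REPLY = re.compile(r"^(\S+) IP (\S+) > (\S+): (\d+) (\d+)/(\d+)/(\d+) ")

def _ts(stamp):
    return datetime.strptime(stamp, "%H:%M:%S.%f")

def pair_dns(text):
    """Match each query to its reply by (client endpoint, transaction id)."""
    pending, rows = {}, []
    for line in text.splitlines():
        if m := QUERY.match(line):
            t, src, dst, qid, qtype, name = m.groups()
            row = {"id": int(qid), "qtype": qtype, "name": name, "server": dst,
                   "reverse": qtype == "PTR" and name.endswith(".in-addr.arpa."),
                   "answers": None, "latency_us": None, "_t": _ts(t)}
            pending[(src, qid)] = row
            rows.append(row)
        elif m := REPLY.match(line):
            t, _src, dst, qid, answers, _ns, _ar = m.groups()
            row = pending.pop((dst, qid), None)  # reply goes back to the asker
            if row is not None:
                row["answers"] = int(answers)
                row["latency_us"] = (_ts(t) - row["_t"]) // timedelta(microseconds=1)
    return rows

def servers(rows):
    """Distinct endpoints that queries were sent to."""
    return {r["server"] for r in rows}

if __name__ == "__main__":
    found = pair_dns(CAPTURE)
    for r in found:
        print(r["id"], r["qtype"], r["name"], r["answers"], r["latency_us"], r["reverse"])
    print("servers queried:", servers(found))
```

On this input every query goes to the same server endpoint, and two of the four lookups are PTR queries for the addresses of the two hosts in the capture.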


