Thanks, everyone! I can see it clearly now..
2013/7/1 Guy Harris <g...@alum.mit.edu> > > On Jul 1, 2013, at 6:32 AM, Téssio Fechine <tess...@gmail.com> wrote: > > > Hello, > > I was trying to analyze the traffic generated by this command: > > > > root@atena:~# dig rt-dq.quimica.ufpb.br @150.165.145.1 > > > > But I noticed that when the option '-w file' was not used, the tcpdump > > capture changed: > > > > ** WITH -w (2 packets captured): > > root@atena:~# tcpdump -pi eth0 port 53 -w dns.dump > > tcpdump: WARNING: eth0: no IPv4 address assigned > > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size > 65535 > > bytes > > ^C2 packets captured > > 4 packets received by filter > > 0 packets dropped by kernel > > root@atena:~# tcpdump -r dns.dump > > reading from file dns.dump, link-type EN10MB (Ethernet) > > 09:27:36.961325 IP atena.nti.ufpb.br.53124 > > rt-dq.quimica.ufpb.br.domain: 47498+ A? rt-dq.quimica.ufpb.br. (39) > > 09:27:36.964252 IP rt-dq.quimica.ufpb.br.domain > > atena.nti.ufpb.br.53124: 47498*- 1/3/0 A 150.165.145.1 (107) > > > > ** WITHOUT -w (8 packets captured): > > root@atena:~# tcpdump -pi eth0 port 53 > > tcpdump: WARNING: eth0: no IPv4 address assigned > > tcpdump: verbose output suppressed, use -v or -vv for full protocol > decode > > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes > > 09:28:46.192113 IP atena.nti.ufpb.br.44510 > > rt-dq.quimica.ufpb.br.domain: 43490+ A? rt-dq.quimica.ufpb.br. (39) > > 09:28:46.193493 IP atena.nti.ufpb.br.48548 > > dns-cache-2.bbn.ufpb.br.domain: 13528+ PTR? 1.145.165.150.in-addr.arpa. (44) > > 09:28:46.193851 IP rt-dq.quimica.ufpb.br.domain > > atena.nti.ufpb.br.44510: 43490*- 1/3/0 A 150.165.145.1 (107) > > 09:28:46.194279 IP dns-cache-2.bbn.ufpb.br.domain > > atena.nti.ufpb.br.48548: 13528 1/2/3 PTR rt-dq.quimica.ufpb.br. (198) > > 09:28:46.194540 IP atena.nti.ufpb.br.41682 > > dns-cache-2.bbn.ufpb.br.domain: 33671+ PTR? 13.250.165.150.in-addr.arpa. > (45) > > 09:28:46.195187 IP dns-cache-2.bbn.ufpb.br.domain > > atena.nti.ufpb.br.41682: 33671 1/2/3 PTR atena.nti.ufpb.br. (195) > > 09:28:46.195462 IP atena.nti.ufpb.br.51372 > > dns-cache-2.bbn.ufpb.br.domain: 36444+ PTR? 3.255.165.150.in-addr.arpa. (44) > > 09:28:46.196094 IP dns-cache-2.bbn.ufpb.br.domain > > atena.nti.ufpb.br.51372: 36444 1/2/3 PTR dns-cache-2.bbn.ufpb.br. (200) > > As Michael Tuexen noted, those PTR queries and replies come from tcpdump > *itself* trying to look up the source and destination addresses of packets > it's seen and is trying to print - and, yes, it *is* supposed to behave > like that, if you're printing packets rather than writing their raw binary > content to a file, and if you haven't specified the "-n" flag to tell it > *not* to translate IP addresses to host names before printing packet > contents. > > > I also tried with tshark, and got the same 2 packets as when using tcpdum > > with -w: > > > > root@atena:~# tshark -pf "port 53" -i eth0 > > tshark: Lua: Error during loading: > > [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled > > Running as user "root" and group "root". This could be dangerous. > > Capturing on eth0 > > 0.000000 150.165.250.13 -> 150.165.145.1 DNS 85 Standard query A > rt-dq.quimica.ufpb.br > > 0.002514 150.165.145.1 -> 150.165.250.13 DNS 153 Standard query > response A 150.165.145.1 > > ^C2 packets captured > > You may have configured Wireshark not to do name resolution for > network-layer addresses; if so, that configuration also applies to TShark. > With that option, TShark will behave like "tcpdump -n" rather than like > "tcpdump" without "-n". (And, in fact, you can run TShark with a "-n" flag > to suppress name resolution even if your Wireshark configuration hasn't > disabled it.) > > _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers