Thanks, everyone!
I can see it clearly now.

2013/7/1 Guy Harris <g...@alum.mit.edu>

>
> On Jul 1, 2013, at 6:32 AM, Téssio Fechine <tess...@gmail.com> wrote:
>
> > Hello,
> > I was trying to analyze the traffic generated by this command:
> >
> > root@atena:~# dig  rt-dq.quimica.ufpb.br @150.165.145.1
> >
> > But I noticed that when the option '-w file' was not used, the tcpdump
> > capture changed:
> >
> > ** WITH -w (2 packets captured):
> > root@atena:~# tcpdump -pi eth0 port 53 -w dns.dump
> > tcpdump: WARNING: eth0: no IPv4 address assigned
> > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> > ^C2 packets captured
> > 4 packets received by filter
> > 0 packets dropped by kernel
> > root@atena:~# tcpdump -r dns.dump
> > reading from file dns.dump, link-type EN10MB (Ethernet)
> > 09:27:36.961325 IP atena.nti.ufpb.br.53124 > rt-dq.quimica.ufpb.br.domain: 47498+ A? rt-dq.quimica.ufpb.br. (39)
> > 09:27:36.964252 IP rt-dq.quimica.ufpb.br.domain > atena.nti.ufpb.br.53124: 47498*- 1/3/0 A 150.165.145.1 (107)
> >
> > ** WITHOUT -w (8 packets captured):
> > root@atena:~# tcpdump -pi eth0 port 53
> > tcpdump: WARNING: eth0: no IPv4 address assigned
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 09:28:46.192113 IP atena.nti.ufpb.br.44510 > rt-dq.quimica.ufpb.br.domain: 43490+ A? rt-dq.quimica.ufpb.br. (39)
> > 09:28:46.193493 IP atena.nti.ufpb.br.48548 > dns-cache-2.bbn.ufpb.br.domain: 13528+ PTR? 1.145.165.150.in-addr.arpa. (44)
> > 09:28:46.193851 IP rt-dq.quimica.ufpb.br.domain > atena.nti.ufpb.br.44510: 43490*- 1/3/0 A 150.165.145.1 (107)
> > 09:28:46.194279 IP dns-cache-2.bbn.ufpb.br.domain > atena.nti.ufpb.br.48548: 13528 1/2/3 PTR rt-dq.quimica.ufpb.br. (198)
> > 09:28:46.194540 IP atena.nti.ufpb.br.41682 > dns-cache-2.bbn.ufpb.br.domain: 33671+ PTR? 13.250.165.150.in-addr.arpa. (45)
> > 09:28:46.195187 IP dns-cache-2.bbn.ufpb.br.domain > atena.nti.ufpb.br.41682: 33671 1/2/3 PTR atena.nti.ufpb.br. (195)
> > 09:28:46.195462 IP atena.nti.ufpb.br.51372 > dns-cache-2.bbn.ufpb.br.domain: 36444+ PTR? 3.255.165.150.in-addr.arpa. (44)
> > 09:28:46.196094 IP dns-cache-2.bbn.ufpb.br.domain > atena.nti.ufpb.br.51372: 36444 1/2/3 PTR dns-cache-2.bbn.ufpb.br. (200)
>
> As Michael Tuexen noted, those PTR queries and replies come from tcpdump
> *itself* trying to look up the source and destination addresses of packets
> it's seen and is trying to print - and, yes, it *is* supposed to behave
> like that, if you're printing packets rather than writing their raw binary
> content to a file, and if you haven't specified the "-n" flag to tell it
> *not* to translate IP addresses to host names before printing packet
> contents.
>
> > I also tried with tshark, and got the same 2 packets as when using tcpdump with -w:
> >
> > root@atena:~# tshark -pf "port 53" -i eth0
> > tshark: Lua: Error during loading:
> > [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
> > Running as user "root" and group "root". This could be dangerous.
> > Capturing on eth0
> >  0.000000 150.165.250.13 -> 150.165.145.1 DNS 85 Standard query A rt-dq.quimica.ufpb.br
> >  0.002514 150.165.145.1 -> 150.165.250.13 DNS 153 Standard query response A 150.165.145.1
> > ^C2 packets captured
>
> You may have configured Wireshark not to do name resolution for
> network-layer addresses; if so, that configuration also applies to TShark.
>  With that option, TShark will behave like "tcpdump -n" rather than like
> "tcpdump" without "-n".  (And, in fact, you can run TShark with a "-n" flag
> to suppress name resolution even if your Wireshark configuration hasn't
> disabled it.)
>
>
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
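The diagnosis above, as an added example that is not from the thread or from the tcpdump project: a small Python parser over the eight tcpdump lines quoted in the thread that separates the DNS traffic under study from the PTR lookups tcpdump itself generated while resolving addresses for display. It assumes tcpdump's default text output format for DNS; the classification rule (a PTR transaction whose reversed address or returned name is already an endpoint of the same capture) is a heuristic chosen here, not anything tcpdump does.

```python
import re
from collections import namedtuple

# The eight packets tcpdump printed in the thread (captured without -n), one per line.
CAPTURE = """\
09:28:46.192113 IP atena.nti.ufpb.br.44510 > rt-dq.quimica.ufpb.br.domain: 43490+ A? rt-dq.quimica.ufpb.br. (39)
09:28:46.193493 IP atena.nti.ufpb.br.48548 > dns-cache-2.bbn.ufpb.br.domain: 13528+ PTR? 1.145.165.150.in-addr.arpa. (44)
09:28:46.193851 IP rt-dq.quimica.ufpb.br.domain > atena.nti.ufpb.br.44510: 43490*- 1/3/0 A 150.165.145.1 (107)
09:28:46.194279 IP dns-cache-2.bbn.ufpb.br.domain > atena.nti.ufpb.br.48548: 13528 1/2/3 PTR rt-dq.quimica.ufpb.br. (198)
09:28:46.194540 IP atena.nti.ufpb.br.41682 > dns-cache-2.bbn.ufpb.br.domain: 33671+ PTR? 13.250.165.150.in-addr.arpa. (45)
09:28:46.195187 IP dns-cache-2.bbn.ufpb.br.domain > atena.nti.ufpb.br.41682: 33671 1/2/3 PTR atena.nti.ufpb.br. (195)
09:28:46.195462 IP atena.nti.ufpb.br.51372 > dns-cache-2.bbn.ufpb.br.domain: 36444+ PTR? 3.255.165.150.in-addr.arpa. (44)
09:28:46.196094 IP dns-cache-2.bbn.ufpb.br.domain > atena.nti.ufpb.br.51372: 36444 1/2/3 PTR dns-cache-2.bbn.ufpb.br. (200)
""".splitlines()

Pkt = namedtuple("Pkt", "ts src dst txid is_query rtype name")
# ts, src, dst, txid, [flags], [ans/auth/add counts], record type, '?' for queries, name or address
LINE_RE = re.compile(r"^(\S+) IP6? (\S+) > (\S+): (\d+)\S* (?:\d+/\d+/\d+ )?(\w+)(\??) (\S+)")

def parse_line(line):
    """Parse one tcpdump DNS summary line; return None for lines that are not DNS."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, txid, rtype, qmark, name = m.groups()
    # 'host.53124' / 'host.domain' -> 'host'; trailing dot dropped from names
    return Pkt(ts, src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0], txid, qmark == "?", rtype, name.rstrip("."))

def arpa_to_ip(name):
    """'1.145.165.150.in-addr.arpa' -> '150.165.145.1'; None if not an IPv4 reverse name."""
    labels = name.split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))

def split_resolver_noise(lines):
    """Return (traffic, noise). A PTR transaction is noise when it resolves an address or
    name that is itself an endpoint of this capture: the capturing host's own lookups."""
    pkts = [p for p in map(parse_line, lines) if p]
    endpoints = {h for p in pkts for h in (p.src, p.dst)}
    ptr = {}                        # txid -> {'query': in-addr name, 'answer': host name}
    for p in pkts:
        if p.rtype == "PTR":
            ptr.setdefault(p.txid, {})["query" if p.is_query else "answer"] = p.name
    noisy = {txid for txid, tx in ptr.items()
             if arpa_to_ip(tx.get("query", "")) in endpoints or tx.get("answer") in endpoints}
    noise = [p for p in pkts if p.rtype == "PTR" and p.txid in noisy]
    traffic = [p for p in pkts if not (p.rtype == "PTR" and p.txid in noisy)]
    return traffic, noise
```

Running `split_resolver_noise(CAPTURE)` leaves the two A packets as traffic and flags the six PTR packets as resolver noise, which is exactly what the `-w` run and the `-n` flag would have shown.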
