On Thu, Sep 6, 2018 at 5:56 PM John W. Blue <john.b...@rrcic.com> wrote:
>
> So that file is full of nothing but queries and no responses which, sadly, is
> useless.
>
> Run:
>
> tcpdump -s0 -n -i eth0 port domain -w /tmp/domaincapture.pcap
>
> You don't need all of the extra stuff because -s0 captures the full packet.

This is the command I ran to produce the pcap file I sent:

# tcpdump -s0 -vv -i eth0 -nn -w domain-capture-eth0-090518.pcap udp dst port domain

I have a few other pcap files here. Can you tell me the query you ran
in Wireshark to search for the SERVFAIL packets? Perhaps I can find
them here.

I have another that I just realized was running for quite a while and
has grown to 1.5GB until I just stopped it. I also have another that
was run with "-i any", but it's also quite large.

I'd otherwise probably have to wait until tomorrow to run it again, as
it appears to happen during periods of high traffic.

I should also mention that, while eth0 is the physical device, there
is a bridge set up to support virtual machines (none of which were
active). Hopefully that's not the reason! (real IP obscured).

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 68.195.XXX.45 netmask 255.255.255.248 broadcast 68.195.XXX.47
        inet6 fe80::16da:e9ff:fe97:ab71 prefixlen 64 scopeid 0x20<link>
        inet6 ::16da:e9ff:fe97:ab71 prefixlen 64 scopeid 0x0<global>
        ether 14:da:e9:97:ab:71 txqueuelen 1000 (Ethernet)
        RX packets 54953236 bytes 45182800578 (42.0 GiB)
        RX errors 0 dropped 231612 overruns 0 frame 0
        TX packets 68345276 bytes 33687959055 (31.3 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::16da:e9ff:fe97:ab71 prefixlen 64 scopeid 0x20<link>
        ether 14:da:e9:97:ab:71 txqueuelen 1000 (Ethernet)
        RX packets 61078845 bytes 46596159121 (43.3 GiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 68733541 bytes 34028363069 (31.6 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 16 memory 0xdf200000-df220000

Thanks,
Alex

>
> John
>
> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alex
> Sent: Thursday, September 06, 2018 2:54 PM
> To: bind-users@lists.isc.org
> Subject: Re: Frequent timeout
>
> On Thu, Sep 6, 2018 at 3:05 PM John W. Blue <john.b...@rrcic.com> wrote:
> >
> > Alex,
> >
> > Have you uploaded this pcap with the SERVFAIL's? I didn't have time to
> > look at your first upload but can review this one.
>
> Thanks very much. I've uploaded the pcap file here. It's about ~100MB
> compressed, and represents about 4hrs of data, I believe.
> https://drive.google.com/file/d/1KUpDoQ2zuz5ITeKuO0BhlK7JvWSUAG3B/view?usp=sharing
>
> Thanks,
> Alex
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
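Added example, not part of the original thread: a Python check that counts DNS queries, responses and SERVFAIL responses in a capture, showing why a file taken with "udp dst port domain" holds no responses to search. The function names and sample frames are constructed for illustration, and it assumes a classic little-endian pcap of Ethernet/IPv4/UDP frames.

```python
import struct

def summarize_dns(pcap: bytes) -> dict:
    """Count DNS queries/responses/SERVFAILs in a little-endian classic pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    stats = {"queries": 0, "responses": 0, "servfail": 0}
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                           # keep Ethernet/IPv4/UDP only
        udp = 14 + (frame[14] & 0x0F) * 4      # honour the IPv4 header length
        if len(frame) < udp + 20:
            continue                           # no room for UDP + DNS header
        sport, dport = struct.unpack_from("!HH", frame, udp)
        if 53 not in (sport, dport):
            continue
        flags = struct.unpack_from("!H", frame, udp + 10)[0]
        if flags & 0x8000:                     # QR bit set: this is a response
            stats["responses"] += 1
            # RCODE 2 is SERVFAIL (Wireshark display filter: dns.flags.rcode == 2)
            stats["servfail"] += int((flags & 0x000F) == 2)
        else:
            stats["queries"] += 1
    return stats

def _frame(sport, dport, flags):
    """Constructed sample frame: Ethernet + IPv4 + UDP + bare DNS header."""
    dns = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    udp = struct.pack("!4H", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    return bytes(12) + b"\x08\x00" + ip + udp

def _pcap(frames):  # constructed classic pcap, linktype 1 (Ethernet), zero timestamps
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<4I", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed traffic: two query/response pairs, one answered with SERVFAIL.
FRAMES = [_frame(40000, 53, 0x0100), _frame(53, 40000, 0x8182),
          _frame(40001, 53, 0x0100), _frame(53, 40001, 0x8180)]
BOTH_DIRECTIONS = _pcap(FRAMES)    # what "port domain" keeps
DST_ONLY = _pcap([f for f in FRAMES if f[36:38] == b"\x00\x35"])  # "udp dst port domain"

if __name__ == "__main__":
    print(summarize_dns(BOTH_DIRECTIONS), summarize_dns(DST_ONLY))
```

With the destination-only filter the response count is zero, so the SERVFAIL count is zero no matter how many failures occurred.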