On Thu, Sep 6, 2018 at 5:56 PM John W. Blue <john.b...@rrcic.com> wrote:
So that file is full of nothing but queries and no responses which, sadly, is 
useless.

Run:

tcpdump -s0 -n -i eth0 port domain -w /tmp/domaincapture.pcap

You don't need all of the extra stuff because -s0 captures the full packet.

On 06.09.18 18:42, Alex wrote:
This is the command I ran to produce the pcap file I sent:

# tcpdump -s0 -vv -i eth0 -nn -w domain-capture-eth0-090518.pcap udp dst port domain

and that is the problem. "dst port domain" captures packets going to DNS
servers, not responses coming back.

"-vv" and "-nn" are useless when producing a packet capture, and "-s0" has been
the default for some time. I often add "-U" so the file is flushed with each packet.

You can strip incoming queries by using the filter

"(src host 68.195.XXX.45 and dst port domain) or (src port domain and dst host 68.195.XXX.45)"

I should also mention that, while eth0 is the physical device, there
is a bridge set up to support virtual machines (none of which were
active). Hopefully that's not the reason! (real IP obscured).

Not the reason, but using "-i br0" could be safer then.

Note that the IP was seen in the packet capture you have published; there is no
need to hide it now.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
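The check a reader would want before sending a capture off for analysis, as an added example that is not part of the thread: build a constructed pcap holding one DNS query and its reply (addresses are documentation placeholders, not the poster's real host), apply the equivalent of the "udp dst port domain" filter, and count queries versus responses by the DNS QR bit to confirm that the one-directional filter drops every reply.

```python
import struct

def dns_packet(src, dst, sport, dport, txid, response):
    """Constructed Ethernet+IPv4+UDP+DNS frame (checksums left zero)."""
    flags = 0x8180 if response else 0x0100        # QR bit set on replies
    dns = struct.pack(">HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    dns += b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)  # A IN
    if response:
        dns += struct.pack(">HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    udp = struct.pack(">HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src, dst) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip       # zero MACs, EtherType IPv4

def pcap_bytes(packets):
    """Serialize frames as a classic little-endian pcap file (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1536000000 + i, 0, len(p), len(p)) + p
    return out

def dst_port_domain(pkt):
    """Same selection as the capture filter 'udp dst port domain' (IPv4 only)."""
    ihl = (pkt[14] & 0x0F) * 4
    dport = struct.unpack(">H", pkt[14 + ihl + 2:14 + ihl + 4])[0]
    return pkt[23] == 17 and dport == 53

def count_dns(pcap):
    """Return (queries, responses) for UDP/53 packets in a pcap byte string."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off, queries, responses = 24, 0, 0
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
            continue                                # not IPv4/UDP
        udp = pkt[14 + (pkt[14] & 0x0F) * 4:]
        if 53 not in struct.unpack(">HH", udp[:4]):
            continue                                # not DNS traffic
        if struct.unpack(">H", udp[10:12])[0] & 0x8000:
            responses += 1
        else:
            queries += 1
    return queries, responses

def demo():
    """Compare the one-directional filter with an unfiltered capture."""
    host, resolver = bytes([192, 0, 2, 45]), bytes([192, 0, 2, 53])  # constructed
    pkts = [dns_packet(host, resolver, 40001, 53, 0x1234, False),
            dns_packet(resolver, host, 53, 40001, 0x1234, True)]
    only_dst = pcap_bytes([p for p in pkts if dst_port_domain(p)])
    return count_dns(only_dst), count_dns(pcap_bytes(pkts))
```

A capture that comes back with a non-zero query count and zero responses was taken with a filter like the one Alex used, and needs to be redone.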

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
