RE: command line ID vs Wireshark transaction ID (dns.id)

2017-08-11 Thread John W. Blue


> What nameserver addresses are listed in /etc/resolv.conf?

So. 

resolv.conf has the non-RFC1918 ip addresses commented out *and* loopback is 
the only one enabled.

Lovely.  

I decided to leave it as is and retested with:

# tcpdump -n -i lo0 -s0 port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
08:50:55.837412 IP 127.0.0.1.17709 > 127.0.0.1.53: 59248+ A? www.airnav.com. (32)
08:50:56.019525 IP 127.0.0.1.53 > 127.0.0.1.17709: 59248 1/3/6 A 206.125.168.131 (247)

Wireshark hex transaction id converts to decimal for a successful match.

Thanks for the help Mark!

John
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
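An added example (not code from the thread or from BIND/Wireshark): a small Python parser over constructed DNS packets showing that dig and tcpdump print the 16-bit ID field in decimal while Wireshark prints the same field in hex, and how a response is paired with its query by ID plus question. The query ID 59248, the name www.airnav.com and the answer address are taken from the tcpdump output above; the packet bytes themselves are constructed here.

```python
import struct

# Constructed sample traffic (not captured from the thread): a query for
# www.airnav.com with ID 59248, RD set, and the matching response.

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(buf, off):
    """Decode an uncompressed name at buf[off]; returns (name, next_off)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_query(txid, qname):
    # Header: ID, flags (RD=0x0100), QDCOUNT=1, other counts 0; then QNAME, QTYPE A, QCLASS IN
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(query, ipv4):
    # Same ID and question; flags 0x8180 (QR, RD, RA); one A answer whose
    # name is a compression pointer (0xc00c) back to the question at offset 12.
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return hdr + query[12:] + rr

def parse_header(pkt):
    """The fields dig (id: decimal), tcpdump (decimal) and Wireshark (hex) each show."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, _ = decode_name(pkt, 12)
    return {"id": txid, "id_hex": f"0x{txid:04x}", "qr": bool(flags & 0x8000),
            "rd": bool(flags & 0x0100), "counts": (qd, an, ns, ar), "qname": qname}

def tcpdump_id(h):
    """tcpdump prints the ID in decimal; on a query it appends '+' when RD is set."""
    return f"{h['id']}{'+' if h['rd'] and not h['qr'] else ''}"

def same_transaction(query, response):
    """Pair a response with its query as a dissector or resolver does: QR clear on the
    query, set on the response, identical 16-bit ID and identical question name.
    The ID alone is only 16 bits, so a resolver also checks the UDP source port."""
    q, r = parse_header(query), parse_header(response)
    return (not q["qr"]) and r["qr"] and q["id"] == r["id"] and q["qname"] == r["qname"]
```

With the thread's numbers, 0x1aa6 is 6822, not 60796, so the two outputs in the original question were different packets, while 43350 and 0xa956 are the same value and the same packet.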


RE: command line ID vs Wireshark transaction ID (dns.id)

2017-08-11 Thread Philippe.Simonet
Strange: for me it looks like this: 43350 = 0xa956


>/usr/bin/dig www.google.ch
; <<>> DiG 9.10.3-P4-Debian <<>> www.google.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43350
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

>tshark -V -f  'port 53'
...
Domain Name System (response)
[Request In: 1]
[Time: 0.001247378 seconds]
Transaction ID: 0xa956
Flags: 0x8180 Standard query response, No error
1...    = Response: Me
.



-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark 
Andrews
Sent: vendredi, 11 août 2017 02:26
To: John W. Blue <john.b...@rrcic.com>
Cc: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: command line ID vs Wireshark transaction ID (dns.id)


In message <af76af2d3ad8445cbc54a01357791...@mail.rrcic.com>, "John W. Blue" writes:
> I have been trying to correlate the ID value returned via a command 
> line query here:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60796
>
> to a "transaction ID" found in wireshark when it dissects the packet 
> found here:
>
> Transaction ID: 0x1aa6
>
> without any success because 0x1aa6 does not hex > dec convert to 60796.
>
>
> I am clearly missing something here because wireshark can tie the 
> query and response together into a stream.
>
> Thoughts?

Apply Occam's razor.

The packet in wireshark is not the packet DiG displayed.

> John

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: command line ID vs Wireshark transaction ID (dns.id)

2017-08-10 Thread Mark Andrews

In message , "John W. Blue" writes:
> I have been trying to correlate the ID value returned via a command line
> query here:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60796
>
> to a "transaction ID" found in wireshark when it dissects the packet
> found here:
>
> Transaction ID: 0x1aa6
>
> without any success because 0x1aa6 does not hex > dec convert to 60796.
>
>
> I am clearly missing something here because wireshark can tie the query
> and response together into a stream.
>
> Thoughts?

Apply Occam's razor.

The packet in wireshark is not the packet DiG displayed.

> John

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


RE: command line ID vs Wireshark transaction ID (dns.id)

2017-08-10 Thread John W. Blue
Forgot to add a screenshot:

http://www.rfmapping.com/transactionid.png

Thanks!

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John W. 
Blue
Sent: Thursday, August 10, 2017 6:07 PM
To: bind-users@lists.isc.org
Subject: command line ID vs Wireshark transaction ID (dns.id)

I have been trying to correlate the ID value returned via a command line query 
here:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60796

to a "transaction ID" found in wireshark when it dissects the packet found here:

Transaction ID: 0x1aa6

without any success because 0x1aa6 does not hex > dec convert to 60796.


I am clearly missing something here because wireshark can tie the query and 
response together into a stream.

Thoughts?

John


