RE: command line ID vs Wireshark transaction ID (dns.id)
> What nameserver addresses are listed in /etc/resolv.conf?

So. resolv.conf has the non-RFC1918 ip addresses commented out *and* loopback is the only one enabled. Lovely.

I decided to leave it as is and retested with:

    # tcpdump -n -i lo0 -s0 port domain
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
    08:50:55.837412 IP 127.0.0.1.17709 > 127.0.0.1.53: 59248+ A? www.airnav.com. (32)
    08:50:56.019525 IP 127.0.0.1.53 > 127.0.0.1.17709: 59248 1/3/6 A 206.125.168.131 (247)

Wireshark hex transaction id converts to decimal for a successful match.

Thanks for the help Mark!

John

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
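Added example, not part of the original thread: a small Python script that takes the decimal ID from dig's header line, builds the equivalent Wireshark `dns.id` display filter in hex, and picks the matching query and response out of `tcpdump -n` text output. The dig header line and the third tcpdump line are constructed sample input; the function names are this example's own.

```python
import re

# dig prints the 16-bit DNS ID in decimal; Wireshark shows the same field in hex.
DIG_ID = re.compile(r"->>HEADER<<-.*\bid:\s*(\d+)")
# tcpdump -n line: "<time> IP <src>.<port> > <dst>.<port>: <id><flags> <rest>"
TCPDUMP_DNS = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<flags>[^\s\d]*)\s+(?P<rest>.*)$"
)

def dig_id(dig_output):
    """Return the transaction ID from dig's ->>HEADER<<- line as an int."""
    m = DIG_ID.search(dig_output)
    if not m or not 0 <= int(m.group(1)) <= 0xFFFF:
        raise ValueError("no valid 16-bit DNS ID in dig output")
    return int(m.group(1))

def wireshark_filter(txid):
    """Display filter selecting the query and response with this ID."""
    return f"dns.id == 0x{txid:04x}"

def matching_packets(txid, tcpdump_lines):
    """Return (timestamp, kind) for tcpdump DNS lines carrying this ID."""
    hits = []
    for line in tcpdump_lines:
        m = TCPDUMP_DNS.match(line.strip())
        if m and int(m.group("id")) == txid:
            # Responses start with answer/authority/additional counts, e.g. 1/3/6.
            kind = "response" if re.match(r"\d+/\d+/\d+", m.group("rest")) else "query"
            hits.append((m.group("ts"), kind))
    return hits

# Constructed dig header line (the thread does not show the dig output for this ID).
SAMPLE_DIG = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59248"
SAMPLE_TCPDUMP = [
    # The two lines from the tcpdump capture quoted in the thread.
    "08:50:55.837412 IP 127.0.0.1.17709 > 127.0.0.1.53: 59248+ A? www.airnav.com. (32)",
    "08:50:56.019525 IP 127.0.0.1.53 > 127.0.0.1.17709: 59248 1/3/6 A 206.125.168.131 (247)",
    # Constructed unrelated query with ID 6822 (0x1aa6), a different packet.
    "08:50:57.000001 IP 127.0.0.1.17710 > 127.0.0.1.53: 6822+ A? example.com. (29)",
]

if __name__ == "__main__":
    txid = dig_id(SAMPLE_DIG)
    print(txid, wireshark_filter(txid))
    for ts, kind in matching_packets(txid, SAMPLE_TCPDUMP):
        print(ts, kind)
```

An ID that matches no line in the capture means the capture does not contain the packet dig displayed, for example because it was taken on a different interface.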
RE: command line ID vs Wireshark transaction ID (dns.id)
strange : by me it looks like ... : 43350 = 0xa956

    >/usr/bin/dig www.google.ch

    ; <<>> DiG 9.10.3-P4-Debian <<>> www.google.ch
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43350
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    >tshark -V -f 'port 53'
    ...
    Domain Name System (response)
        [Request In: 1]
        [Time: 0.001247378 seconds]
        Transaction ID: 0xa956
        Flags: 0x8180 Standard query response, No error
            1... = Response: Me .

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
Sent: Friday, 11 August 2017 02:26
To: John W. Blue <john.b...@rrcic.com>
Cc: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: command line ID vs Wireshark transaction ID (dns.id)

In message <af76af2d3ad8445cbc54a01357791...@mail.rrcic.com>, "John W. Blue" writes:
> I have been trying to correlate the ID value returned via a command
> line query here:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60796
>
> to a "transaction ID" found in wireshark when it dissects the packet
> found here:
>
> Transaction ID: 0x1aa6
>
> without any success because 0x1aa6 does not hex > dec convert to 60796.
>
>
> I am clearly missing something here because wireshark can tie the
> query and response together into a stream.
>
> Thoughts?

Apply Occam's razor. The packet in wireshark is not the packet DiG displayed.

> John

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: command line ID vs Wireshark transaction ID (dns.id)
In message, "John W. Blue" writes:
> I have been trying to correlate the ID value returned via a command line
> query here:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60796
>
> to a "transaction ID" found in wireshark when it dissects the packet
> found here:
>
> Transaction ID: 0x1aa6
>
> without any success because 0x1aa6 does not hex > dec convert to 60796.
>
>
> I am clearly missing something here because wireshark can tie the query
> and response together into a stream.
>
> Thoughts?

Apply Occam's razor. The packet in wireshark is not the packet DiG displayed.

> John

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
RE: command line ID vs Wireshark transaction ID (dns.id)
Forgot to add a screenshot:

http://www.rfmapping.com/transactionid.png

Thanks!

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John W. Blue
Sent: Thursday, August 10, 2017 6:07 PM
To: bind-users@lists.isc.org
Subject: command line ID vs Wireshark transaction ID (dns.id)

I have been trying to correlate the ID value returned via a command line query here:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60796

to a "transaction ID" found in wireshark when it dissects the packet found here:

    Transaction ID: 0x1aa6

without any success because 0x1aa6 does not hex > dec convert to 60796.

I am clearly missing something here because wireshark can tie the query and response together into a stream.

Thoughts?

John