[dns-operations] A quick question for my peers re: 'dnscap'

Robert Edmonds edmonds at mycre.ws
Fri Feb 2 20:08:17 UTC 2018

Jake Zack wrote:
> However, when I attempt to verify that I'm not leaking customer data, I see:
> [root at col01 scripts]# tcpdump -nr /tmp/col01.lhr.ca-servers.ca.20180202.185721.945211 not host and not host 2001:500:A7::2 |grep |head -5
> reading from file /tmp/col01.lhr.ca-servers.ca.20180202.185721.945211, link-type RAW (Raw IP)
> 13:57:22.020123 IP > udp
> 13:57:22.058056 IP > udp
> 13:57:22.192434 IP > udp
> 13:57:22.281961 IP > udp
> 13:57:22.317448 IP > udp
> If anyone can spot what I'm doing wrong, offer advice, and/or replicate my findings...please let me know.

Hi, Jake:

Why isn't tcpdump decoding those UDP packets with its DNS dissector? Are
those non-initial fragments?

Robert Edmonds
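
The check raised in the reply above, as an added example that is not part of the original thread: a non-initial IP fragment carries no UDP header, so there are no ports or DNS payload to decode, and this script counts such fragments in a link-type RAW capture. The function names and the sample capture (documentation addresses, two constructed packets) are assumptions made for illustration.

```python
import struct

RAW_LINKTYPES, UDP, IPV6_FRAG = {12, 101}, 17, 44   # DLT_RAW / LINKTYPE_RAW, IP protocol numbers

def frag_info(pkt):
    """Return (protocol, fragment offset in bytes) for a raw IPv4/IPv6 packet, else None."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20:
        return pkt[9], (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) * 8
    if version == 6 and len(pkt) >= 40:
        if pkt[6] == IPV6_FRAG and len(pkt) >= 48:   # fragment header right after the fixed header
            proto, _, off = struct.unpack("!BBH", pkt[40:44])
            return proto, off & 0xFFF8               # top 13 bits, already in units of 8 bytes
        return pkt[6], 0
    return None

def packets(pcap):
    """Yield packet bytes from a classic (microsecond) pcap file image with a raw-IP link type."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] not in RAW_LINKTYPES:
        raise ValueError("expected a classic pcap file with link-type RAW")
    pos = 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(order + "I", pcap[pos + 8:pos + 12])[0]
        yield pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen

def summarize(pcap):
    """Count UDP packets that carry a UDP header versus non-initial fragments that do not."""
    counts = {"udp_with_header": 0, "udp_non_initial_fragment": 0, "other": 0}
    for pkt in packets(pcap):
        info = frag_info(pkt)
        if info is None or info[0] != UDP:
            counts["other"] += 1
        else:
            counts["udp_non_initial_fragment" if info[1] else "udp_with_header"] += 1
    return counts

def sample_ipv4(frag_field, payload):   # constructed packet, RFC 5737 documentation addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_field, 64, UDP, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + payload

def sample_pcap(pkts):                  # constructed little-endian pcap image, link type 101
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)

SAMPLE = sample_pcap([sample_ipv4(0x2000, b"\x00\x35\xd4\x31\x05\xd0\x00\x00" + b"\x00" * 16),
                      sample_ipv4(0x00B9, b"\x00" * 24)])   # MF first fragment, then offset 1480
```

To run it against a real capture, pass the file's bytes to `summarize()`, for example `summarize(open(path, "rb").read())`.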
