[dns-operations] A quick question for my peers re: 'dnscap'

Robert Edmonds edmonds at mycre.ws
Fri Feb 2 20:08:17 UTC 2018


Jake Zack wrote:
> However, when I attempt to verify that I'm not leaking customer data, I see:
> [root at col01 scripts]# tcpdump -nr /tmp/col01.lhr.ca-servers.ca.20180202.185721.945211 not host 199.4.144.2 and not host 2001:500:A7::2 |grep 185.159.197.1 |head -5
> reading from file /tmp/col01.lhr.ca-servers.ca.20180202.185721.945211, link-type RAW (Raw IP)
> 13:57:22.020123 IP 185.159.197.100 > 188.166.18.244: udp
> 13:57:22.058056 IP 185.159.197.100 > 138.68.93.203: udp
> 13:57:22.192434 IP 185.159.197.100 > 207.154.216.38: udp
> 13:57:22.281961 IP 185.159.197.100 > 138.68.180.5: udp
> 13:57:22.317448 IP 185.159.197.100 > 138.68.180.5: udp
> 
> If anyone can spot what I'm doing wrong, offer advice, and/or replicate my findings...please let me know.

Hi, Jake:

Why isn't tcpdump decoding those UDP packets with its DNS dissector? Are
those non-initial fragments?

-- 
Robert Edmonds
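The question above hinges on one detail a capture reviewer can check directly: tcpdump only applies its DNS dissector when it can read a UDP header and see port 53, and a non-initial IPv4 fragment carries no UDP header at all. Such a fragment prints as a bare "udp" line, and a port-based BPF filter cannot match it either, so it slips past a "not port 53"-style exclusion. The script below is an added example for this thread, not code from the original post or from dnscap or tcpdump; it constructs three raw IPv4 packets with documentation addresses (a fragmented DNS reply and one unrelated UDP packet), parses the IP header the way a dissector would, and reports which packets a port-53 filter could ever see. The helper and field names are the example's own.

```python
"""Why a DNS capture can show bare "udp" lines.

Added example for this thread (not code from the original post or from
dnscap/tcpdump): tcpdump only runs its DNS dissector when it can read a UDP
header and see port 53.  A non-initial IPv4 fragment carries no UDP header,
so tcpdump prints a bare "udp" line and a port-based BPF filter cannot match
it either.  All packets below are constructed with documentation addresses.
"""
import socket
import struct

IPPROTO_UDP = 17


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ident, more_fragments, frag_offset, payload):
    """Build a minimal IPv4 packet; frag_offset is in bytes (multiple of 8)."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def classify(pkt):
    """Parse the IPv4 header and report what a port-53 filter could see."""
    (ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("IPv4 only in this example")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "ident": ident,
        "more_fragments": bool(flags_frag & 0x2000),   # MF flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,      # offset in bytes
        "udp_ports": None,
    }
    # Only an unfragmented packet or a first fragment carries the UDP header.
    if proto == IPPROTO_UDP and info["frag_offset"] == 0 and len(pkt) >= ihl + 8:
        info["udp_ports"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def tcpdump_style(info):
    """Approximate what tcpdump -n prints for the packet's transport part."""
    if info["proto"] != IPPROTO_UDP:
        return "ip-proto-%d" % info["proto"]
    if info["udp_ports"] is None:
        return "udp"  # no UDP header to dissect: the bare "udp" seen in the thread
    sport, dport = info["udp_ports"]
    kind = "DNS" if 53 in (sport, dport) else "UDP"
    return "%d > %d: %s" % (sport, dport, kind)


def leak_check(packets, dns_port=53):
    """Count what a 'port 53' filter would see versus what it would miss."""
    counts = {"dns_decodable": 0, "noninitial_fragments": 0, "other_udp": 0}
    for pkt in packets:
        info = classify(pkt)
        if info["proto"] != IPPROTO_UDP:
            continue
        if info["frag_offset"] > 0:
            counts["noninitial_fragments"] += 1   # invisible to any port filter
        elif info["udp_ports"] and dns_port in info["udp_ports"]:
            counts["dns_decodable"] += 1
        else:
            counts["other_udp"] += 1
    return counts


def sample_capture():
    """Constructed packets: a fragmented DNS reply plus one unrelated UDP packet."""
    dns_data = b"\x12\x34\x81\x80" + b"\x00" * 12              # fake DNS header, 16 bytes
    udp_hdr = struct.pack("!HHHH", 53, 40000, 8 + 16 + 24, 0)  # UDP length spans both fragments
    first = build_ipv4("192.0.2.53", "198.51.100.7", IPPROTO_UDP, 0x1111,
                       True, 0, udp_hdr + dns_data)            # first fragment, 24-byte payload
    second = build_ipv4("192.0.2.53", "198.51.100.7", IPPROTO_UDP, 0x1111,
                        False, 24, b"\xAB" * 24)               # non-initial fragment, no UDP header
    ntp = build_ipv4("192.0.2.53", "198.51.100.9", IPPROTO_UDP, 0x2222,
                     False, 0, struct.pack("!HHHH", 123, 123, 8 + 4, 0) + b"\x00" * 4)
    return [first, second, ntp]


if __name__ == "__main__":
    for pkt in sample_capture():
        info = classify(pkt)
        print(info["src"], ">", info["dst"], tcpdump_style(info))
    print(leak_check(sample_capture()))
```

Running it prints one decoded DNS line, one bare "udp" line for the second fragment, and the NTP packet as plain UDP; the "noninitial_fragments" count is the part of a capture that a port-based exclusion filter never inspects, which is the first thing to verify when checking a dnscap output file for data that was supposed to be filtered out. Real captures should be checked with the same header fields (IP ident, MF flag, fragment offset) rather than with a port filter alone.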
