Re: tcpdump question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

That filter will get you udp traffic on port 53 destined for
123.123.123.12.

This would be fine if 123.123.123.12 was your DNS server. However, it
sounds like you want to match queries for a external host from your
client to your DNS server.

If this is correct you need to inspect the payload of the packet to
match the query.

If you aren't familiar with writing complex filters, you have a few
alternatives:

use ngrep, something like:

ngrep -qitd eth0 'www.google.com' udp dst port 53

would do the trick

buy Network Intrusion Detection: An Analyst's Handbook, 2nd Edition
http://www.informit.com/bookstore/product.asp?isbn=0735710082&redir=1&rl=1

which will teach you how to write complex pcap filters. I would do this
anyway! It's a great book.

use ethereal/tethereal and use the Query Name filter, dns.qry.name, so
somthing like:
tethereal -i eth0 -s 1500 -R "dns.qry.name == www.google.com" udp dst
port 53

Hope this helps.

Cheers,
Harry

Ali Hamad wrote:
> Hello ,
> 
> I'm looking for help to write a tcpdump filter that only dumps dns queries
> that are looking for the hostname corresponding to the IP 123.123.123.12
> ...
> 
> I'm thinking about something like :
> tcpdump udp dst 123.123.123.12 port 53 ,
> but I'm not sure if it is correct .. any ideas and/or assistance are highly
> appreciated,
> 
> Thanks,

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux