Hi, That filter will get you udp traffic on port 53 destined for 123.123.123.12. This would be fine if 123.123.123.12 was your DNS server. However, it sounds like you want to match queries for a external host from your client to your DNS server. If this is correct you need to inspect the payload of the packet to match the query. If you aren't familiar with writing complex filters, you have a few alternatives: use ngrep, something like: ngrep -qitd eth0 'www.google.com' udp dst port 53 would do the trick buy Network Intrusion Detection: An Analyst's Handbook, 2nd Edition http://www.informit.com/bookstore/product.asp?isbn=0735710082&redir=1&rl=1 which will teach you how to write complex pcap filters. I would do this anyway! It's a great book. use ethereal/tethereal and use the Query Name filter, dns.qry.name, so somthing like: tethereal -i eth0 -s 1500 -R "dns.qry.name == www.google.com" udp dst port 53 Hope this helps. Cheers, Harry Ali Hamad wrote: > Hello , > > I'm looking for help to write a tcpdump filter that only dumps dns queries > that are looking for the hostname corresponding to the IP 123.123.123.12 > ... > > I'm thinking about something like : > tcpdump udp dst 123.123.123.12 port 53 , > but I'm not sure if it is correct .. any ideas and/or assistance are highly > appreciated, > > Thanks, -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list