Need Help with this TCPDUMP output...
#1  01-24-2014
Lost in Cyberia
Registered User
Join Date: Jun 2013
Last Activity: 14 September 2016, 6:27 PM EDT
Posts: 58
Thanks: 5
Thanked 0 Times in 0 Posts
Need Help with this TCPDUMP output...

Hello everyone, so I'm getting this tcpdump, and it looks like... quite a mess. Can anyone decipher this? I can tell that one IP is requesting DNS info, but I'm having trouble finding out what some of the fields actually mean.


Code:
19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313 243/2/7 SOA, A 204.46.43.46, A 204.46.43.47, A 204.46.43.48, A 204.46.43.49, A 204.46.43.50, A 204.46.43.51, A 204.46.43.52, A 204.46.43.53, A 204.46.43.54, A 204.46.43.55, A 204.46.43.56, A 204.46.43.57, A 204.46.43.58, A 204.46.43.59, A 204.46.43.60, A 204.46.43.61, A 204.46.43.62, A 204.46.43.63, A 204.46.43.64, A 204.46.43.65

I know the first set of numbers is the time stamp, the 2nd is the IP address, and the next is the destination IP, with the port number after the semicolon. What comes next, the '243/2/7', is what confuses me. I know SOA is the start of authority, but what does it all mean together? I have a huge flood of traffic with this type of output. Can someone break this down for me?
#2  01-25-2014
neutronscott (Forum Advisor)
script kiddie
Join Date: Jun 2011
Last Activity: 14 March 2017, 1:41 PM EDT
Location: South Carolina, USA
Posts: 939
Thanks: 31
Thanked 301 Times in 280 Posts
The port number is not after a semicolon. The ports are in red below:


Code:
66.81.1.252.53 > 64.147.113.139.28638

The rest I have to look at the tcpdump source for. I didn't see much explained in documentation.

The next number, 52313 is the DNS query ID which is used to differentiate queries. During the request this can be followed by a + or % to mean Recursion Disabled and Check Disabled bits are set, respectively. There are a few symbols that can be sent with the reply as well: AA*, RA-, TC|, AD$. Will have to look at the DNS RFC for those meanings.

What I was really curious about is that #/#/#. That seems to be the reply counts: AN/NS/AR (Answer, Nameserver, Additional Records).

The SOA record isn't really printed, just that it was in there, as "SOA", then all the A records which you see are the IPs associated.

Lastly you should have seen a (#) which would be the total length.
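As an added example (not code from the thread, from tcpdump, or from the forum), here is a small Python parser that applies the breakdown above to tcpdump's one-line DNS summary: timestamp, source and destination with the port as the last dotted component, query ID plus flag characters, the AN/NS/AR counts that only replies carry, the printed record list, and the optional trailing length. The flag meanings in the code come from the tcpdump man page (there, '+' is "recursion desired"). The reply line is the one posted in this thread; the query line and the name example.com are constructed for the example, and the 50-answer threshold in is_oversized_reply is an arbitrary value chosen to show how a defender could flag unusually large responses when reviewing a flood of such output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Layout of tcpdump's one-line DNS summary, matching the breakdown above:
#   TIMESTAMP IP SRC.SPORT > DST.DPORT: ID[flags] [rcode] [AN/NS/AR] RECORDS [(LEN)]
# Replies carry the AN/NS/AR section counts, queries do not. The trailing (LEN)
# is optional here only because the line posted in the thread lacks it.
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)(?P<flags>[+%*|$-]*)"
    r"(?: (?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp|NotAuth|NotZone))?"
    r"(?: (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))?"
    r"(?P<body>.*?)(?: \((?P<len>\d+)\))?$"
)

# Meaning of the flag characters tcpdump prints right after the query ID
# (from the tcpdump man page; '+' is "recursion desired", not "disabled").
FLAG_MEANING = {
    "+": "RD (recursion desired)",
    "%": "CD (checking disabled)",
    "*": "AA (authoritative answer)",
    "-": "RA (recursion available) not set",
    "|": "TC (truncated)",
    "$": "AD (authenticated data)",
}


@dataclass
class DnsSummary:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    query_id: int
    flags: List[str]
    is_reply: bool
    rcode: Optional[str]
    counts: Optional[Tuple[int, int, int]]  # (answer, authority, additional)
    records: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    length: Optional[int] = None


def parse_dns_line(line: str) -> DnsSummary:
    """Parse one tcpdump DNS summary line into its fields."""
    m = _LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a tcpdump DNS summary line: {line!r}")
    is_reply = m["an"] is not None  # only replies print the AN/NS/AR counts
    counts = (int(m["an"]), int(m["ns"]), int(m["ar"])) if is_reply else None
    # Each printed record is "TYPE" or "TYPE data"; records are ", "-separated.
    records: List[Tuple[str, Optional[str]]] = []
    body = m["body"].strip()
    if body:
        for item in body.split(", "):
            rtype, _, data = item.partition(" ")
            records.append((rtype, data or None))
    return DnsSummary(
        ts=m["ts"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), query_id=int(m["id"]),
        flags=[FLAG_MEANING.get(c, f"unknown {c!r}") for c in m["flags"]],
        is_reply=is_reply, rcode=m["rcode"], counts=counts, records=records,
        length=int(m["len"]) if m["len"] else None,
    )


def a_records(s: DnsSummary) -> List[str]:
    """Addresses carried by the A records tcpdump printed for this packet."""
    return [data for rtype, data in s.records if rtype == "A" and data]


def is_oversized_reply(s: DnsSummary, max_answers: int = 50) -> bool:
    """Flag replies whose answer count exceeds a threshold (50 is an arbitrary
    example value for this demo, not a tcpdump or RFC number)."""
    return s.is_reply and s.counts is not None and s.counts[0] > max_answers


# The reply line from the original post (the 20 A records are 204.46.43.46-65).
SAMPLE_REPLY = (
    "19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313 243/2/7 SOA, "
    + ", ".join(f"A 204.46.43.{i}" for i in range(46, 66))
)
# A matching query line, constructed for this example (the thread shows no
# query; example.com is a placeholder name).
SAMPLE_QUERY = ("19:44:50.701234 IP 64.147.113.139.28638 > 66.81.1.252.53: "
                "52313+ A? example.com. (29)")

if __name__ == "__main__":
    for line in (SAMPLE_QUERY, SAMPLE_REPLY):
        s = parse_dns_line(line)
        kind = "reply" if s.is_reply else "query"
        print(f"{s.ts} {kind} id={s.query_id} flags={s.flags} counts={s.counts} "
              f"records_printed={len(s.records)} a_records={len(a_records(s))} "
              f"oversized={is_oversized_reply(s)}")
```

Run as-is it prints one summary per sample line; to apply it to a real capture, feed it the lines of `tcpdump -n udp port 53` and skip any line that raises ValueError (tcpdump prints other formats for non-DNS and fragmented traffic). Note that the posted reply claims 243 answers but only 21 records are printed, so comparing `counts[0]` with `len(records)` is a useful sanity check when a capture seems incomplete.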
#3  01-25-2014
Lost in Cyberia
Registered User
Join Date: Jun 2013
Last Activity: 14 September 2016, 6:27 PM EDT
Posts: 58
Thanks: 5
Thanked 0 Times in 0 Posts
Thanks for the reply! So what is this query asking for? Is it asking for a complete list of A records for a certain domain? Are all those A record IPs actually pointing to something?
#4  07-02-2014
1to1riskcontrol
Registered User
Join Date: Jul 2014
Last Activity: 2 July 2014, 11:14 PM EDT
Location: Oklahoma City
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
You look up a tool called netwitness - you can import your packet captures and really drill down into them - it's readable and actually rebuilds text, images, emails etc., so you don't have a lot of cryptic data to sort through.
#5  07-03-2014
RudiC (Forum Staff, Moderator)
Join Date: Jul 2012
Last Activity: 29 March 2017, 3:55 PM EDT
Location: Aachen, Germany
Posts: 10,558
Thanks: 257
Thanked 3,234 Times in 2,981 Posts
I'd say it's not a query but the answer from a DNS server holding all the A records for a domain that has been queried.