Need Help with this TCPDUMP output...

Hello everyone, so I'm getting this tcpdump, and it looks like... quite a mess... Can anyone decipher this? I can tell that one IP is requesting DNS info, but I'm having trouble finding out what some of the fields actually mean.

19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313 243/2/7 SOA, A 204.46.43.46, A 204.46.43.47, A 204.46.43.48, A 204.46.43.49, A 204.46.43.50, A 204.46.43.51, A 204.46.43.52, A 204.46.43.53, A 204.46.43.54, A 204.46.43.55, A 204.46.43.56, A 204.46.43.57, A 204.46.43.58, A 204.46.43.59, A 204.46.43.60, A 204.46.43.61, A 204.46.43.62, A 204.46.43.63, A 204.46.43.64, A 204.46.43.65

I know the first set of numbers is the time stamp... the 2nd is the IP address... and the next is the destination IP... with the port number after the semicolon. What comes next, the '243/2/7', is what confuses me... I know SOA is the start of authority, but what does it all mean together? I have a huge flood of traffic with this type of output... Can someone break this down for me?

The port number is not after a semicolon. The ports are in red below:

66.81.1.252.53 > 64.147.113.139.28638

The rest I have to look at the tcpdump source for. I didn't see much explained in documentation.

The next number, 52313, is the DNS query ID, which is used to differentiate queries. During the request this can be followed by a + or % to mean the Recursion Disabled and Check Disabled bits are set, respectively. There are a few symbols that can be sent with the reply as well: AA*, RA-, TC|, AD$. Will have to look at the DNS RFC for those meanings.

What I was really curious about is that #/#/#. That seems to be the reply counts: AN/NS/AR (Answer, Nameserver, Additional Records).

The SOA record isn't really printed, just the fact that it was in there, as "SOA"; then come all the A records, which you see are the associated IPs.

Lastly, you should have seen a (#), which would be the total length.
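A small parser for this line format, added here as an example (it is not code from the thread or from tcpdump itself). It follows the field breakdown in the reply above: query ID, the flag symbols, the AN/NS/AR counts, the record list and the optional (length), with the flag-character meanings taken from tcpdump's print-domain.c. It assumes tcpdump -n output over IPv4; the NXDomain line is constructed for illustration.

```python
import re

# Reply-side flag characters tcpdump prints right after the query ID (print-domain.c):
# '*' AA set, '-' RA clear, '|' TC set, '$' AD set, '%' CD set.
FLAG_CHARS = {"*": "AA", "-": "no-RA", "|": "TC", "$": "AD", "%": "CD"}

# One tcpdump line for a UDP DNS reply. Assumes numeric output (-n) and IPv4 addresses.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<qid>\d+)(?P<flags>[*|$%-]*)\s+(?:(?P<rcode>[A-Za-z]+\d*)\s+)?(?:\[\d+q\]\s+)?"
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)\s*(?P<records>.*?)\s*(?:\((?P<length>\d+)\))?$"
)

# The line from the original post.
SAMPLE = (
    "19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313 243/2/7 SOA, "
    "A 204.46.43.46, A 204.46.43.47, A 204.46.43.48, A 204.46.43.49, A 204.46.43.50, "
    "A 204.46.43.51, A 204.46.43.52, A 204.46.43.53, A 204.46.43.54, A 204.46.43.55, "
    "A 204.46.43.56, A 204.46.43.57, A 204.46.43.58, A 204.46.43.59, A 204.46.43.60, "
    "A 204.46.43.61, A 204.46.43.62, A 204.46.43.63, A 204.46.43.64, A 204.46.43.65"
)
# Constructed line: authoritative reply with RA clear, rcode NXDomain, and the (length) at the end.
NXDOMAIN_SAMPLE = "19:44:51.000102 IP 10.0.0.53.53 > 10.0.0.7.40001: 1234*- NXDomain 0/1/0 (98)"


def parse_dns_reply(line):
    """Split one tcpdump DNS reply line into the fields the thread asks about."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump DNS reply line: %r" % line)
    records = []
    for item in filter(None, m["records"].split(", ")):
        rtype, _, value = item.partition(" ")  # "SOA" alone vs. "A 204.46.43.46"
        records.append((rtype, value or None))
    return {
        "time": m["ts"], "src": (m["src"], int(m["sport"])), "dst": (m["dst"], int(m["dport"])),
        "query_id": int(m["qid"]),
        "flags": [FLAG_CHARS[c] for c in m["flags"]],
        "rcode": m["rcode"] or "NoError",  # tcpdump prints no rcode when it is NoError
        "counts": {"an": int(m["an"]), "ns": int(m["ns"]), "ar": int(m["ar"])},
        "records": records,
        "length": int(m["length"]) if m["length"] else None,
    }


def unprinted_answers(reply):
    """Answer records the header counts but tcpdump did not print (the printed list
    stops when the captured bytes run out): 243 counted vs. 21 shown in SAMPLE."""
    return reply["counts"]["an"] - len(reply["records"])
```

Run it over a capture's text output line by line and the AN/NS/AR counts, flags and rcode become fields you can filter or count on instead of reading by eye.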

Thanks for the reply! So what is this query asking for? Is it asking for a complete list of A records for a certain domain? Are all those A record IPs actually pointing to something?

Look up a tool called NetWitness - you can import your packet captures and really drill down into them - it's readable and actually rebuilds text, images, emails etc., so you don't have a lot of cryptic data to sort through.

I'd say it's not a query but the answer from a DNS server holding all the A records for a domain that has been queried.