tcpdump question
Harry Hoffman
hhoffman at ip-solutions.net
Thu Sep 7 03:27:31 UTC 2006
Hi,
That filter will get you udp traffic on port 53 destined for
123.123.123.12.
This would be fine if 123.123.123.12 was your DNS server. However, it
sounds like you want to match queries for an external host from your
client to your DNS server.
If this is correct you need to inspect the payload of the packet to
match the query.
If you aren't familiar with writing complex filters, you have a few
alternatives:
use ngrep, something like:
ngrep -qitd eth0 'www.google.com' udp dst port 53
would do the trick
buy Network Intrusion Detection: An Analyst's Handbook, 2nd Edition
http://www.informit.com/bookstore/product.asp?isbn=0735710082&redir=1&rl=1
which will teach you how to write complex pcap filters. I would do this
anyway! It's a great book.
use ethereal/tethereal and use the Query Name filter, dns.qry.name, so
something like:
tethereal -i eth0 -s 1500 -R "dns.qry.name == www.google.com" udp dst port 53
Hope this helps.
Cheers,
Harry
Ali Hamad wrote:
> Hello ,
>
> I'm looking for help to write a tcpdump filter that only dumps dns queries
> that are looking for the hostname corresponding to the IP 123.123.123.12
> ...
>
> I'm thinking about something like :
> tcpdump udp dst 123.123.123.12 port 53 ,
> but I'm not sure if it is correct .. any ideas and/or assistance are highly
> appreciated,
>
> Thanks,
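The reply above says the answer is to inspect the packet payload, but does not show the tcpdump filter that does it. The following is an added example, not part of either message in the thread: it builds the BPF expression for a PTR query (the "what hostname belongs to 123.123.123.12" case in the original question) by encoding the reverse name 12.123.123.123.in-addr.arpa in DNS wire format and comparing it byte-for-byte with tcpdump's udp[offset:width] accessors, and then checks the same logic in Python against constructed UDP segments so the filter can be verified offline. The helper names (question_terms, bpf_matches, make_query) and the sample packets are assumptions made for this example.

```python
import struct

# Offsets in tcpdump's udp[] notation: udp[0] is the first byte of the UDP
# header, so the DNS message starts at udp[8] and the first question (QNAME)
# starts at udp[20], right after the 12-byte DNS header.
DNS_OFF = 8
QNAME_OFF = DNS_OFF + 12
QTYPE_A = 1
QTYPE_PTR = 12


def dns_qname(name):
    """Encode a dotted name as DNS wire-format labels: <len><label>...<0>."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def ptr_name(ipv4):
    """Reverse-lookup name for an IPv4 address, e.g. 12.123.123.123.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def question_terms(qname, qtype):
    """Split QNAME+QTYPE into (offset, width, value) compares of 4, 2 or 1 bytes,
    the only widths BPF's udp[off:len] accessor accepts."""
    data = dns_qname(qname) + struct.pack("!H", qtype)
    terms, off = [], QNAME_OFF
    while data:
        width = 4 if len(data) >= 4 else 2 if len(data) >= 2 else 1
        terms.append((off, width, int.from_bytes(data[:width], "big")))
        data, off = data[width:], off + width
    return terms


def tcpdump_filter(qname, qtype):
    """Render a complete tcpdump/BPF expression matching queries for qname/qtype."""
    parts = ["udp dst port 53", "udp[10] & 0x80 = 0"]  # QR bit clear: a query, not a response
    parts += ["udp[%d:%d] = 0x%0*x" % (off, w, 2 * w, val)
              for off, w, val in question_terms(qname, qtype)]
    return " and ".join(parts)


def bpf_matches(qname, qtype, udp_segment):
    """Evaluate the same filter in Python against a raw UDP segment (header + payload),
    so the expression can be checked without root or a live interface."""
    def field(off, width):
        return int.from_bytes(udp_segment[off:off + width], "big")
    if len(udp_segment) < 8 or field(2, 2) != 53:   # udp dst port 53
        return False
    if field(10, 1) & 0x80:                         # QR set: a response, skip it
        return False
    # A packet too short for a compare does not match, same as in tcpdump.
    return all(len(udp_segment) >= off + w and field(off, w) == val
               for off, w, val in question_terms(qname, qtype))


def make_query(qname, qtype, response=False, txid=0x1234):
    """Constructed sample UDP segment carrying a one-question DNS message (not captured traffic)."""
    flags = 0x8180 if response else 0x0100          # RD set; QR/RA set for a response
    dns = (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
           + dns_qname(qname) + struct.pack("!HH", qtype, 1))  # QCLASS IN
    return struct.pack("!HHHH", 49152, 53, 8 + len(dns), 0) + dns


if __name__ == "__main__":
    target = ptr_name("123.123.123.12")
    print(tcpdump_filter(target, QTYPE_PTR))
    samples = [("PTR for 123.123.123.12", make_query(target, QTYPE_PTR)),
               ("PTR for 123.123.123.13", make_query(ptr_name("123.123.123.13"), QTYPE_PTR)),
               ("A for www.google.com", make_query("www.google.com", QTYPE_A)),
               ("PTR response", make_query(target, QTYPE_PTR, response=True))]
    for label, seg in samples:
        print("%-24s %s" % (label, bpf_matches(target, QTYPE_PTR, seg)))
```

The printed expression can be pasted straight into tcpdump (tcpdump -ni eth0 '...'). Two caveats a practitioner should keep in mind: the udp[] accessor only works on unfragmented IPv4 packets, and the compare is byte-exact, so a resolver that upper-cases or randomises the case of query labels will not match; for a case-insensitive match the tethereal dns.qry.name display filter mentioned above is the easier tool.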