tcpdump question

Ali Hamad ali.hamad34 at gmail.com
Thu Sep 7 04:22:17 UTC 2006


Anth and Harry,

Your assistance and suggestions are highly appreciated.
I can say now that the question has been answered very well ^_^.

Thank you once again,
Ali


On 9/6/06, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>
> Hi,
>
> That filter will get you udp traffic on port 53 destined for
> 123.123.123.12.
>
> This would be fine if 123.123.123.12 was your DNS server. However, it
> sounds like you want to match queries for an external host from your
> client to your DNS server.
>
> If this is correct you need to inspect the payload of the packet to
> match the query.
>
> If you aren't familiar with writing complex filters, you have a few
> alternatives:
>
> use ngrep, something like:
>
> ngrep -qitd eth0 'www.google.com' udp dst port 53
>
> would do the trick
>
> buy Network Intrusion Detection: An Analyst's Handbook, 2nd Edition
> http://www.informit.com/bookstore/product.asp?isbn=0735710082&redir=1&rl=1
>
> which will teach you how to write complex pcap filters. I would do this
> anyway! It's a great book.
>
> use ethereal/tethereal and use the Query Name filter, dns.qry.name, so
> something like:
> tethereal -i eth0 -s 1500 -R "dns.qry.name == www.google.com" udp dst port 53
>
> Hope this helps.
>
> Cheers,
> Harry
>
> Ali Hamad wrote:
> > Hello ,
> >
> > I'm looking for help to write a tcpdump filter that only dumps dns queries
> > that are looking for the hostname corresponding to the IP 123.123.123.12
> > ...
> >
> > I'm thinking about something like:
> > tcpdump udp dst 123.123.123.12 port 53 ,
> > but I'm not sure if it is correct .. any ideas and/or assistance are highly
> > appreciated,
> >
> > Thanks,
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
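As an added illustration of Harry's point that matching one hostname needs a look at the payload (this is example code written for this archive page, not something either poster sent): the helper below encodes a hostname into DNS wire format and emits a plain tcpdump capture filter that compares those bytes with udp[off:len] terms. It assumes the first question's QNAME starts at udp[20] (8-byte UDP header plus 12-byte DNS header), checks only the first question, and does a case-sensitive byte compare against the lowercased name, so a client that sends mixed-case labels is not matched.

```python
# Build a tcpdump/BPF capture filter that matches DNS queries for one hostname
# by comparing the QNAME bytes in the UDP payload (added example, not from the thread).
# Assumed layout: udp[0:8] UDP header, udp[8:12] DNS header, QNAME from udp[20].

def encode_qname(hostname: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = [lb for lb in hostname.strip(".").lower().split(".") if lb]
    out = b""
    for label in labels:
        if len(label) > 63:
            raise ValueError("DNS label longer than 63 bytes: " + label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def qname_filter(hostname: str, base_offset: int = 20) -> str:
    """Return a tcpdump expression that matches UDP/53 queries (QR bit clear)
    whose first question name equals hostname, byte for byte."""
    wire = encode_qname(hostname)
    terms = [
        "udp dst port 53",
        "udp[10] & 0x80 = 0",        # DNS flags byte: QR=0 means a query, not a reply
    ]
    pos = 0
    # tcpdump compares at most 4 bytes per udp[off:len] term, so emit 4/2/1-byte chunks.
    while pos < len(wire):
        remaining = len(wire) - pos
        width = 4 if remaining >= 4 else (2 if remaining >= 2 else 1)
        chunk = wire[pos:pos + width]
        terms.append("udp[%d:%d] = 0x%s" % (base_offset + pos, width, chunk.hex()))
        pos += width
    return " and ".join(terms)


if __name__ == "__main__":
    # Paste the printed expression into: tcpdump -i eth0 '<expression>'
    print(qname_filter("www.google.com"))
```

The filter only sees the first question and does no case folding, so for anything beyond a quick capture the dns.qry.name display filter in tethereal/tshark that Harry mentions is the more robust choice.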


