tcpdump dns output codes

Posted by tim on Server Fault See other posts from Server Fault or by tim
Published on 2012-06-18T20:25:34Z Indexed on 2012/06/18 21:18 UTC
Read the original article Hit count: 250

Filed under:

dns

|

tcpdump

Captured on the nameserver:

21:54:35.391126 IP resolver.7538 > server.domain: 57385% [1au] A? www.domain.de. (42)

What das the percent sign in 57385% mean? As far as I can see 57385 is the clients sequence number, a plus would mean RD bit set.

Second question: what does the ARCOUNT do in the query? As I understand the tcpdump man page the [1au] means tcpdump treats this as a protocol anomalie - as would I. I see this in a lot of queries.

© Server Fault or respective owner

Related posts about dns

Master/Slave DNS setup vs. rsync'ed DNS servers

as seen on Server Fault - Search for 'Server Fault'
We currently have primary and secondary DNS servers on our corporate network. They are setup in a master/slave type setup, where the slave gets its DNS information from the master. I'm trying to figure out what the real advantage is for the master/slave setup instead of just setting up an automated… >>> More
Updating Windows DNS records from a remote windows DNS server

as seen on Server Fault - Search for 'Server Fault'
Does anyone know if it is possible for a windows 2003 DNS server to update the records for a domain so that it contains all the records of a domain of of a remotely based DNS server? Im almost certain that doesn't quite explain the problem so I shall illustrate with an example: We have two offices… >>> More
OpenVPN DNS: VPN DNS stomping local VPN

as seen on Super User - Search for 'Super User'
I've finally noodled with OpenVPN enough to get it working. Even better, I can mount samba drives, ping network machines through the TUN device, etc - it's all great. However, I'm noticing that if I have the directive: push "dhcp-option DNS 10.0.1.1" # Push our local DNS to clients Then some of… >>> More
Random DNS Client Issue with BIND9/Windows Server 2003 DNS

as seen on Stack Overflow - Search for 'Stack Overflow'
Within our office, we have a local server running DNS, for internal related "domains", (e.g. .internal, .office, .lan, .vpn, etc.). Randomly, only the hosts configured with those extensions will stop resolving on the Windows-based workstations. Sometimes it'll work for a couple weeks without issue… >>> More
DNS Tools - DNS and Few of its Concerning Terms and Tools

as seen on Article City - Search for 'Article City'
A DNS or Domain Name System lets you locate computers on a network or the Internet TCP/IP network by domain name. The DNS server sustains a database of domain names or host names along with their cor... [Author: Daisy Osbaldo - Computers and Internet - April 02, 2010] >>> More

Related posts about tcpdump

Packet loss rate with iperf and tcpdump

as seen on Server Fault - Search for 'Server Fault'
I tested a line for its link quality with iperf. The measured speed (UDP port 9005) was 96Mbps, which is fine, because both servers are connected with 100Mbps to the internet. On the other hand the datagram loss rate was shown to be 3.3-3.7%, which I found a little too much. Using a high-speed transfer… >>> More
tcpdump filter that excludes private ip traffic

as seen on Server Fault - Search for 'Server Fault'
For a generic filter to exclude all traffic in my dump that is between private IP address, I came up with the following: sudo tcpdump -n ' (not ( (src net 172.16.0.0/20 or src net 10.0.0.0/8 or src net 192.168.0.0/16) and (dst net 172.16.0.0/20 or dst net 10.0.0.0/8 or dst… >>> More
How to Break Up Large tcpdump Files

as seen on Server Fault - Search for 'Server Fault'
Is there something that can break up tcpdump file after the captuure and make sure the breaks are on the border of packet data? Like -C but after the fact. >>> More
tcpdump on dd-wrt router

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm trying to capture packets from two devices on my network. I have tcpdump installed on my dd-wrt router and working correctly. However, the only packets I capture are broadcast packets when using a tcpdump statement that states only those two devices ./tcpdump -w /tmp/capture.pcap dst 192.168… >>> More
How can I log all traffic with its exact length?

as seen on Server Fault - Search for 'Server Fault'
I want to process all packets with their size going through our gateway server (running Debian 4.0). My idea is to use tcpdump, but I have two questions. The command I'm currently thinking of is tcpdump -i iface -n -t -q. Is it guaranteed that tcpdump will process all packets? What happens if… >>> More