{"id":627,"date":"2014-11-05T14:50:01","date_gmt":"2014-11-05T13:50:01","guid":{"rendered":""},"modified":"2019-11-06T13:54:24","modified_gmt":"2019-11-06T12:54:24","slug":"using-tcpdump-diagnostics-dns-debian","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/using-tcpdump-diagnostics-dns-debian\/","title":{"rendered":"Using tcpdump for diagnostics of DNS – debian"},"content":{"rendered":"

TCPdump is a powerful command-line packet analyzer, which may be used for analyzing of DNS question\/answer process. TCPdump is preinstalled on many Linux distributions. For debian it can be installed directly from the debian repository:<\/p>\n

apt-get install tcpdump\n<\/pre>\n
TCPdump allows write a sniff to file or display it realtime. It provides several ways how to use it for DNS analysis. Now I will write a few examples. Deeper description is at the bottom of the page.<\/p>\n
Example 1) Capture DNS on the fly<\/strong>:<\/p>\n
tcpdump -i eth0 udp port 5<\/strong>3\n\n14:42:12.989067 IP 10.0.2.15.11008 > castor.kis.fri.uniza.sk.domain: 17791+ [1au] A? voip.kis.fri.uniza.sk. (50)\n14:42:12.989655 IP castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1\/1\/2 A 158.193.152.2 (99)<\/pre>\n
where -i is the interface, UDP is the transport protocol and port is the communication port of DNS<\/p>\n
Example 2) Shorter alternative of example 1<\/strong><\/p>\n
tcpdump -nt -i eth0 udp port 53<\/strong>\n\nIP 10.0.2.15.44182 > 158.193.152.2.53: 50466+ [1au] A? voip.kis.fri.uniza.sk. (50)\nIP 158.193.152.2.53 > 10.0.2.15.44182: 50466* 1\/1\/2 A 158.193.152.2 (99)<\/pre>\n
where -n does not convert IP\u00a0address to DNS names and -t does not print timestamps<\/p>\n
Example XY) use tcpdump capture data and write them to a pcap file<\/strong><\/p>\n
then we are able to do post analysis, for example using both previous commands<\/p>\n
tcpdump -i eth0 udp port 53 -w example.cap<\/pre>\n
then we may read back from the file<\/p>\n
tcpdump -v -r example.cap udp port 53<\/pre>\n
Detailed description and additional information<\/h2>\n
Here I’m providing a closer look.<\/p>\n
Be able to observe something we need a DNS lookup tool, which help us generate DNS queries on demand. Debian for example has preinstalled the host<\/strong> and nslookup <\/strong>tool. However, I personally prefer dig<\/strong><\/em>, which is part of dnsutils deb package.<\/p>\n
I will use the same DNS query usually for all examples:<\/p>\n
dig voip.kis.fri.uniza.sk<\/pre>\n
which will ask a question for translating the Address record A<\/span><\/strong> of voip.kis.fri.uniza.sk <\/span>server to its IP address. Answer is 158.193.152.2<\/span><\/p>\n
dig voip.kis.fri.uniza.sk\n\n; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> voip.kis.fri.uniza.sk\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46977\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 4096\n;; QUESTION SECTION:\n;voip.kis.fri.uniza.sk.        IN    A<\/span>\n\n;; ANSWER SECTION:\nvoip.kis.fri.uniza.sk.    3600    IN    A    158.193.152.2<\/span>\n\n;; AUTHORITY SECTION:\nkis.fri.uniza.sk.    3600    IN    NS    ns.kis.fri.uniza.sk.\n\n;; ADDITIONAL SECTION:\nns.kis.fri.uniza.sk.    3600    IN    A    158.193.152.2\n\n;; Query time: 7 msec\n;; SERVER: 127.0.1.1#53(127.0.1.1)\n;; WHEN: Wed Nov 05 14:54:33 CET 2014\n;; MSG SIZE  rcvd: 99\n<\/pre>\n
Otherwise I will highlight difference.<\/p>\n
Examples of usage<\/h2>\n
TCPdump allows write a sniff to a file or display it realtime. It provides several ways how to use it for DNS analysis.<\/p>\n
1) Detailed description of the example one: capturing DNS on the fly<\/h3>\n
tcpdump -i eth0 udp port 53<\/h4>\n
this example display lines of UDP datagrams exchanged on the UDP port number 53 (dns service) captured on the eth0 interface (-i eth0 specify it)<\/p>\n
root@palo-Xubuntu:~# tcpdump -i eth0 udp port 53\n\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\nlistening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes\n14:42:12.989067 IP 10.0.2.15.11008 > castor.kis.fri.uniza.sk.domain: 17791+ [1au] A? voip.kis.fri.uniza.sk. (50)<\/span>\n14:42:12.989655 IP castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1\/1\/1 A 158.193.152.2 (99)<\/span>\n<\/pre>\n
A DNS query <\/span>is generally formatted as<\/p>\n
              src > dst: id op? flags qtype qclass name (len)\n<\/pre>\n
where:<\/p>\n
    \n
  • src <\/u>is a host with IP address 10.0.2.15,<\/li>\n
  • dst <\/u>is a destination, i.e. an IP address or a dns name of your preconfigured DNS server, here castor.kis.fri.uniza.sk, this resolving can be turned of using the -n swtich. Then we would see an IP addres there, here\u00a0 158.193.152.2.<\/li>\n
  • id<\/u> is the query ID, 17991 here<\/li>\n
  • op<\/u> is ommited here<\/li>\n
  • qtype <\/u>means the type of DNS query here A?<\/em> means the Address Resoruce Record<\/li>\n
  • (len)<\/em><\/u> is the query length not including transport headers, 50B here<\/li>\n<\/ul>\n
    DNS server responses <\/span>are formatted as<\/p>\n
    src > dst:  id op rcode flags a\/n\/au type class data (len)<\/pre>\n
    where in our example we can see<\/p>\n
    castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1\/1\/1 A 158.193.152.2 (99)<\/span><\/pre>\n
      \n
    • src <\/u>is a dns server name or an IP address, here castor.kis.fri.uniza.sk, this resolving can be turned of using the -n switch. Then we would see an IP address there, here\u00a0 158.193.152.2.<\/li>\n
    • dst <\/u>is a destination, i.e. asking node\u00a0 IP address or a dns name, here 10.0.2.15,.<\/li>\n
    • id<\/u> is the answer on a query with number, here 17991\n
        \n
      • a\/ the number of answer records<\/li>\n
      • \/n the number of name server records<\/li>\n
      • au the number of additional records<\/li>\n<\/ul>\n<\/li>\n
      • here we have 1 answer 1 name server and 2 additional records<\/li>\n
      • type <\/u>means the type of DNS query. HEre it was A<\/em><\/li>\n
      • (len)<\/em> is the query length not including transport headers, 99B here<\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"
        \n\tTCPdump is a powerful command-line packet analyzer, which may be used for analyzing of DNS question\/answer process. TCPdump is preinstalled on many linux distributions. For debian it can be installed directly from the debian repository:<\/p>\n
        \r\napt-get install tcpdump\r\n<\/pre>\n
        \n\tTCPdump allows write a sniff to file or display it realtime. It provides several ways how to use it for DNS analysis. Now I will write a few examples. Deeper description is at the bottom of the page.<\/p>\n
        \n\t <\/p>\n
        \n\tExample 1) Capture DNS on the fly<\/strong>:<\/p>","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[685],"tags":[],"class_list":["post-627","post","type-post","status-publish","format-standard","hentry","category-linux_-_howto-en"],"taxonomy_info":{"category":[{"value":685,"label":"Linux - HOWTO"}]},"featured_image_src_large":false,"author_info":{"display_name":"admin","author_link":"https:\/\/nil.uniza.sk\/en\/author\/admin\/"},"comment_info":3,"category_info":[{"term_id":685,"name":"Linux - HOWTO","slug":"linux_-_howto-en","term_group":0,"term_taxonomy_id":683,"taxonomy":"category","description":"","parent":0,"count":71,"filter":"raw","cat_ID":685,"category_count":71,"category_description":"","cat_name":"Linux - HOWTO","category_nicename":"linux_-_howto-en","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/627","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=627"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/627\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}