From owner-freebsd-questions@FreeBSD.ORG Mon Jan 3 23:30:03 2005
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2C07316A4CE; Mon, 3 Jan 2005 23:30:03 +0000 (GMT)
Received: from kane.otenet.gr (kane.otenet.gr [195.170.0.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 53E5343D49; Mon, 3 Jan 2005 23:30:02 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr)
Received: from gothmog.gr (patr530-a132.otenet.gr [212.205.215.132]) j03NTQdb017435; Tue, 4 Jan 2005 01:29:46 +0200
Received: from gothmog.gr (gothmog [127.0.0.1]) by gothmog.gr (8.13.1/8.13.1) with ESMTP id j03NTFno045096; Tue, 4 Jan 2005 01:29:15 +0200 (EET) (envelope-from keramida@ceid.upatras.gr)
Received: (from giorgos@localhost) by gothmog.gr (8.13.1/8.13.1/Submit) id j03NTFVu045095; Tue, 4 Jan 2005 01:29:15 +0200 (EET) (envelope-from keramida@ceid.upatras.gr)
Date: Tue, 4 Jan 2005 01:29:15 +0200
From: Giorgos Keramidas
To: Florian Hengstberger
Cc: freebsd-questions@freebsd.org
Subject: Re: Hostname lookups? (tcpdump output)
Message-ID: <20050103232915.GB44980@gothmog.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 03 Jan 2005 23:30:03 -0000

On 2004-12-30 18:23, Florian Hengstberger wrote:
> Hi!
> I'm currently keeping track of all packets coming from my ISP using
> tcpdump. I have a limited transfer rate and I'm wondering why there's
> still (around 100KB per min) traffic although I have no network
> connections open to the outside world.
>
> So netstat gives me:
>
> Active Internet connections
> Proto Recv-Q Send-Q Local Address          Foreign Address         (state)
> tcp4       0      0 lazarus.49201          hpat989.external.http   TIME_WAIT
> tcp4       0      0 lazarus.49199          66.102.9.104.http       ESTABLISHED
> tcp4       0      0 localhost.smtp         *.*                     LISTEN
> udp4       0      0 localhost.49158        localhost.ntp
> udp4       0      0 localhost.ntp          *.*
> udp4       0      0 lazarus.ntp            *.*
>
> When I run tcpdump I get the following:
>
> 18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
> 18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain: 46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
> 18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562: 46387 NXDomain* 0/0/0 (43)
> 18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain: 46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
> 18:15:20.388817 ns1.wwpa.com.domain > lazarus.home.49563: 46388 NXDomain* 0/0/0 (42)
> 18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain: 46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
> 18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564: 46389 1/0/0 (70)
> 18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
> 18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain: 46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
> 18:15:23.456830 ns1.wwpa.com.domain > lazarus.home.49565: 46390 NXDomain* 0/0/0 (43)
> 18:15:25.191614 arp who-has 62.116.56.19 tell 62.116.56.1
> 18:15:25.386242 arp who-has 62.116.56.98 tell 62.116.56.1
> 18:15:25.448443 lazarus.home.49566 > ns1.wwpa.com.domain: 46391+ PTR? 19.56.116.62.in-addr.arpa. (43)
> 18:15:25.494756 ns1.wwpa.com.domain > lazarus.home.49566: 46391 NXDomain* 0/0/0 (43)
> 18:15:28.109842 arp who-has 62.116.56.19 tell 62.116.56.1

You have several programs that may be making the DNS queries you see:

a) Some HTTP servers attempt to resolve the IP addresses of the clients
   that connect to them, in order to write host names (instead of IP
   addresses) in their log files.

b) Sendmail or other MTAs may query the name of IP addresses that connect
   to them, in an attempt to stop spammers, dialup users or other clients
   that attempt to relay through them.

c) The tcpdump utility itself makes DNS queries for the IP addresses that
   appear in traced packets, unless run with the -n option.
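One way to confirm hypothesis (c) from the capture itself, rather than by guessing: if the PTR queries are the sniffer's own lookups, each one should ask about an address that appeared in a captured packet a fraction of a second earlier. The script below is an added example, not part of the thread or of tcpdump; it parses the tcpdump lines quoted above (copied verbatim as its sample input), maps every `in-addr.arpa` query back to the IPv4 address it asks about, and checks whether that address was seen in a preceding non-DNS packet within a short window. It also sums the DNS payload sizes tcpdump prints in parentheses, to put a number on how much of the traffic is the reverse lookups themselves. The 5-second window and the treatment of the "(NN)" suffix as DNS payload length are the example's own assumptions.

```python
import re
from datetime import datetime

# Sample tcpdump output, copied from the quoted post above: timestamps,
# host names and addresses are the ones in the thread, not constructed.
SAMPLE = """\
18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain: 46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562: 46387 NXDomain* 0/0/0 (43)
18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain: 46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
18:15:20.388817 ns1.wwpa.com.domain > lazarus.home.49563: 46388 NXDomain* 0/0/0 (42)
18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain: 46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564: 46389 1/0/0 (70)
18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain: 46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
18:15:23.456830 ns1.wwpa.com.domain > lazarus.home.49565: 46390 NXDomain* 0/0/0 (43)
18:15:25.191614 arp who-has 62.116.56.19 tell 62.116.56.1
18:15:25.386242 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:25.448443 lazarus.home.49566 > ns1.wwpa.com.domain: 46391+ PTR? 19.56.116.62.in-addr.arpa. (43)
18:15:25.494756 ns1.wwpa.com.domain > lazarus.home.49566: 46391 NXDomain* 0/0/0 (43)
18:15:28.109842 arp who-has 62.116.56.19 tell 62.116.56.1
"""

TS_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) (.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PTR_RE = re.compile(r"PTR\? ((?:\d{1,3}\.){4})in-addr\.arpa\.")
LEN_RE = re.compile(r"\((\d+)\)$")


def parse(text):
    """Turn tcpdump text lines into (timestamp, body, dns_payload_len) records.
    dns_payload_len is None for packets tcpdump did not decode as DNS."""
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        body = m.group(2)
        is_dns = ".domain" in body   # tcpdump prints port 53 as "domain"
        length = None
        if is_dns:
            lm = LEN_RE.search(body)  # assumption: "(NN)" is the DNS payload size
            length = int(lm.group(1)) if lm else 0
        records.append((ts, body, length))
    return records


def ptr_target(body):
    """Return the IPv4 address a PTR query asks about, or None for other lines."""
    m = PTR_RE.search(body)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    return ".".join(reversed(octets))  # in-addr.arpa names are written reversed


def attribute_ptr_queries(text, window_seconds=5.0):
    """For every PTR query, report whether its target address was seen in a
    non-DNS packet shortly before. A small, consistent lag is the signature of
    the sniffer resolving addresses it just captured (tcpdump without -n).
    Returns a list of (queried_ip, lag_seconds_or_None)."""
    last_seen = {}
    result = []
    for ts, body, dns_len in parse(text):
        if dns_len is None:
            # Non-DNS packet: remember every address it mentions.
            for ip in IPV4_RE.findall(body):
                last_seen[ip] = ts
            continue
        ip = ptr_target(body)
        if ip is None:
            continue  # a DNS response, not a query
        lag = None
        if ip in last_seen:
            delta = (ts - last_seen[ip]).total_seconds()
            if 0 <= delta <= window_seconds:
                lag = round(delta, 6)
        result.append((ip, lag))
    return result


def dns_payload_bytes(text):
    """Sum of the DNS payload sizes tcpdump prints in parentheses."""
    return sum(n for _, _, n in parse(text) if n is not None)


def dns_bytes_per_minute(text):
    """Extrapolate DNS payload volume over the capture span to a per-minute
    figure. Link, IP and UDP headers are excluded, so this is a lower bound."""
    recs = parse(text)
    span = (recs[-1][0] - recs[0][0]).total_seconds()
    return dns_payload_bytes(text) * 60.0 / span


if __name__ == "__main__":
    for ip, lag in attribute_ptr_queries(SAMPLE):
        if lag is None:
            print("%-15s not seen in window -> some other resolver" % ip)
        else:
            print("%-15s seen %.3fs earlier -> sniffer's own lookup" % (ip, lag))
    print("DNS payload: %d bytes, ~%.0f bytes/min" %
          (dns_payload_bytes(SAMPLE), dns_bytes_per_minute(SAMPLE)))
```

On the quoted capture, four of the five PTR queries follow an ARP packet mentioning the same address by well under a second, which is exactly what the reply's point (c) predicts; the fifth (62.116.33.193) has no matching packet inside this short excerpt, so it cannot be attributed from these lines alone. Re-running the capture with `tcpdump -n` and seeing the PTR traffic disappear would close the loop; the payload total also shows the lookups are a small share of the 100KB/min the poster measured, so the rest must come from elsewhere in the capture.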