From owner-freebsd-questions Wed Nov 3 7:45:29 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id 2D65C14DBD for ; Wed, 3 Nov 1999 07:45:21 -0800 (PST) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.9.3/8.9.3) id JAA54398; Wed, 3 Nov 1999 09:43:52 -0600 (CST) (envelope-from dan)
Date: Wed, 3 Nov 1999 09:43:52 -0600
From: Dan Nelson
To: Cliff Addy
Cc: questions@FreeBSD.ORG
Subject: Re: help reading tcpdump output
Message-ID: <19991103094352.A53581@dan.emsphone.com>
References: <199909241425.AA052523114@broccoli.graphics.cornell.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from fbsdlist@federation.addy.com on Wed, Nov 03, 1999 at 10:36:03AM -0500
X-OS: FreeBSD 4.0-CURRENT
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In the last episode (Nov 03), Cliff Addy said:
> We're swapping nameservice to a new machine and I ran tcpdump to watch
> what's still going to port 25 on the old machine. I'm seeing a lot of
> strange packets I don't understand, such as
>
> 10:31:26.360261 207.115.59.220.53 > 207.239.68.2.53: 16144 (30)
> 10:31:28.991805 209.180.245.130.53 > 207.239.68.2.53: 757 (37)
> 10:31:29.846414 131.15.136.2.8673 > 207.239.68.2.53: 61184 (32)
> 10:31:30.520673 194.22.190.5.3693 > 207.239.68.2.53: 48437 (35)
> 10:31:33.071580 152.163.189.173.4393 > 207.239.68.2.53: 49123 (35)

Port 53 is DNS lookups. The default 'snarf' length that tcpdump uses is
68 bytes per packet, which is only enough to print the basic IP/TCP/UDP
information. The tcpdump manpage suggests -s 128 as a starting point if
you want to view DNS packets in full.

-- 
Dan Nelson
dnelson@emsphone.com
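As an added illustration of Dan's point (this script is not part of the thread), the following Python builds a constructed DNS query, keeps only the bytes a given snaplen would leave after the link, IP and UDP headers, and tries to decode the question; at 68 bytes a typical query name is cut off, at 128 it is not. The header sizes are assumptions (plain Ethernet, IPv4 without options, UDP).

```python
import struct

# Assumed header sizes: 14-byte Ethernet, 20-byte IPv4 (no options), 8-byte UDP.
ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8

def build_query(qname: str, txid: int = 16144) -> bytes:
    """Constructed sample: a minimal DNS A/IN query for qname (not a real capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN

def visible_dns(dns: bytes, snaplen: int) -> bytes:
    """The DNS payload bytes tcpdump keeps from a frame captured with -s snaplen."""
    keep = max(0, snaplen - (ETH_LEN + IP_LEN + UDP_LEN))
    return dns[:keep]

def parse_question(dns: bytes):
    """Decode the DNS header id and first question name from a possibly truncated
    payload. Returns (txid, qname_or_None, truncated)."""
    if len(dns) < 12:                       # not even a full 12-byte DNS header
        return None, None, True
    txid = struct.unpack("!H", dns[:2])[0]
    labels, pos = [], 12
    while True:
        if pos >= len(dns):                 # name runs past the captured bytes
            return txid, None, True
        n = dns[pos]
        if n == 0:                          # root label terminates the name
            pos += 1
            break
        if pos + 1 + n > len(dns):          # label body cut off by the snaplen
            return txid, None, True
        labels.append(dns[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    truncated = pos + 4 > len(dns)          # QTYPE/QCLASS must also be present
    return txid, ".".join(labels), truncated

def decode_at(qname: str, snaplen: int):
    """Convenience: what a capture at this snaplen lets us decode for qname."""
    return parse_question(visible_dns(build_query(qname), snaplen))

if __name__ == "__main__":
    for snap in (68, 128):
        print(snap, decode_at("www.example.com", snap))
```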