Saturday, January 29, 2011

tcpdump and dynamic dns update

So here we have an example of why google is scared.... asking google to find the specific recipe for "what is the tcpdump incantation to sniff / filter only for ddns update packets" winds up with a billion pages of stuff not related to what I'm interested in... Lots of stuff about setting up a dns server, though.

so...

Anyone know the specific tcpdump filter you'd use to capture only dynamic dns update packets?

Wireshark and tcpdump both seem to recognize ddns update packets, (I'm using the wireshark example pcap file with ddns update packets from the wireshark wiki). So, at least I can just filter for port 53 traffic, but on this link that's going to be a metric-buttload of traffic.

Thanks! Sorry to ask a 101 type question...

  • check here: http://www.dyndns.com/developers/specs/syntax.html

    The tcpdump would be something like this:

    tcpdump -i interface_name -s 65000 port 80 or port 8245 or port 443

    Gerald Combs : Ports 80 and 443 will likely pick up more traffic than you're looking for. "tcpdump -i interface_name -s 0 host members.dyndns.org" might work better. Updates will go to that machine no matter what according to the spec.
    chris : Oh -- I'm not looking for the traffic to one of the dynamic dns service providers on the internet. I'm looking for dns update packets sent from servers on my network to my dns server to update my dns server's internal dns records. I know it'll probably start with port 53 but I'm hoping there is some more strict filter that will get rid of the address queries that'll constitute 99.9% of the udp port 53 dst host a.b.c.d
    From Stephan
  • Something like this seems to work for IPv4:

    tcpdump 'udp[0xa] & 0x78 = 0x28'

    Reasoning (offsets relative to the start of the UDP packet - probably easiest to follow along with Wireshark open):

    • bytes 0-7 = UDP header
    • bytes 8-9 = DNS transaction ID
    • byte 10 (0xa) = start of DNS flags

    The DNS opcode is bits 3-6 (hence the mask 01111000 = 0x78) of byte 10, and for updates we want DNS opcode 5; 5 << 3 = 40 = 0x28.

    chris : Thanks! That does indeed filter for exactly what I was looking for! I'm waiting until I can add a bounty before I mark this answer as accepted.
    From SimonJ
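    As an added illustration of the offset reasoning above (this is not code from the original thread): the script below builds a few constructed UDP datagrams carrying DNS messages, then applies the same byte-10 test that `udp[0xa] & 0x78 = 0x28` performs. It goes one step beyond the answer in two places: the 0x78 mask leaves bit 7 (QR) out, so responses to updates match too, and a 0xf8 mask is shown for the request-only variant; and the byte test says nothing about ports, so a `udp port 53` conjunct is modelled separately. Names, ports and transaction IDs in the samples are made up.

    ```python
    import struct

    # DNS opcodes (RFC 1035 query, RFC 1996 NOTIFY, RFC 2136 UPDATE)
    OPCODE_QUERY, OPCODE_NOTIFY, OPCODE_UPDATE = 0, 4, 5


    def encode_name(name):
        """Encode a dotted name as DNS wire labels (length byte + label, NUL-terminated)."""
        out = b""
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        return out + b"\x00"


    def dns_message(txid, opcode, qr=0, name="host.example.com", qtype=1):
        """Minimal DNS message: 12-byte header plus one entry in the first section
        (QD for queries, ZONE for updates; the wire layout of that entry is the same)."""
        flags = (qr << 15) | ((opcode & 0xF) << 11)          # QR is bit 15, opcode bits 14-11
        header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
        return header + encode_name(name) + struct.pack("!HH", qtype, 1)


    def udp_datagram(sport, dport, payload):
        """8-byte UDP header followed by the DNS payload; checksum left 0 (constructed sample)."""
        return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


    def udp_ports(dgram):
        """(source port, destination port) from UDP bytes 0-3."""
        return struct.unpack("!HH", dgram[:4])


    def dns_opcode(dgram):
        """Bytes 8-9 are the transaction ID; byte 10 holds QR + opcode (bits 3-6) + AA/TC/RD."""
        return (dgram[10] & 0x78) >> 3


    def matches_udp_0xa_0x78(dgram):
        """Python equivalent of tcpdump 'udp[0xa] & 0x78 = 0x28': opcode == 5 (UPDATE)."""
        return len(dgram) > 10 and (dgram[10] & 0x78) == 0x28


    def matches_update_request_only(dgram):
        """Tighter form 'udp[0xa] & 0xf8 = 0x28': also requires QR = 0, so update
        responses (QR = 1, opcode 5, byte value 0xa8) no longer match."""
        return len(dgram) > 10 and (dgram[10] & 0xF8) == 0x28


    def matches_update_on_port_53(dgram):
        """'udp port 53 and udp[0xa] & 0x78 = 0x28': the byte test alone ignores ports,
        so the port qualifier has to be added explicitly (src or dst, like 'udp port 53')."""
        sport, dport = udp_ports(dgram)
        return 53 in (sport, dport) and matches_udp_0xa_0x78(dgram)


    # Constructed sample traffic (made-up ports, IDs and names)
    SAMPLES = {
        "query":           udp_datagram(40000, 53, dns_message(0x1111, OPCODE_QUERY)),
        "update_request":  udp_datagram(40001, 53, dns_message(0x2222, OPCODE_UPDATE, name="example.com", qtype=6)),
        "update_response": udp_datagram(53, 40001, dns_message(0x2222, OPCODE_UPDATE, qr=1, name="example.com", qtype=6)),
        "notify":          udp_datagram(40002, 53, dns_message(0x3333, OPCODE_NOTIFY)),
        "update_odd_port": udp_datagram(40003, 5353, dns_message(0x4444, OPCODE_UPDATE)),
    }


    def classify(samples=SAMPLES):
        """For each sample: (opcode, matches 0x78 filter, matches 0xf8 filter, matches port-53 form)."""
        return {
            name: (dns_opcode(d), matches_udp_0xa_0x78(d),
                   matches_update_request_only(d), matches_update_on_port_53(d))
            for name, d in samples.items()
        }


    if __name__ == "__main__":
        for name, (op, m78, mf8, m53) in classify().items():
            print(f"{name:16s} opcode={op} 0x78={m78} 0xf8={mf8} port53={m53}")
    ```

    Running it shows that the 0x78 test picks up both the update request and the server's response to it, and that an update sent to a non-53 port still matches unless `udp port 53` is part of the expression.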
  • For such a request, dnscap is clearly a superior solution because you can write DNS-specific requests.

    A request like:

    % dnscap -w updates.pcap -mu -i eth0

    will keep only the ddns update requests in the updates.pcap file.

    chris : It looks like a useful tool, but trying to figure out how to get and install it gave me flashbacks of trying install cnews so I could post to usenet from my school's ultrix box.
    bortzmeyer : Wow, I was an Ultrix sysadmin too! I remember my installation of INN, how it looked simple after cnews :-) Anyway, on Gentoo or Debian, just add (or uncomment) 'PORTLIBS= /usr/lib/libresolv.a BINDLIB=-lbind9' in the Makefile and type make.
    chris : Except you'd need to find a copy of cnews from somewhere to be able to post using inn. I miss ultrix, the good old days. Amazingly, interactive stuff on my old DECstation 3100 felt about the same as my modern computer, despite the fact that even my cell phone has 8 times as much memory and 100 times the CPU speed. plus ça change, plus c'est la même chose.
    From bortzmeyer
  • Does the following filter tcpdump 'udp[0xa] & 0x78 = 0x28' only grab packets coming from port 53 or does the port number need to be specified in the filter?

    Linh

    From Linh Ly
