How to identify packet number where IP gets resolved

Thanks all, seems like there was some issue with that pcap. I captured again in a new pcap and I got the required name resolution.

Hey, can anyone tell me how to get the packet number? Is it the leftmost column in Wireshark?
I wrote all the DNS captures to a pcap file and opened it in Wireshark.
Thanks

Yes @srinjoy, it is.

Could you please specify which port should be captured, because when I capture at 8081 nothing is captured.

It says:
Standard query response No such name SOA ns1.google.com
Am I doing something wrong?

See this

You have to find the IP where google.com is changed.
Hint: it starts with 172.

Meaning? IP is changed? I really don't understand what you are telling me.

Where the name google.com is changed, you will find it in the last column of Wireshark.


Every site has an IP address and DNS… Just google about it… You will get an idea.

Found it. Thanks!! I am getting those types of responses only twice or thrice in my entire .pcap file. Is it fine or should I do something?

It's fine.
Next time do a Google search please.

Haha, it just resolves one time for each server… You can search for how DNS works if you have any confusion.


@SatyamSinghNiranjan

  • The reason we filter on port 8081 is because our QBox server runs on that port. But this milestone deals with only ping and traceroute, both of which have no relation to QBox.

  • Still, the idea remains the same. Filter for packets (either allow ports or block ports).

  • Now, check if both ping and traceroute use any particular port number for communication.

  • If yes, you can filter for only those ports using tcpdump like you did with 8081.

  • If not, the best we can do is to not capture any other packets other than what's required (hint: it's not necessary that every packet is addressed to some port). For hints on this, see here.

Let me know if it helped :slight_smile:


Well, I used the following command to find the ports:

sudo lsof -i -P -n | grep LISTEN

But this gave only TCP ports, and also I couldn't find any Google IP in the .pcap file.

It will be DNS, and start tcpdump before you start ping.

@SatyamSinghNiranjan

  • See what protocol is used to resolve hostnames. Now, check the port number it uses.

  • You can filter packets in Wireshark using this port number to see packets that belong to that protocol.

  • Now, peek through the Info column in Wireshark for these packets. You will be able to find packet(s) with google.com in them. Choose a SET of those packets.


I could only find port 8080. I think I'm doing it wrong. When I tried with ports 8081, 8082 and 8083, tcpdump gave no response.

This is how I started:

  1. I started the ping google.com
  2. Then I ran: tcpdump port 8080 -w ping_traceroute.pcap
  3. Then I started traceroute google.com

The above just gave me TCP packets.

That’s because you filtered for port 8080.

  • Do one thing: just print tcpdump (w/o filters) on your terminal w/o running ping or the QBox server or anything.

  • Are there any packets displayed? If so, these are from some background processes we don't care about. Check which port numbers occupy a fair share of these requests (one or two most frequent).

  • Now, to reduce the file size of the pcap when you are capturing packets while running ping, you can use a filter on tcpdump to not catch packets for the above-mentioned ports the background processes are using.

  • This way you'll get a smaller pcap file.

  • Open Wireshark and use a Wireshark display filter (please check on Google what this is if you don't know) to display only packets of the port number of the protocol that resolves the hostname (google.com) to some IP address (let's say 172.160.160.160).

  • You might be able to see multiple such packet sets. Get the packet numbers of one of these sets. You'll be good to go with this. :slight_smile:

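The two replies above (find the hostname-resolution protocol's port, filter on it, then pick the query/response set that names google.com) amount to a small procedure, shown here as an added example that is not code from the thread or the course. It builds a constructed pcap in memory (one TCP frame to port 8080 standing in for background traffic, a DNS query, its answer, and an ICMP echo), walks the file numbering frames the way Wireshark's "No." column does (1-based), and reports which frames carry the question and the answer for google.com. The 172.217.160.174 answer and all addresses in it are made-up sample values; on a real capture the equivalent Wireshark display filter is `dns.qry.name == "google.com"`.

```python
"""Locate the frames in a pcap where a hostname gets resolved (added example, not the poster's code).
The capture is constructed in memory; the 172.217.160.174 answer is a made-up sample value."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4                                   # little-endian, microsecond pcap

def encode_name(name):
    # 'google.com' -> length-prefixed labels, terminated by a zero byte
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def dns_query(txid, name):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def dns_response(txid, name, ip):
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)          # QR=1, RD, RA, one answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1) + answer

def frame(proto, src, dst, payload):
    """Ethernet + IPv4 header around a transport payload (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_sample_pcap():
    """Constructed capture: frame 1 TCP SYN to 8080, 2 DNS query, 3 DNS answer, 4 ICMP echo."""
    syn = struct.pack("!HHIIBBHHH", 51000, 8080, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    frames = [
        frame(6, "10.0.0.5", "10.0.0.9", syn),
        frame(17, "10.0.0.5", "10.0.0.1", udp(40123, 53, dns_query(0x1234, "google.com"))),
        frame(17, "10.0.0.1", "10.0.0.5", udp(53, 40123, dns_response(0x1234, "google.com", "172.217.160.174"))),
        frame(1, "10.0.0.5", "172.217.160.174", b"\x08\x00\x00\x00\x00\x01\x00\x01ping"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def decode_name(data, off):
    """Read a DNS name at off, following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                         # pointer to an earlier copy of the name
            end = end or off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end or off
        labels.append(data[off:off + length].decode())
        off += length

def parse_dns(data):
    """Return the queried name, whether this is a response, and any A-record addresses."""
    txid, flags, _qd, an = struct.unpack("!HHHH", data[:8])
    qname, off = decode_name(data, 12)
    off += 4                                              # skip qtype, qclass
    addrs = []
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                     # A record
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "response": bool(flags & 0x8000), "name": qname, "addrs": addrs}

def dns_packets(pcap, hostname, dns_port=53):
    """(frame number, parsed DNS) for each UDP packet on dns_port whose question is hostname."""
    assert struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC, "expects little-endian pcap"
    off, num, hits = 24, 0, []
    while off < len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        pkt, off, num = pcap[off + 16:off + 16 + incl], off + 16 + incl, num + 1
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 17:    # not IPv4, or not UDP
            continue
        l4 = 14 + (pkt[14] & 0x0F) * 4
        if dns_port not in struct.unpack("!HH", pkt[l4:l4 + 4]):
            continue
        dns = parse_dns(pkt[l4 + 8:])
        if dns["name"] == hostname:
            hits.append((num, dns))
    return hits

def resolution_sets(pcap, hostname):
    """Pair each query with its answer by transaction id -> [(query_no, response_no, addrs)]."""
    pending, sets = {}, []
    for num, dns in dns_packets(pcap, hostname):
        if not dns["response"]:
            pending[dns["txid"]] = num
        elif dns["txid"] in pending:
            sets.append((pending.pop(dns["txid"]), num, dns["addrs"]))
    return sets

if __name__ == "__main__":
    for q, r, addrs in resolution_sets(build_sample_pcap(), "google.com"):
        print(f"query in frame {q}, answer in frame {r}: google.com -> {', '.join(addrs)}")
```

A "set" in the reply's sense is one query paired with its response; pairing by DNS transaction id rather than by adjacency matters on a real capture, where the background traffic the reply mentions can land between the two frames. The same selection on the wire, without that noise, is a capture filter such as `tcpdump -i any 'udp port 53 or icmp' -w ping_traceroute.pcap`.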

Well, this is my filtered output:

Now how do I go about picking sets?