Thanks all, seems like there was some issue with that pcap. I captured again in a new pcap and I got the required name resolution.
Hey, can anyone tell me how to get the packet number? Is it the leftmost column in Wireshark?
I wrote all the dns captures in a pcap file and opened it in wireshark.
Yes @srinjoy, it is.
Could you please specify which port should be captured? Because when I capture on 8081, nothing is captured.
Standard query response No such name SOA ns1.google.com
Am I doing something wrong?
You have to find the IP where google.com is changed.
Hint: it starts with 172.
Meaning? The IP is changed? I really don't understand what you are telling me.
Where the name google.com is changed; you will find it in the last column of Wireshark.
Every site has an IP address and DNS … Just google it … You will get an idea.
Found it. Thanks!! I am getting those types of responses only twice or thrice in my entire .pcap file. Is it fine or should I do something?
Next time, do a Google search please.
Haha, it just resolves one time for each server … You can search for how DNS works if you have any confusion.
The reason we filter on port 8081 is because our QBox server runs on that port. But this milestone deals only with ping and traceroute, both of which have no relation to QBox.
Still, the idea remains the same. Filter for packets (either allow ports or block ports).
Now, check if both ping and traceroute use any particular port number for communication.
If yes, you can filter for only those ports using tcpdump, like you did with 8081.
If not, the best we can do is to not capture any packets other than what's required (hint: it's not necessary that every packet is addressed to some port). For hints on this, see here.
Let me know if it helped
Well, I used the following command to find the ports:
sudo lsof -i -P -n | grep LISTEN
But this gave only TCP ports, and also I couldn't find any Google IP in the .pcap file.
It will be DNS, and start tcpdump before you start ping.
See what protocol is used to resolve hostnames. Now, check the port number it uses.
You can filter packets in Wireshark using this port number to see packets that belong to that protocol.
Now, peek through the Info column in Wireshark for these packets. You will be able to find packet(s) with google.com in it. Choose a SET of those packets.
I could only find port 8080. I think I'm doing it wrong. When I tried with ports 8081, 8082, 8083, tcpdump gave no response.
This is how I started:
- I started the ping google.com
- Then I ran: tcpdump port 8080 -w ping_traceroute.pcap
- Then I started traceroute google.com
The above just gave me TCP packets.
That’s because you filtered for port 8080.
Do one thing: just print tcpdump (w/o filters) on your terminal w/o running ping or the QBox server or anything.
Are there any packets displayed? If so, these are from some background processes we don't care about. Check which port numbers occupy a fair share of these requests (one or two most frequent).
Now, to reduce the file size of the pcap when you are capturing packets while running ping, you can use a filter on tcpdump to not catch packets for the above-mentioned ports the background processes are using.
This way you'll get a smaller pcap file.
Open Wireshark and use a Wireshark display filter (please check on Google what this is if you don't know) to display only packets on the port number of the protocol that resolves the hostname (google.com) to some IP address (let's say 220.127.116.11).
You might be able to see multiple such packet sets. Get the packet numbers of one of these sets. You’ll be good to go with this.
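The procedure in the last two replies (capture the name-resolution traffic, filter it down to the resolver port, then read the frame numbers where google.com turns into an IP address in the Info column) can be reproduced offline. The following is an added example written for this page; it is not code from the thread or from the QBox project. It constructs a tiny pcap in memory (one background TCP frame on port 8080 as the kind of noise to exclude, a DNS query and response for google.com, and a second query that gets a "No such name" NXDOMAIN reply like the one quoted above), then walks it the way the Wireshark display filter udp.port == 53 would, decoding the A record and returning the frame number and resolved address. The hostnames, the 172.217.0.46 answer, the 10.0.0.x addresses and the port numbers are all made up for the sample; IP/UDP/TCP checksums are left at zero because nothing here validates them.

```python
import struct


def labels(name):
    """Encode "google.com" as DNS wire-format labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def dns_message(txid, qname, response=False, rcode=0, answer_ip=None):
    """Build a DNS query or response for an A record (constructed sample data)."""
    flags = (0x8180 if response else 0x0100) | rcode
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += labels(qname) + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    if answer_ip:                                              # name = pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in answer_ip.split("."))
    return msg


def frame(sport, dport, payload, proto=17):
    """Wrap payload in Ethernet/IPv4/UDP (proto 17) or TCP (proto 6); checksums zero."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 0, 0, 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def pcap(frames):
    """Serialise frames as a classic pcap file image (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    parts, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                        # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        parts.append(msg[off:off + n].decode())
        off += n
    return ".".join(parts), (end if end is not None else off)


def dns_resolutions(pcap_bytes, wanted):
    """Walk a pcap like the Wireshark display filter udp.port == 53 && dns.qry.name contains
    wanted; return [(frame_number, result)] where result is the A record or 'NXDOMAIN'."""
    results, off, num = [], 24, 0
    while off < len(pcap_bytes):
        caplen = struct.unpack("<I", pcap_bytes[off + 8:off + 12])[0]
        data = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        num += 1                                    # Wireshark numbers frames from 1
        if data[12:14] != b"\x08\x00" or data[23] != 17:
            continue                                # not IPv4/UDP: background noise
        ihl = (data[14] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", data[14 + ihl:14 + ihl + 4])
        if 53 not in (sport, dport):
            continue                                # not the resolver port
        msg = data[14 + ihl + 8:]
        flags, _qd, ancount = struct.unpack("!HHH", msg[2:8])
        qname, p = parse_name(msg, 12)
        p += 4                                      # skip QTYPE/QCLASS
        if wanted not in qname or not (flags & 0x8000):
            continue                                # only responses for the wanted name
        if (flags & 0x000F) == 3:
            results.append((num, "NXDOMAIN"))       # shown as "No such name" in Info
            continue
        for _ in range(ancount):
            _, p = parse_name(msg, p)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[p:p + 10])
            p += 10
            if rtype == 1:                          # A record: the name "changed" into an IP
                results.append((num, ".".join(str(b) for b in msg[p:p + 4])))
            p += rdlen
    return results


# Constructed sample capture: background traffic on 8080, then two lookups.
SAMPLE = pcap([
    frame(51000, 8080, b"GET / HTTP/1.1\r\n", proto=6),
    frame(40000, 53, dns_message(0x1234, "google.com")),
    frame(53, 40000, dns_message(0x1234, "google.com", response=True, answer_ip="172.217.0.46")),
    frame(40000, 53, dns_message(0x1235, "nosuch.google.com")),
    frame(53, 40000, dns_message(0x1235, "nosuch.google.com", response=True, rcode=3)),
])

if __name__ == "__main__":
    for n, r in dns_resolutions(SAMPLE, "google.com"):
        print(f"frame {n}: {r}")                    # frame 3: 172.217.0.46, frame 5: NXDOMAIN
```

Frame 1 is dropped by the protocol check (TCP, not UDP) before any port filter is applied, which is the same effect as excluding the busy background port on tcpdump; frames 2 and 4 are queries and are skipped because the QR bit is clear, so only the two responses come back, numbered the way Wireshark would number them. Against a real capture you would get the same picture from the display filter dns and the Info column, and the frame numbers you note down are the "set" the reply above asks for.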