How to identify packet number where IP gets resolved

Haha, it just resolves one time for each server… You can search for how DNS works if you have any confusion.

1 Like

@SatyamSinghNiranjan

  • The reason we filter on port 8081 is because our QBox server runs on that port. But this milestone deals with only ping and traceroute, both of which have no relation to QBox.

  • Still, the idea remains the same. Filter for packets (either allow ports or block ports).

  • Now, check if both ping and traceroute use any particular port number for communication.

  • If yes, you can filter for only those ports using tcpdump like you did with 8081.

  • If not, the best we can do is to not capture any packets other than what’s required (hint: not every packet is necessarily addressed to some port). For hints on this, see here.

Let me know if it helped :slight_smile:

1 Like

Well, I used the following command to find the ports:

sudo lsof -i -P -n | grep LISTEN
But this gave only TCP ports, and also I couldn’t find any Google IP in the .pcap file.

It will be DNS, and start tcpdump before you start ping.

@SatyamSinghNiranjan

  • See what protocol is used to resolve hostnames. Now, check the port number it uses.

  • You can filter packets in Wireshark using this port number to see packets that belong to that protocol.

  • Now, peek through the Info column in Wireshark for these packets. You will be able to find packet(s) with google.com in it. Choose a SET of those packets.

1 Like

I could only find the port 8080. I think I’m doing it wrong. When I tried with ports 8081, 8082, 8083, tcpdump gave no response.

This is how I started:

  1. I started the ping google.com
  2. Then I ran: tcpdump port 8080 -w ping_traceroute.pcap
  3. Then I started traceroute google.com

The above just gave me TCP packets.

That’s because you filtered for port 8080.

  • Do one thing: just print tcpdump output (w/o filters) on your terminal w/o running ping or the QBox server or anything.

  • Are there any packets displayed? If so, these are from some background processes we don’t care about. Check which port numbers occupy a fair share of these requests (one or two most frequent).

  • Now, to reduce the file size of the pcap when you are capturing packets while running ping, you can use a filter on tcpdump to not catch packets for the above-mentioned ports the background processes are using.

  • This way you’ll get a smaller size pcap file.

  • Open Wireshark and use a Wireshark display filter (please check on Google what this is if you don’t know) to display only packets of the port number of the protocol that resolves the hostname (google.com) to some IP address (let’s say 172.160.160.160).

  • You might be able to see multiple such packet sets. Get the packet numbers of one of these sets. You’ll be good to go with this. :slight_smile:

1 Like

Well, this is my filtered output:


Now how do I go about picking sets?

You don’t want to filter with the IP addresses. Just filter for the port number used by the protocol that resolves a domain name to an IP (google for the port).

I didn’t understand this…

  • In Wireshark, don’t give the display filters like ip.src.

  • Remove those and hit enter to see all the packets in the pcap file.

  • Then, look in the Protocol column. Which protocol is used to resolve domain names?


I found this. What is the packet no.?

To find the packets where the IP has been resolved, do DNS filtering like this: dns.qry.name == "google.com". Please close the thread if it works for you, so that others can take advantage of it instead of keeping on asking the same question. Thank you.
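As an added example (not code from anyone in this thread), here is what the capture-then-filter steps above and the dns.qry.name display filter do, carried out by hand in Python over a constructed capture: keep only packets on the DNS port, parse each DNS message, and report the packet numbers whose response carries an A record for google.com. The packet tuples, port numbers and the 172.160.160.160 answer are constructed sample data, not a real capture.

```python
import struct

def read_name(buf, off):
    # Decode a DNS name at off, following compression pointers (RFC 1035 4.1.4)
    labels, end = [], None
    while (n := buf[off]) != 0:
        if n & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier copy
            end = end or off + 2
            off = ((n & 0x3F) << 8) | buf[off + 1]
        else:
            labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels), (end or off + 1)

def resolving_packets(packets, qname, dns_port=53):
    # Map packet number -> A-record IPs for DNS responses answering qname
    hits = {}
    for no, sport, dport, payload in packets:
        if dns_port not in (sport, dport):        # drop non-DNS traffic, like a port filter
            continue
        flags, _qd, an = struct.unpack("!HHH", payload[2:8])
        name, off = read_name(payload, 12)        # question section follows the 12-byte header
        off += 4                                  # skip QTYPE + QCLASS
        if name.lower() != qname.lower() or not flags & 0x8000:
            continue                              # other name, or a query rather than a response
        ips = []
        for _ in range(an):
            _, off = read_name(payload, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:         # A record carries an IPv4 address
                ips.append(".".join(str(b) for b in payload[off:off + 4]))
            off += rdlen
        if ips:
            hits[no] = ips
    return hits

def build_dns(name, txid, ip=None):
    # Constructed test packet: a query for name, or the matching response when ip is given
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00\x00\x01\x00\x01"
    if ip is None:
        return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + q
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + q + rr

SAMPLE = [  # constructed capture: (packet no, src port, dst port, UDP payload)
    (1, 43210, 8080, b"GET / HTTP/1.1\r\n"),                            # background noise
    (2, 51000, 53, build_dns("google.com", 0x1A2B)),                     # query
    (3, 53, 51000, build_dns("google.com", 0x1A2B, "172.160.160.160")),  # answer
    (4, 51001, 53, build_dns("example.net", 0x1A2C)),                    # unrelated query
]
```

Calling resolving_packets(SAMPLE, "google.com") returns {3: ['172.160.160.160']}, i.e. packet 3 is the one where the name got resolved; on a real capture you would build the tuples from the pcap's UDP packets in order.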

@jayanta

Thanks for that Wireshark display filter, I didn’t know that :slight_smile: Handy one I should say.

1 Like

What type of tcpdump filters have you applied to filter out DNS output? In my output I was getting ICMP and UDP protocol.