Haha, it just resolves one time for each server… You can search for how DNS works if you have any confusion.
The reason we filter on port 8081 is because our QBox server runs on that port. But this milestone deals with only ping and traceroute, both of which have no relation to QBox.
Still, the idea remains the same. Filter for packets (either allow ports or block ports).
Now, check if both ping and traceroute use any particular port number for communication.
If yes, you can filter for only those ports using tcpdump like you did with 8081.
If not, the best we can do is to not capture any other packets other than what's required (hint: it's not necessary that every packet is addressed to some port). For hints on this, see here
Let me know if it helped.
Well, I used the following command to find the ports:
sudo lsof -i -P -n | grep LISTEN
But this gave only TCP ports, and also I couldn't find any Google IP in the .pcap file.
It will be DNS, and start tcpdump before you start ping.
See what protocol is used to resolve hostnames. Now, check the port number it uses.
You can filter packets in Wireshark using this port number to see packets that belong to that protocol.
Now, peek through the Info column in Wireshark for these packets. You will be able to find packet(s) with google.com in it. Choose a SET of those packets.
I could only find the port 8080. I think I'm doing it wrong. When I tried with ports 8081, 8082, 8083, tcpdump gave no response.
This is how I started:
- I started the ping google.com
- Then I ran: tcpdump port 8080 -w ping_traceroute.pcap
- Then I started traceroute google.com
The above just gave me TCP packets.
That’s because you filtered for port 8080.
Do one thing, just print tcpdump (w/o filters) on your terminal w/o running ping or QBox server or anything.
Are there any packets displayed? If so, these are from some background processes we don't care about. Check which port numbers occupy a fair share of these requests (one or two most frequent).
Now, to reduce the file size of the pcap when you are capturing packets while running ping, you can use a filter on tcpdump to not catch packets for the above-mentioned ports the background processes are using.
This way you'll get a smaller pcap file.
Open Wireshark and use a Wireshark display filter (please check on Google what this is if you don't know) to display only packets of the port number of the protocol that resolves the hostname (google.com) to some IP address (let's say 184.108.40.206).
You might be able to see multiple such packet sets. Get the packet numbers of one of these sets. You'll be good to go with this.
You don't want to filter with the IP addresses. Just filter for the port number used by the protocol that resolves a domain name to an IP (Google for the port).
I didn’t understand this…
In Wireshark, don't give display filters like ip.src.
Remove those and hit enter to see all the packets in the pcap file.
Then, look in the Protocol column. Which protocol is used to resolve domain names?
To find the packets where the IP has been resolved, do DNS filtering like this: dns.qry.name == "google.com". Please close the thread if it works for you, so that others can take advantage of it instead of asking the same question. Thank you.
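As an added illustration (not from any post in this thread), a small Python parser that does offline what the dns.qry.name == "google.com" display filter does in Wireshark: it decodes the DNS message carried in the UDP payload and reports the queried name and the resolved A records. The sample response bytes are constructed by hand here, and the 184.108.40.206 address is just the example IP used above.

```python
import socket
import struct

# Constructed sample (not a real capture): a DNS response to an A query for
# google.com with one answer. In a pcap this is the UDP payload on port 53.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234"                          # transaction ID
    "8180"                          # flags: QR=1 (response), RD=1, RA=1
    "0001" "0001" "0000" "0000"     # QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    "06676f6f676c6503636f6d00"      # question name: 6 "google" 3 "com" 0
    "0001" "0001"                   # QTYPE=A, QCLASS=IN
    "c00c"                          # answer name: compression pointer to offset 12
    "0001" "0001"                   # TYPE=A, CLASS=IN
    "0000012c"                      # TTL=300
    "0004"                          # RDLENGTH=4
    "b86c28ce"                      # RDATA: 184.108.40.206 (example IP from the thread)
)

def read_name(msg, offset, max_hops=16):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted_name, offset_just_after_the_name_in_the_current_record)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # 2-byte pointer to an earlier name
            hops += 1
            if hops > max_hops:                 # guard against pointer loops
                raise ValueError("too many compression pointers")
            if not jumped:
                end = offset + 2                # record continues after the pointer
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:                         # root label terminates the name
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)

def parse_dns(msg):
    """Return query names and A-record answers, like Wireshark's dns.qry.name / dns.a."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, names, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        offset += 4                             # skip QTYPE and QCLASS
        names.append(name)
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:           # A record: 4-byte IPv4 address
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qry_names": names, "a_records": answers}

def matches_qry_name(msg, wanted):
    """Equivalent of the display filter dns.qry.name == wanted for one message."""
    return wanted in parse_dns(msg)["qry_names"]
```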
Thanks for that Wireshark display filter, I didn't know that. Handy one, I should say.
What type of tcpdump filters have you applied to filter out DNS output? In my output I was getting ICMP and UDP protocol.