This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

DNS responses

1

Ok, a simple question here. I'm trying to trace DNS traffic. I've enable port spanning to watch traffic. I use DNS as the filter. I see all the DNS queries going to my DNS but I see no responses, and I know it gets a response because it resolves. Am I missing a setting somewhere?

Some more info.

I am Spaning from port 15 cisco 4948( where the server is connected to the switch) to port 13 ( where my laptop with wireshark is connected) The server only has one NIC. I can see traffic of diffrent types leaving and entering the server.

in regards to span

Encapsulation : Native Ingress : Disabled Learning : Disabled Filter Pkt Type : RX Only : Good

I did try it on a diffrent switch with no show filter type so I assume it is set to both.

I tried the requested (vlan and dns) filter with no change

Thanks

asked 13 Dec '10, 13:10

tubamaphoner's gravatar image

tubamaphoner
16113
accept rate: 0%

edited 14 Dec '10, 08:58

Where are you spanning? Although the default for cisco switches is to span TX/RX, it's possible that someone set it up to be RX only.

Or it's possible that your server is using a teaming adapter (Etherchannel or LACP bundles) and you are watching only one adapter.

Finally, it's possible that your server has two NICs and the return traffic is coming in via the other NIC.

(13 Dec '10, 14:14) hansangb

... or could it be that the request is not vlan tagged and the response is vlan tagged? Could you try the filter "dns or (vlan and dns)"?

(14 Dec '10, 01:27) SYN-bit ♦♦

@SYNbit: I don't have a trace to check this, but I wonder if you would really need to add "vlan and dns" if you're already filtering on dns. As far as my experience goes Wireshark tries to find matches (I would call it greedy), so an additional VLAN tag would not exclude a DNS packet IMHO because it is still a DNS packet. Or am I mistaken?

(14 Dec '10, 09:26) Jasper ♦♦

"but I wonder if you would really need to add "vlan and dns" if you're already filtering on dns"

In a capture filter, yes, you do. That's libpcap/WinPcap, not Wireshark, doing the filtering, and it requires the "vlan and" to find VLAN-encapsulated DNS packets.

In a display filter, no, you don't.

(18 Dec '10, 18:35) Guy Harris ♦♦

One Answer:

0

"I can see traffic of different types leaving and entering the server." Then the span and the capture is correctly set up.

You say "it resolves" : then another machine (or local file) did it. Try to figure out the source of it

on a windows client : nslookup (ENTER and check the default server)

on a linux client : dig (ENTER and check for the line begining with ";; SERVER:")

answered 17 Dec '10, 09:10

frame's gravatar image

frame
162
accept rate: 0%

edited 17 Dec '10, 09:16

Wait...can you type "show span" or "show monitor" and post the output?

(20 Dec '10, 19:04) hansangb