This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Streams and their DNS counterpart…

0

Alright guys, I have multiple clarification questions on DNS connections and TCP Streams...

  1. Does every DNS Query and Response have a corresponding TCP Stream?
  2. Does every TCP Stream have a correspodning DNS Query and Response? (I imagine one of these has to be independent).
  3. If one of the above isn't true - when do they and when don't they?
  4. Is it possible in tshark to know which DNS Query and Response goes to which TCP Stream (as in is it possible to set a field for it "tshark -r infile -T Fields -e blah blah" and see their relationship)?
  5. Im writing a script that measures time from when button is pressed, which posts a message, to when the post is finshed uploading. Would the most accurate way be from the DNS query to the TCP ACK, or would it just be from TCP SYN to TCP ACK? (I suppose this assums that DNS Connections and TCP connections are related).
  6. Lastly, is there anything I am missing? (if you know something that is really interesting or useful that is related to this topic - you should pretend like I asked a question here that would solicit your answer : p )

Thanks guys, Im excited to finally understand some of these concepts.

//Z

asked 31 Mar '14, 17:59

Nefarii's gravatar image

Nefarii
31449
accept rate: 100%

edited 31 Mar '14, 18:01

One Answer:

3

Does every DNS Query and Response have a corresponding TCP Stream?

No. A DNS query might result from an attempt to look up a host to which to send UDP packets, for example. DNS queries can be used for other purposes, such as translating an IP address to a host name. And looking up an IP address for a host might require more than one DNS query, e.g. "example.com" might require that a DNS server for ".com" be looked up, and then that "example.com" might be looked up on that server.

Does every TCP Stream have a correspodning DNS Query and Response?

No. Somebody might try to connect to a host with a known IP address, or might be getting the IP address for the host from a file, or might be using some other protocol, such as NIS, to look up the IP address for the host. Or the host might already have a cached copy of a previous lookup of a host name.

If one of the above isn't true - when do they and when don't they?

Neither is true. See above.

Is it possible in tshark to know which DNS Query and Response goes to which TCP Stream

Given that not all DNS query/response pairs correspond to a TCP stream (and not all TCP streams have a DNS query/response associated with them), no. At best, you can try to find a DNS query/response pair that returned an IP address used in a later TCP stream.

Im writing a script that measures time from when button is pressed, which posts a message, to when the post is finshed uploading. Would the most accurate way be from the DNS query to the TCP ACK, or would it just be from TCP SYN to TCP ACK?

What if it takes 10 seconds (on a slow machine) between the time when the button is pressed and when a DNS query is sent out, if necessary, to find the IP address of the host to which to upload the post? In that case, you can't use any packet sniffer find out the time between the button is pressed and when the post finishes being uploaded, because the first 10 seconds don't necessarily correspond to network traffic - they might be due to the code to handle the button push being paged out and having to be paged in from disk, or due to a lot of CPU time being spent to get to the host name lookup, or something such as that.

answered 31 Mar '14, 19:32

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Thanks for the answers, a few follow up questions though - 1.) If there is an android application that posts something onto facebook (update or picture), would there most likely be a DNS connection before the TCP connection? 2.) Relating to question 6, would it be best then to just take the Round Trip TCP connection time to determine how long it took for an item to post?

(31 Mar '14, 19:51) Nefarii
1

If there is an android application that posts something onto facebook (update or picture), would there most likely be a DNS connection before the TCP connection?

If they've already been accessing Facebook, the machine probably has an IP address corresponding to www.facebook.com, so there's a good chance that there would not be a DNS query/response.

Relating to question 6, would it be best then to just take the Round Trip TCP connection time to determine how long it took for an item to post?

That depends on what you mean by "how long it took for an item to post". If you're only looking at network delays, the best way to do it is to:

  • if there is a DNS lookup for a Facebook domain name, use the DNS query as the starting time, otherwise use the first TCP packet to the Facebook server as the starting time;
  • use the time of the last TCP segment of the posted item as the ending time.

However, that doesn't say how long it took the server to do the post, so you'd need to look for the first segment of the response to the POST request to get that.

You'd also have to worry about, for example, the Facebook app or browser periodically polling the server to update lists of how many friends were online, etc., etc..

Note that there wouldn't necessarily be a new connection established for the POST, either.

(31 Mar '14, 19:58) Guy Harris ♦♦