Hi, I have a bunch of Apple devices, printer etc. in my home that all support Bonjour. The mDNS Watcher app can find all of them. But when I capture with Wireshark, I don’t see any of them. I followed this thread & applied the display filter ‘dns and udp.port eq 5353’ but I don’t see anything. Is there any other way I can look at mDNS packets?

asked 07 Jul '14, 22:23 lilyhack
2 Answers:
Your display filter is correct. Maybe there simply weren't any mDNS packets during the period that you captured traffic. mDNS responses are cached, so it isn't necessary for a network device to issue an mDNS query every time it wants to communicate with another device. Try power-cycling one of the Apple devices while you're capturing with Wireshark. You should be able to see mDNS startup probes and service announcements per Section 8 of RFC 6762.

answered 08 Jul '14, 00:15 Jim Aragon
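Added example (not part of the original answers): a Python script that sends one DNS-SD service-enumeration query so there is mDNS traffic to see while Wireshark is capturing, and labels each payload as query, probe or response from its DNS header. The function names, the 3-second listen window and the choice of `_services._dns-sd._udp.local` as the query name are assumptions of this example.

```python
import socket
import struct
import time

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353  # IPv4 mDNS group and port (RFC 6762)

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name="_services._dns-sd._udp.local", qtype=12):
    """One-question query: ID and flags zero, QTYPE 12 = PTR, QCLASS 1 = IN."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, 1)

def classify(payload):
    """Label a UDP/5353 payload using only the 12-byte DNS header."""
    if len(payload) < 12:
        return "truncated"
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:      # QR=1: answers to queries and unsolicited announcements
        return "response"
    if qd and ns:           # query carrying proposed records in the Authority section
        return "probe"      # startup probe, RFC 6762 section 8.1
    return "query"

def trigger_and_listen(timeout=3.0):
    """Send the query to the mDNS group and collect replies until the deadline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.sendto(build_query(), (MDNS_GROUP, MDNS_PORT))
    deadline, seen = time.monotonic() + timeout, []
    try:
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            data, addr = sock.recvfrom(9000)
            seen.append((addr[0], classify(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen

if __name__ == "__main__":
    for src, kind in trigger_and_listen():
        print(src, kind)
```

Run it while the capture is active: the query goes to UDP port 5353 and replies come from UDP port 5353, so both match the display filter from the question. Because the query leaves from an ephemeral source port, responders reply by unicast to that port rather than to the multicast group.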
If you apply that filter on the following sample capture file, do you see any frames?
If you see no matching frames, there is something wrong with your Wireshark configuration, maybe some dissectors disabled, or another protocol on port 5353 was set to 'decode as'. If you see matching frames, there was either no mDNS traffic while you were capturing or there is something wrong with your capture setup. So, here are some questions:
Regards

answered 08 Jul '14, 07:33 Kurt Knochner ♦
@Kurt-Knochner, Yes, I see mDNS packets with your capture. And it seems my Windows firewall blocked the port 5353. After disabling the firewall, I see mDNS packets generated by my devices.
good.