This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing mDNS packet

0

Hi, I have a bunch of Apple devices, printer etc. in my home that all support Bonjour. The mDNS Watcher app can find all of them. But when I capture with Wireshark, I don’t see any of them.

I followed this thread & applied the display filter ‘dns and udp.port eq 5353’ but I don’t see anything.

Is there any other way I can look at mDNS packets?

asked 07 Jul '14, 22:23


lilyhack
accept rate: 0%


2 Answers:

0

Your display filter is correct. Maybe there simply weren't any mDNS packets during the period that you captured traffic. mDNS responses are cached, so it isn't necessary for a network device to issue an mDNS query every time it wants to communicate with another device.

Try power-cycling one of the Apple devices while you're capturing with Wireshark. You should be able to see mDNS startup probes and service announcements per Section 8 of RFC 6762.

answered 08 Jul '14, 00:15


Jim Aragon
accept rate: 24%
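An added example, not part of the original answers: a small Python parser that tells the startup probes mentioned above apart from ordinary queries and responses in a UDP/5353 payload. It assumes the RFC 6762 Section 8 behaviour (a probe is a query of type ANY that carries the proposed records in the Authority section; an announcement is a response carrying answer records); the function names and the sample payloads are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode a DNS name at msg[off:]; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                      # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length

def classify_mdns(payload):
    """Return (kind, [(qname, qtype)], [record names]) for one UDP/5353 payload."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(payload, off)
        qtype, _qclass = struct.unpack("!2H", payload[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = read_name(payload, off)
        _t, _c, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10 + rdlen                      # skip RDATA
        records.append(name)
    if flags & 0x8000:                         # QR bit set
        kind = "response"
    elif ns and questions and all(t == 255 for _, t in questions):
        kind = "probe"                         # ANY question + proposed records
    else:
        kind = "query"
    return kind, questions, records

# Constructed sample payloads (not taken from a real capture).
HOST = b"\x07printer\x05local\x00"
A_RDATA = bytes([192, 168, 1, 50])
SAMPLE_PROBE = (struct.pack("!6H", 0, 0, 1, 0, 1, 0) + HOST + struct.pack("!2H", 255, 0x8001)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 120, 4) + A_RDATA)
SAMPLE_ANNOUNCE = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + HOST
                   + struct.pack("!HHIH", 1, 0x8001, 120, 4) + A_RDATA)
```

Truncated payloads raise `struct.error` or `IndexError`, so wrap the call when feeding it arbitrary captured bytes.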

0

dns and udp.port eq 5353

If you apply that filter on the following sample capture file, do you see any frames?

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=mDNS1.zip

If you see no matching frames, there is something wrong with your Wireshark configuration, maybe some dissectors disabled, or another protocol on port 5353 was set to 'decode as'.

If you see matching frames, there was either no mDNS traffic while you were capturing or there is something wrong with your capture setup.

So, here are some questions:

  • Where/how did you capture (Ethernet/wireless)?
  • Did you use any capture filters?
  • Are there VLANs involved?
  • What is your OS and OS version?
  • What is your Wireshark version?

Regards
Kurt

answered 08 Jul '14, 07:33


Kurt Knochner ♦
accept rate: 15%

@Kurt-Knochner, yes, I see mDNS packets with your capture. And it seems my Windows firewall blocked port 5353. After disabling the firewall, I see mDNS packets generated by my devices.

(08 Jul '14, 09:44) lilyhack

After disabling the firewall, I see mDNS packets generated by my devices.

good.

(08 Jul '14, 11:35) Kurt Knochner ♦