
I suspect a spam bot in the network. I captured SMTP traffic but could not find the payload, just a reset from the external malicious IP address.

I now want to check whether it is querying DNS for a suspicious IP address so that I can get the hostname.

Please advise whether Wireshark can be set up to capture DNS traffic with an MX query for a specific IP in the traffic to the DNS server.

asked 29 Nov '14, 12:42


Shadyguy


Your question is unclear. If you already have the suspicious IP address and you want the associated host name, go here to do a reverse DNS lookup. Enter the IP address in the input box and click "Lookup." Note that reverse lookups (IP address to host name) do not always succeed.

An MX lookup is done on a domain name, not an IP address, and it usually returns one or more host names, not IP addresses.


answered 29 Nov '14, 18:48


Jim Aragon

It does not give any results when doing a reverse lookup.

dnsqueries.com and VirusTotal show that there are several thousand IP neighbours or domains hosted on the same IP address.

I do not know which name the client is trying to query, and hence I need to find that out.

But back to my question: I have a bad IP, e.g. 200.X.X.X. Can I set up Wireshark to detect any MX queries for domains for that IP address 200.X.X.X on the email relay server?

(30 Nov '14, 07:35) Shadyguy

mx queries for domains for that IP address 200.X.X.X on email relay server

No, you can't detect MX queries (DNS traffic) on your mail server, unless that server is either your main internet router or also your DNS server and/or resolver.

(01 Dec '14, 17:01) Kurt Knochner ♦

question asked: 29 Nov '14, 12:42

question was seen: 2,822 times

last updated: 01 Dec '14, 17:01
