This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can Wireshark be used to detect MX queries for a specific IP address in traffic to a DNS server?

0

I suspect a spam bot in the network and I had captured SMTP traffic, but could not find a payload, just a reset from the external malicious IP address.

I now want to check if it is querying the DNS for a suspicious IP address so that I can get the hostname.

Please advise if Wireshark can be set up to capture DNS traffic with an MX query for a specific IP in traffic to the DNS server?

asked 29 Nov '14, 12:42


Shadyguy
11112
accept rate: 0%


One Answer:

0

Your question is unclear. If you already have the suspicious IP address and you want the associated host name, go here to do a reverse DNS lookup. Enter the IP address in the input box and click "Lookup." Note that reverse lookups (IP address to host name) do not always succeed.

An MX lookup is done on a domain name, not an IP address, and it usually returns one or more host names, not IP addresses.

answered 29 Nov '14, 18:48


Jim Aragon
7.2k733118
accept rate: 24%

It does not give any results when doing a reverse lookup.

dnsqueries.com and VirusTotal show that there are several thousand IP neighbours or domains hosted on the same IP address.

I do not know which name the client is trying to query and hence I need to find that out.

So, but back to my question. I have a bad IP, e.g. 200.X.X.X; can I set up Wireshark to detect any MX queries for domains for that IP address 200.X.X.X on the email relay server?

(30 Nov '14, 07:35) Shadyguy

mx queries for domains for that IP address 200.X.X.X on email relay server

No, you can't detect MX queries (DNS traffic) on your mail server, unless that server is either your main internet router or also your DNS server and/or resolver.

(01 Dec '14, 17:01) Kurt Knochner ♦
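Putting the answer and the last comment together (capture DNS at the resolver, pick out the MX queries, then see which of the returned mail exchanger names resolve to the suspect address), here is an added Python example that is not part of the original thread. It parses raw DNS messages (header, question, A and MX answers, including name compression) and reports the domains whose MX exchangers resolved to a given IP. The traffic, domain names and addresses are constructed sample data, not from the thread; the helper names are my own.

```python
"""Correlate MX lookups with the address they ultimately resolve to (added example)."""
import struct

QTYPE_A = 1
QTYPE_MX = 15


def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_dns(msg):
    """Parse header, question and answer sections of one DNS message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rd = off
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in msg[rd:rd + 4])
        elif rtype == QTYPE_MX:  # preference followed by the exchanger name
            rdata = (struct.unpack_from("!H", msg, rd)[0], read_name(msg, rd + 2)[0])
        else:
            rdata = msg[rd:rd + rdlen]
        answers.append((name, rtype, rdata))
    return {"id": ident, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def correlate(messages, suspect_ip):
    """Map each domain whose MX answer named an exchanger that later resolved to suspect_ip."""
    domains_by_exchanger, hits = {}, {}
    for raw in messages:
        parsed = parse_dns(raw)
        for name, rtype, rdata in parsed["answers"]:
            if rtype == QTYPE_MX:
                domains_by_exchanger.setdefault(rdata[1], set()).add(name)
            elif rtype == QTYPE_A and rdata == suspect_ip:
                for domain in domains_by_exchanger.get(name, ()):
                    hits.setdefault(domain, set()).add(name)
    return hits


# --- constructed sample traffic (client <-> resolver), not a real capture ---
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(ident, name, qtype):
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(ident, name, qtype, rrs):
    """rrs: list of (rtype, rdata bytes); owner name is a pointer (0xC00C) to the question name."""
    msg = struct.pack("!HHHHHH", ident, 0x8180, 1, len(rrs), 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in rrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


SAMPLE_TRAFFIC = [
    build_query(0x1001, "example.net", QTYPE_MX),
    build_response(0x1001, "example.net", QTYPE_MX, [(QTYPE_MX, struct.pack("!H", 10) + encode_name("mail.example.net"))]),
    build_query(0x1002, "mail.example.net", QTYPE_A),
    build_response(0x1002, "mail.example.net", QTYPE_A, [(QTYPE_A, bytes([203, 0, 113, 45]))]),
    build_query(0x1003, "example.org", QTYPE_MX),
    build_response(0x1003, "example.org", QTYPE_MX, [(QTYPE_MX, struct.pack("!H", 5) + encode_name("mx.example.org"))]),
    build_query(0x1004, "mx.example.org", QTYPE_A),
    build_response(0x1004, "mx.example.org", QTYPE_A, [(QTYPE_A, bytes([198, 51, 100, 7]))]),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_TRAFFIC, "203.0.113.45"))  # → {'example.net': {'mail.example.net'}}
```

The same selection can be done in Wireshark on a capture taken at the resolver with the display filter `dns.qry.type == 15` for the MX queries; the script above only adds the second step, tying the exchanger names in those answers to the A records that follow, which is what gives you the domain name the client was actually after.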