This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

queries and answers of mDNS are in the same frame

0

I use dns-sd -B _services._dns-sd._udp on my Mac to query dns-sd services in my home network. It does reply, but when I inspect it in Wireshark, it shows like this:

Frame 1: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface 0
Ethernet II, Src: Apple_ef:11:4b (7c:d1:c3:ef:11:4b), Dst: IPv4mcast_fb (01:00:5e:00:00:fb)
Internet Protocol Version 4, Src: 10.109.201.113, Dst: 224.0.0.251
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Multicast Domain Name System (query)
    Transaction ID: 0x0000
    Flags: 0x0000 Standard query
    Questions: 1
    Answer RRs: 2
    Authority RRs: 0
    Additional RRs: 0
    Queries
        _services._dns-sd._udp.local: type PTR, class IN, "QU" question
    Answers
        _services._dns-sd._udp.local: type PTR, class IN, _http._tcp.local
            Name: _services._dns-sd._udp.local
            Type: PTR (domain name PoinTeR) (12)
            .000 0000 0000 0001 = Class: IN (0x0001)
            0... .... .... .... = Cache flush: False
            Time to live: 3595
            Data length: 13
            Domain Name: _http._tcp.local
        _services._dns-sd._udp.local: type PTR, class IN, _apple-mobdev2._tcp.local
            Name: _services._dns-sd._udp.local
            Type: PTR (domain name PoinTeR) (12)
            .000 0000 0000 0001 = Class: IN (0x0001)
            0... .... .... .... = Cache flush: False
            Time to live: 4157
            Data length: 17
            Domain Name: _apple-mobdev2._tcp.local

The query and answers are in the same frame, so the source and destination of the query packet and the answer packet are the same. My understanding is that the query is from my computer to the multicast address (224.0.0.251) and the answer is in reverse. Is that correct?

asked 06 Mar '17, 18:21


jfly
accept rate: 0%

edited 06 Mar '17, 18:42


One Answer:

2

I believe it is part of the "Known Answer Suppression" mechanism of mDNS.

See section 7.1 of RFC 6762 for further explanation. [link]

answered 06 Mar '17, 21:28


Rooster_50
accept rate: 15%
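
The known-answer case the answer points to, as an added example (not part of the original thread and not Wireshark's code): a small Python parser that reads one mDNS message and labels it a query with known answers when the QR bit is clear but the answer section is non-empty, as RFC 6762 section 7.1 describes. The sample bytes are constructed to mirror the frame in the question, and the function names are illustrative.

```python
import struct

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off, depth=0):
    """Decode the name at off, following compression pointers: (name, next_off)."""
    labels = []
    while msg[off]:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if depth > 10:
                raise ValueError("compression pointer loop")
            ptr = ((n & 0x3F) << 8) | msg[off + 1]
            labels.append(read_name(msg, ptr, depth + 1)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def parse_mdns(msg):
    """Parse header, questions and answers; label the message per RFC 6762 7.1."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!2H", msg, off)
        questions.append((name, qtype, bool(qclass & 0x8000)))  # top bit: "QU"
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        if rtype == 12:  # PTR: rdata is itself a (possibly compressed) name
            rdata = read_name(msg, off + 10)[0]
        answers.append((name, rdata, ttl))
        off += 10 + rdlen
    # QR bit clear plus a non-empty answer section = query listing known answers
    kind = "response" if flags & 0x8000 else ("query with known answers" if answers else "query")
    return {"kind": kind, "questions": questions, "answers": answers}

# Constructed sample mirroring the frame in the question (names left uncompressed).
SVC = "_services._dns-sd._udp.local"
def ptr_rr(target, ttl):
    rd = encode_name(target)
    return encode_name(SVC) + struct.pack("!2HIH", 12, 1, ttl, len(rd)) + rd
SAMPLE = (struct.pack("!6H", 0, 0, 1, 2, 0, 0) + encode_name(SVC) + struct.pack("!2H", 12, 0x8001)
          + ptr_rr("_http._tcp.local", 3595) + ptr_rr("_apple-mobdev2._tcp.local", 4157))
print(parse_mdns(SAMPLE)["kind"])
```

Because the sample leaves names uncompressed, its record data lengths are larger than the 13 and 17 bytes shown in the capture, where name compression is in use.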