I tried to capture traffic to a site with multiple IP addresses, and got very few results. Obviously, if I state a pcap filter like "host facebook.com", this creates a filter with one IP address returned from DNS at the time I start the capture. How should I capture that traffic correctly? asked 13 Mar '12, 00:18 Wurzelsepp
2 Answers:
You could create a filter with all IP addresses that are involved, like "host 1.2.3.4 or 1.2.3.5 or 1.2.3.6" etc., but that would require you to already know which IPs will be contacted (which you usually don't, especially not for large-scale websites that link to tons of external resources). A better approach might be not to filter on anything and capture it all, and then make sure that the client will only communicate with the website you want - meaning: shut down all other programs that could add packets to the capture and only run the one client program (in your case probably the web browser) which is necessary to access the resource. answered 13 Mar '12, 04:58 Jasper ♦♦
Actually, no, it doesn't, because DNS returns multiple IP addresses for facebook.com:
(I used "ip host" rather than "host" to eliminate distracting BPF code that also checks for ARP packets.) Note that it's checking for all three IP addresses as both source and destination addresses. If the site's DNS entry has multiple IP addresses, all of them will be checked for. If, however, the DNS server only returns one IP address at a time, and returns different IP addresses for different requests, you would need to get a complete list of all its IP addresses and construct the filter by hand, e.g.
answered 13 Mar '12, 11:09 Guy Harris ♦♦
Hi,
I will try with the 3 addresses found for facebook.com and one more for www.facebook.com. However, there are certainly services which use many more IP addresses than just 3 or 4. I once tried to understand the traffic generated by a single Windows machine, and it turned out that it was talking to a multitude of Kaspersky-related sites. At that time I would have liked to capture "not host .kaspersky." @Jasper: sometimes it is hardly possible to observe a system in isolation....
Unfortunately,
not host .kaspersky.com
(which is what I assume you meant) would be EXTREMELY difficult, if not impossible, to implement. It would probably require a zone transfer of all A and AAAA or A6 or whatever they're called records from the kaspersky.com domain and construct a large and complicated BPF program that is
not host first and not host second and ...
If a given DNS host name has many more IP addresses than just 3 or 4, that's not, in principle, a problem, as long as a DNS query for that host name returns all the IP addresses.
Hi,
my current problem (facebook) seems to be solved with the four IP addresses (3 for facebook.com and another one for www.facebook.com). There are, however, hosts where DNS, at any moment in time, only announces part of the available addresses. So I had the vague idea that a listener might follow DNS traffic and then readjust the pcap filter.
It might be possible to write such a listener, although it wouldn't be able to instantly readjust the filter, so there would be a window in which traffic to the new IP address might be missed.
In any case, neither tcpdump nor Wireshark are such a listener, and neither is likely to become one any time soon.
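As an added example, not code from this thread and not part of tcpdump or Wireshark, the Python below does two things discussed above: it builds the "ip host X or ip6 host Y ..." expression that libpcap's "host name" expands to once the name is resolved (so that a hand-built list of addresses, or a name that only returns part of its addresses at a time, can be turned into a filter), and it implements the "listener that follows DNS traffic" idea from the last comments by pulling A and AAAA answers out of DNS responses for names under one domain and reporting when the filter expression changed. The domain example.com, the addresses, and the DNS messages are constructed for the example; the step of recompiling and re-applying the filter (pcap_compile/pcap_setfilter, or restarting tcpdump) is not performed, and as noted above there is a window in which packets to a freshly announced address are missed.

```python
# Added example, not code from the thread: build the pcap/BPF expression
# that "host <name>" expands to, and grow it from DNS answers seen on the
# wire (the "listener" idea above). Offline: DNS messages are constructed.
import ipaddress
import struct

DNS_A, DNS_AAAA = 1, 28


def build_host_filter(addresses):
    """BPF expression matching any address as source or destination.
    'ip host X' / 'ip6 host X' is what 'host name' compiles to after
    resolution (ARP left out, as in the answer above); duplicates dropped."""
    terms, seen = [], set()
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if ip in seen:
            continue
        seen.add(ip)
        terms.append(f"{'ip' if ip.version == 4 else 'ip6'} host {ip}")
    return " or ".join(terms)


def _read_name(msg, off):
    """Decode a possibly compressed DNS name at msg[off]; return
    (lower-cased dotted name, offset just past the field as stored at off)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("DNS name pointer loop")
            if end is None:
                end = off + 2                       # pointer ends the field
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (off if end is None else end)


def extract_addresses(msg):
    """Return [(owner name, address)] for every A/AAAA answer RR in a response."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                        # skip the 12-byte header
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == DNS_A and rdlen == 4:
            found.append((name, str(ipaddress.IPv4Address(rdata))))
        elif rtype == DNS_AAAA and rdlen == 16:
            found.append((name, str(ipaddress.IPv6Address(rdata))))
    return found


class DnsFollower:
    """Collect addresses of names under one domain and derive a filter.
    observe() says whether the expression changed; the caller still has to
    recompile and re-apply it (pcap_compile/pcap_setfilter), and packets to
    a freshly announced address sent before that happens are missed."""

    def __init__(self, domain):
        self.domain = domain.lower().strip(".")
        self.addresses = {}                         # insertion-ordered set

    def observe(self, msg):
        before = len(self.addresses)
        for name, addr in extract_addresses(msg):
            if name == self.domain or name.endswith("." + self.domain):
                self.addresses.setdefault(addr, name)
        return len(self.addresses) > before

    def filter(self, negate=False):
        expr = build_host_filter(self.addresses)
        return f"not ({expr})" if negate and expr else expr


def make_response(qname, answers):
    """Constructed DNS response: one question, one A/AAAA RR per address,
    RR owner names written as a pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    question += b"\x00" + struct.pack("!HH", DNS_A, 1)
    rrs = b""
    for a in answers:
        ip = ipaddress.ip_address(a)
        rtype = DNS_A if ip.version == 4 else DNS_AAAA
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 60, len(ip.packed)) + ip.packed
    return header + question + rrs
```

Feeding `make_response("www.example.com", ["192.0.2.1", "192.0.2.2"])` and then `make_response("cdn.example.com", ["2001:db8::1"])` to `DnsFollower("example.com").observe()` yields `ip host 192.0.2.1 or ip host 192.0.2.2 or ip6 host 2001:db8::1`, and `filter(negate=True)` wraps that in `not (...)`, which is the closest a BPF program can get to the "not host .kaspersky.com" wish above: a growing, explicitly enumerated address list, never a name pattern.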