RE: DNS help

From: Faron.Goldenat_private
Date: Thu Dec 12 2002 - 13:58:41 PST

    from the man pages of tcpdump:
    src > dst: id  op?  flags  qtype qclass name (len)
    
    with the narrative explaining that:
    If a query contains an answer, nameserver, or authoritative section, ancount,
    nscount, or arcount are printed as [na], [nn], or [nau], where 'n' is the
    appropriate count.
    Applying that to the 12:15:24.020319 DNS.server.com.33795 >
    outside.guy.com.domain:  56162
    > [1au][|domain] (DF) data,
    you have a source > destination:  id of 56162   1 authority section
    domaintype with a Don't Frag flag.  Again, if the SHADOW sensor is
    functioning properly, you should be able to apply tcpdump to the raw data
    and read the HEX output to see exactly what was in the packet.
    
    -----Original Message-----
    From: larosa, vjay [mailto:larosa_vjayat_private]
    Sent: Thursday, December 12, 2002 1:54 PM
    To: 'Valdis.Kletnieksat_private'; larosa, vjay
    Cc: incidentsat_private
    Subject: RE: DNS help 
    
    
    That is exactly what I am trying to figure out. What is the meaning
    of '[1au][|domain]'. 56162 is the DNS transaction ID. When a DNS server
    makes a request a number is tagged to it, that way when the reply comes
    back it can match it up with the request. I just don't know what the meaning
    of 1au is.
    
    vjl
    
    -----Original Message-----
    From: Valdis.Kletnieksat_private [mailto:Valdis.Kletnieksat_private]
    Sent: Thursday, December 12, 2002 12:18 PM
    To: larosa, vjay
    Cc: incidentsat_private
    Subject: Re: DNS help 
    
    
    On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjayat_private>
    said:
    > Hello,
    > 
    > These packets were caught using a shadow IDS sensor. I was hoping that
    > somebody in the list could help me understand what is happening below.
    > I am familiar with snort and tcpdump, as well as the concept of packet
    > fragmentation. I am mostly interested in finding out about the DNS
    > requests being made, and why they are coming back fragmented.
    
    Given that they fragged at 1480, I'd suspect you're going through a VPN
    at some point.  You're going to their nameserver to look something up
    and the replies are getting fragged on the way.
    
    Is your DNS server a secondary for a zone hosted at outside.guy.com?  This
    looks like it might be AXFR traffic.  It's hard to tell without knowing what
    IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant
    I could tell you more.
    
    > 12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162
    > [1au][|domain] (DF)
    
    > 12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:
    > 56162[|domain] (frag 48818:1480@0+)
    
    
    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


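The header fields behind the "[1au]" notation the thread is trying to decode, as an added Python example (not code from the thread, from SHADOW, or from tcpdump itself): it hand-builds a DNS query with transaction ID 56162 that carries one EDNS0 OPT pseudo-record in the additional section, parses the header back out of the raw bytes, renders the section counts in the tcpdump man page's [na][nn][nau] form, and shows how a reply larger than the path MTU fragments into the "1480@0+" pieces seen in the capture. The query name, record contents and reply size are constructed for illustration; only the transaction ID and the notation come from the thread.

```python
"""Decode a raw DNS message header the way tcpdump summarises it.

Constructed example (not from the original capture): packet bytes are built
here, using transaction ID 56162 from the thread, with one EDNS0 OPT record
(RFC 2671) in the additional section, which is what makes arcount == 1.
"""
import struct

DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
OPT = 41                             # EDNS0 pseudo-RR type
AXFR = 252                           # zone transfer qtype (what Valdis suspected)


def encode_name(name):
    """'outside.guy.com' -> b'\\x07outside\\x03guy\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=AXFR, edns_udp_size=4096):
    """Query with RD set; edns_udp_size=None omits the OPT record."""
    arcount = 0 if edns_udp_size is None else 1
    msg = DNS_HDR.pack(txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if arcount:
        # OPT RR: root name, type 41, CLASS = requester's UDP payload size,
        # TTL = extended RCODE/version/flags (0), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_udp_size, 0, 0)
    return msg


def build_response(txid, qname, ip4, edns_udp_size=4096):
    """Constructed reply: QR|RD|RA, one A answer (compressed name), one OPT."""
    msg = DNS_HDR.pack(txid, 0x8180, 1, 1, 0, 1)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(ip4)
    msg += b"\x00" + struct.pack("!HHIH", OPT, edns_udp_size, 0, 0)
    return msg


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + n


def parse(buf):
    """Header fields plus the EDNS UDP size advertised by any OPT record."""
    txid, flags, qd, an, ns, ar = DNS_HDR.unpack_from(buf, 0)
    info = {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "edns_udp_size": None}
    off = DNS_HDR.size
    for _ in range(qd):                       # question: name, qtype, qclass
        off = skip_name(buf, off) + 4
    for _ in range(an + ns + ar):             # RRs: name, type, class, ttl, rdlen, rdata
        off = skip_name(buf, off)
        rtype, rclass = struct.unpack_from("!HH", buf, off)
        rdlen = struct.unpack_from("!H", buf, off + 8)[0]
        if rtype == OPT:
            info["edns_udp_size"] = rclass    # CLASS field carries the UDP size
        off += 10 + rdlen
    return info


def tcpdump_counts(info):
    """Section counts in the man page's [na][nn][nau] form (used for queries;
    tcpdump prints replies as ancount/nscount/arcount instead)."""
    s = ""
    if info["ancount"]:
        s += "[%da]" % info["ancount"]
    if info["nscount"]:
        s += "[%dn]" % info["nscount"]
    if info["arcount"]:
        s += "[%dau]" % info["arcount"]
    return s


def ip_fragments(ip_payload_len, mtu=1500):
    """How an IP payload of ip_payload_len bytes (UDP header + DNS) fragments
    with a 20-byte IP header: tcpdump-style 'len@offset', '+' = more follow."""
    per_frag = (mtu - 20) // 8 * 8            # 1480 on Ethernet; 8-byte units
    frags, off = [], 0
    while off < ip_payload_len:
        n = min(per_frag, ip_payload_len - off)
        more = "+" if off + n < ip_payload_len else ""
        frags.append("%d@%d%s" % (n, off, more))
        off += n
    return frags


if __name__ == "__main__":
    q = parse(build_query(56162, "outside.guy.com"))
    print(q["id"], tcpdump_counts(q), "EDNS UDP size", q["edns_udp_size"])
    print(ip_fragments(3000))
```

A query without an OPT record parses with arcount 0 and tcpdump_counts returns an empty string; with the OPT record present the query renders as "[1au]", and the 4096-byte buffer size it advertises is what permits a reply far larger than the classic 512-byte UDP limit, which then has to fragment at the first 1500-byte link.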

    This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 14:10:37 PST