command line ID vs Wireshark transaction ID (dns.id)

John W. Blue john.blue at rrcic.com
Fri Aug 11 04:28:13 UTC 2017


Mark,

If only it was that easy!

Because I have gone through heaps and heaps of test configurations, I can say with some confidence that you have not actually tried to correlate the values yourself in a similar fashion.

(insane is defined as doing the same thing over and expecting a different result, correct?)

Before I composed this email I did one last tcpdump where I tested via the command:

# rndc flush
# tcpdump -n -i bge1 -s0 -w airnav.pcap port domain

The query command in another shell was:

$ dig www.airnav.com.

With a result of:

; <<>> DiG <<>> www.airnav.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64934
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6

;; QUESTION SECTION:
;www.airnav.com.                        IN      A

;; ANSWER SECTION:
www.airnav.com.         300     IN      A       206.125.168.131

The screenshot of the resulting pcap is here:

http://www.rfmapping.com/airnav.png

Although I would expect transaction 0xc905 to be the one that produced the above dig results, for grins, none of the hex transaction IDs can be converted to match the id "64934".

John
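A small added example (not part of this thread, and not BIND or dig code) of the correlation John is attempting: dig prints the transaction ID in decimal ("id: 64934"), Wireshark's dns.id column shows the same 16-bit field in hex, so the two are compared by parsing the 12-byte DNS header and converting radix. The "capture" below is a constructed list of bare DNS payloads (no Ethernet/IP/UDP headers) in which one entry carries dig's ID and the others mimic a resolver's own outbound lookups, which always carry IDs of their own; only the entry with the matching ID is reported.

```python
import struct


def dig_id_to_hex(dig_id: int) -> str:
    """Render dig's decimal 'id:' value the way Wireshark's dns.id column shows it."""
    return f"0x{dig_id:04x}"


def wireshark_id_to_decimal(hex_id: str) -> int:
    """Convert a Wireshark dns.id value such as '0xc905' back to dig's decimal form."""
    return int(hex_id, 16)


def parse_dns_header(payload: bytes) -> dict:
    """Parse the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("DNS payload shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),          # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,       # 0 = QUERY
        "rd": bool(flags & 0x0100),          # recursion desired
        "ra": bool(flags & 0x0080),          # recursion available
        "rcode": flags & 0x000F,             # 0 = NOERROR
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_qname(name: str) -> bytes:
    """Encode 'www.airnav.com.' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, flags: int = 0x0100) -> bytes:
    """Build a minimal A/IN query payload with the given transaction ID (RD set)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


# Constructed sample capture (assumed, not taken from the thread's pcap):
# two resolver-side lookups with their own IDs plus dig's query, id 64934.
SAMPLE_PAYLOADS = [
    build_query(0xC905, "www.airnav.com."),
    build_query(0x1A2B, "airnav.com."),
    build_query(64934, "www.airnav.com."),
]


def find_matching(payloads, dig_id: int):
    """Return [(index, parsed_header)] for every payload whose id equals dig's id."""
    matches = []
    for i, payload in enumerate(payloads):
        hdr = parse_dns_header(payload)
        if hdr["id"] == dig_id:
            matches.append((i, hdr))
    return matches


if __name__ == "__main__":
    dig_id = 64934
    print("dig id", dig_id, "is", dig_id_to_hex(dig_id), "in Wireshark")
    for i, p in enumerate(SAMPLE_PAYLOADS):
        h = parse_dns_header(p)
        print(f"packet {i}: dns.id={dig_id_to_hex(h['id'])} ({h['id']}) rd={h['rd']}")
    print("matching packets:", [i for i, _ in find_matching(SAMPLE_PAYLOADS, dig_id)])
```

Applied to a real capture the same header parse runs over each UDP payload on port 53; if no dns.id equals dig's decimal ID in hex, the captured packets are not the exchange dig reported, for example because dig's query went over loopback while the capture interface only saw the resolver's upstream traffic.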

-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org] 
Sent: Thursday, August 10, 2017 7:26 PM
To: John W. Blue
Cc: bind-users at lists.isc.org
Subject: Re: command line ID vs Wireshark transaction ID (dns.id)


Apply Occam's razor.

The packet in wireshark is not the packet DiG displayed.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

