
So here we have an example of why Google is scared.... asking Google to find the specific recipe for "what is the tcpdump incantation to sniff / filter only for ddns update packets" winds up with a billion pages of stuff not related to what I'm interested in... Lots of stuff about setting up a DNS server, though.

so...

Anyone know the specific tcpdump filter you'd use to capture only dynamic dns update packets?

Wireshark and tcpdump both seem to recognize ddns update packets (I'm using the Wireshark example pcap file with ddns update packets from the Wireshark wiki). So, at least I can just filter for port 53 traffic, but on this link that's going to be a metric-buttload of traffic.

Thanks! Sorry to ask a 101 type question...

chris
  • Google is scared? Of what? – joeqwerty Dec 01 '09 at 15:35
  • Of the fact that when you do certain types of searches you get an overwhelming volume of information that's not really slightly what you're interested in looking for. So, instead of asking google for that sort of information, people do a "vertical search" some place like here or twitter or facebook. – chris Dec 01 '09 at 18:25
  • Well considering the fact that they command better than 60% of the search market, and the fact that the competitors can't provide any better results, they're probably not scared. – joeqwerty Dec 02 '09 at 00:35
  • By that reasoning, Borland, Novell, Digital Research, Wang, Lotus, America Online, Ashton Tate, Compuserv, Xerox and Kodak shouldn't have been scared either. – chris Dec 02 '09 at 04:12

2 Answers


Something like this seems to work for IPv4:

tcpdump 'udp[0xa] & 0x78 = 0x28'

Reasoning (offsets relative to the start of the UDP packet - probably easiest to follow along with Wireshark open):

  • bytes 0-7 = UDP header
  • bytes 8-9 = DNS transaction ID
  • byte 10 (0xa) = start of DNS flags

The DNS opcode is bits 3-6 (hence the mask 01111000 = 0x78) of byte 10, and for updates we want DNS opcode 5; 5 << 3 = 40 = 0x28.

SimonJ
  • Thanks! That does indeed filter for exactly what I was looking for! I'm waiting until I can add a bounty before I mark this answer as accepted. – chris Dec 03 '09 at 05:37
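The following is an added illustration, not part of SimonJ's answer: it builds a few constructed UDP datagrams carrying only a 12-byte DNS header (RFC 1035 layout, with a standard query, an UPDATE request and an UPDATE response) and evaluates the exact byte test that tcpdump performs for 'udp[0xa] & 0x78 = 0x28', next to a proper decode of the opcode from the 16-bit flags word. It also shows one thing the answer does not spell out: because the 0x78 mask drops bit 7 (the QR bit), the filter matches UPDATE responses as well as requests; the stricter mask 0xf8 in the second helper is my addition for matching requests only. The sample datagrams have no question or RR sections, since the filter only inspects the header, and the UDP checksum is left at zero.

```python
import struct

# DNS header flags word (RFC 1035 section 4.1.1), bit 15 = MSB:
#   bit 15 = QR, bits 14-11 = OPCODE, bit 10 = AA, bit 9 = TC, bit 8 = RD, ...
OPCODE_QUERY = 0
OPCODE_UPDATE = 5          # dynamic update, RFC 2136
UDP_HEADER_LEN = 8         # src port, dst port, length, checksum: 2 bytes each


def build_udp_dns(src_port, dst_port, txid, opcode, is_response=False,
                  counts=(1, 0, 0, 0)):
    """Constructed test data: a UDP datagram whose payload is only a DNS header.
    counts = (QD/ZO, AN/PR, NS/UP, AR/AD) section counts."""
    flags = (int(is_response) << 15) | ((opcode & 0xF) << 11)
    dns_header = struct.pack("!HHHHHH", txid, flags, *counts)
    udp_header = struct.pack("!HHHH", src_port, dst_port,
                             UDP_HEADER_LEN + len(dns_header), 0)  # checksum 0 = none
    return udp_header + dns_header


def tcpdump_filter_matches(datagram):
    """The test tcpdump evaluates for the answer's filter 'udp[0xa] & 0x78 = 0x28':
    byte 10 from the start of the UDP datagram is the high byte of the DNS flags,
    bits 3-6 of which hold the opcode; 5 << 3 == 0x28."""
    return (datagram[0xA] & 0x78) == 0x28


def request_only_filter_matches(datagram):
    """Assumed stricter variant (my addition): mask 0xf8 keeps the QR bit in the
    comparison, so only UPDATE *requests* (QR = 0) match; 'udp[0xa] & 0xf8 = 0x28'."""
    return (datagram[0xA] & 0xF8) == 0x28


def dns_opcode(datagram):
    """Decode the opcode from the full 16-bit flags word, as Wireshark would."""
    (flags,) = struct.unpack_from("!H", datagram, UDP_HEADER_LEN + 2)
    return (flags >> 11) & 0xF


def is_response(datagram):
    (flags,) = struct.unpack_from("!H", datagram, UDP_HEADER_LEN + 2)
    return bool(flags & 0x8000)


# Constructed samples: ephemeral client ports and transaction IDs are arbitrary.
SAMPLES = {
    "standard query":  build_udp_dns(40000, 53, 0x1234, OPCODE_QUERY),
    "update request":  build_udp_dns(40001, 53, 0x5678, OPCODE_UPDATE,
                                     counts=(1, 0, 1, 0)),
    "update response": build_udp_dns(53, 40001, 0x5678, OPCODE_UPDATE,
                                     is_response=True, counts=(1, 0, 1, 0)),
}


def classify_all():
    """Return {name: (answer_filter_hit, request_only_hit, opcode)} for every sample."""
    return {name: (tcpdump_filter_matches(d), request_only_filter_matches(d), dns_opcode(d))
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hit, req_hit, opcode) in classify_all().items():
        print(f"{name:16s} opcode={opcode} 0x78-filter={hit} 0xf8-filter={req_hit}")
```

Two practical notes follow from this: the answer's expression captures both directions of an update exchange, which is usually what you want when auditing who is updating a zone, and a udp[] index expression naturally never sees updates that a client sends over TCP (RFC 2136 permits TCP), so a capture meant to be complete needs to account for port 53 TCP separately.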

For such a request, dnscap is clearly a superior solution because you can write DNS-specific requests.

A request like:

% dnscap -w updates.pcap -mu -i eth0

will keep, in the updates.pcap file, only the ddns update requests.

bortzmeyer
  • It looks like a useful tool, but trying to figure out how to get and install it gave me flashbacks of trying to install cnews so I could post to usenet from my school's Ultrix box. – chris Dec 13 '09 at 23:37
  • Wow, I was an Ultrix sysadmin too! I remember my installation of INN, how it looked simple after cnews :-) Anyway, on Gentoo or Debian, just add or uncomment 'PORTLIBS= /usr/lib/libresolv.a BINDLIB=-lbind9' in the Makefile and type make. – bortzmeyer Dec 14 '09 at 21:13
  • Except you'd need to find a copy of cnews from somewhere to be able to post using inn. I miss ultrix, the good old days. Amazingly, interactive stuff on my old DECstation 3100 felt about the same as my modern computer, despite the fact that even my cell phone has 8 times as much memory and 100 times the CPU speed. plus ça change, plus c'est la même chose. – chris Jan 07 '10 at 16:43