I am a bit confused by the abundant tcpdump tutorials on the internet. I have a few virtual machines running on a virtualization server, where I am debugging a problem. Port 53 is the one with the problem. I have a bridged setup where, of the 4 LAN cards on the machine in question, one is active and it is xen-br0. I want to check if there is any request coming in on port 53 on the server from other machines on the LAN in question. I also want to see if the guest operating systems on the LAN or any other machine are sending traffic on port 53. Due to the abundant messages being generated by tcpdump, I am finding it difficult to grep the output for the desired port.
So how can I use it? If someone could give an example, that would be helpful. Thanks in advance.
You can use this command: tcpdump -n -s 1500 -i eth0 udp port 53 (replace 'eth0' with the name of your ethernet interface, e.g. 'fxp0'). This shows all packets going in and out of your machine for UDP port 53 (DNS). Source: DNS exercise 1
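The asker's actual difficulty is sifting tcpdump's output, and the next answer makes the point that "who is talking with whom on port 53" is usually the question. The following script is an added example, not part of either answer: it reads the text output of tcpdump -nn on the bridge interface from the question (xen-br0 is taken from the question; the BPF filter 'port 53' matches both UDP and TCP in either direction), counts requests sent to port 53 per client host and per client/server pair, and pulls the query names out of the requests. The sample lines at the bottom are constructed for the example and are not a real capture; with no pipe on stdin the script runs over them.

```python
"""Summarise DNS (port 53) traffic from tcpdump's text output.

Intended use on the Linux host from the question (needs root for tcpdump):

    tcpdump -l -nn -i xen-br0 'port 53' | python3 dns_talkers.py

-l makes tcpdump line-buffer its output so the pipe is processed live.
Interface name and the SAMPLE lines below are assumptions/constructed.
"""
import re
import sys
from collections import Counter, defaultdict

# One tcpdump -nn line: "<timestamp> IP|IP6 <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\S+\s+IP6?\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
# A DNS query as tcpdump prints it, e.g. "12345+ A? example.com. (29)"
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)")


def parse_line(line):
    """Return (src, sport, dst, dport, rest), or None if the line is not a
    tcpdump IP/IP6 packet line (e.g. the 'listening on ...' banner)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["rest"])


def summarise(lines, port=53):
    """Count packets sent *to* `port`, keyed by the sending host.

    Returns a dict with:
      clients:  Counter of source hosts that sent packets to the port
      pairs:    Counter of (client, server) pairs
      queries:  dict client -> Counter of (qtype, qname) seen in requests
    Replies (source port 53, arbitrary destination port) are skipped so a
    busy resolver's answers do not inflate the counts.
    """
    clients = Counter()
    pairs = Counter()
    queries = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _sport, dst, dport, rest = parsed
        if dport != port:
            continue
        clients[src] += 1
        pairs[(src, dst)] += 1
        q = QUERY_RE.search(rest)
        if q:  # TCP handshake lines carry no query text, only UDP/TCP payload lines do
            queries[src][(q["qtype"], q["qname"])] += 1
    return {"clients": clients, "pairs": pairs, "queries": dict(queries)}


# Constructed sample of tcpdump -nn output (not a real capture); private and
# documentation address ranges only.
SAMPLE = """\
10:00:01.000001 IP 192.168.1.10.53421 > 192.168.1.1.53: 12345+ A? example.com. (29)
10:00:01.000400 IP 192.168.1.1.53 > 192.168.1.10.53421: 12345 1/0/0 A 93.184.216.34 (45)
10:00:02.000001 IP 192.168.1.20.41000 > 192.168.1.1.53: Flags [S], seq 1, win 64240, length 0
10:00:02.000002 IP 192.168.1.10.53422 > 192.168.1.1.53: 12346+ AAAA? example.com. (29)
10:00:03.000001 IP 192.168.1.30.50000 > 198.51.100.1.53: 4711+ A? updates.example.net. (37)
10:00:03.000002 IP 192.168.1.1.22 > 192.168.1.10.40000: Flags [P.], seq 1:2, length 1
"""


def report(lines, out=sys.stdout):
    """Print the summary in a form that is easy to eyeball on a busy LAN."""
    s = summarise(lines)
    out.write("requests to port 53 per client:\n")
    for host, n in s["clients"].most_common():
        out.write(f"  {host:<16} {n}\n")
        for (qtype, qname), c in s["queries"].get(host, Counter()).most_common():
            out.write(f"      {qtype:<5} {qname} x{c}\n")
    out.write("client -> server pairs:\n")
    for (src, dst), n in s["pairs"].most_common():
        out.write(f"  {src} -> {dst}: {n}\n")


if __name__ == "__main__":
    # Read a live tcpdump pipe when one is attached, otherwise demo on SAMPLE.
    report(sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines())
```

Because only the destination port is tested, the summary also catches guests that bypass the local resolver and talk to an outside DNS server directly (the 192.168.1.30 line in the sample), which is exactly the kind of traffic the question wants to spot on the bridge.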
If you only want to see who is talking with whom on port udp/tcp 53, without needing the detailed payload of such conversations, your best bet is to use netflow.
I would dare to guess that you are using Linux. If so, you could use ulogd to generate the netflow information from the traffic you are receiving and then process it using nfdump (if you are command-line oriented) and/or nfsen (if you are more of the visual type) (nfdump/nfsen are part of the same open-source project).
As an example, ulogd is enabled with only one iptables rule:
and having fprobe-ulog running so that each and every flow generated by ulogd goes to the netflow collector (in this case nfdump) listening on the port you have configured nfdump to listen on (in this case port 9995):
So if you want to know who has been trying to talk to your server on port udp/tcp 53, you could query your flows using nfdump:
For the specific issue you are describing, installing ulogd and nfdump/nfsen may sound like overkill, but experience tells me that having your infrastructure netflow-enabled will greatly help you in any kind of traffic/security troubleshooting you may need to do in the future, so it may very well be worth the effort.
Hey, I know this is not a complete solution, but it is quick and might come in handy
This should give you an idea of what is using the port. (PS: I have never used it for DNS.)