Home / server / Questions / 89811
Accepted
chris
Asked: 2009-12-02 06:20:49 +0800 CST

tcpdump and dynamic dns update

  • 772

So here we have an example of why google is scared.... asking google to find the specific recipe for "what is the tcpdump incantation to sniff / filter only for ddns update packets" winds up with a billion pages of stuff not related to what I'm interested in... Lots of stuff about setting up a dns server, though.

so...

Anyone know the specific tcpdump filter you'd use to capture only dynamic dns update packets?

Wireshark and tcpdump both seem to recognize ddns update packets, (I'm using the wireshark example pcap file with ddns update packets from the wireshark wiki). So, at least I can just filter for port 53 traffic, but on this link that's going to be a metric-buttload of traffic.

Thanks! Sorry to ask a 101 type question...

tcpdump

2 Answers

  1. Best Answer

    Something like this seems to work for IPv4:

    tcpdump 'udp[0xa] & 0x78 = 0x28'

    Reasoning (offsets relative to the start of the UDP packet - probably easiest to follow along with Wireshark open):

    • bytes 0-7 = UDP header
    • bytes 8-9 = DNS transaction ID
    • byte 10 (0xa) = start of DNS flags

    The DNS opcode is bits 3-6 (hence the mask 01111000 = 0x78) of byte 10, and for updates we want DNS opcode 5; 5 << 3 = 40 = 0x28.

    • 6

  2. For such a request, dnscap is clearly a superior solution because you can write DNS-specific requests.

    A request like:

    % dnscap -w updates.pcap -mu -i eth0

    will keep, in the updates.pcap file only the ddns update requests.

    • 1