Tip: when searching DNS answers for cert ... / 2011-04-06

Tip: when searching DNS answers for certain IP addresses, use the -n flag for tcpdump. Otherwise tcpdump will 'helpfully' resolve the IP back to a name.

You may need to scroll the output below to the right to see what I mean.

# tcpdump -r zorin.pcap port 53 -v | grep webcam
14:02:27.731039 IP (tos 0x0, ttl 128, id 24132, offset 0, flags [none], proto 17, length: 63) zorin.cs.uu.nl.53459 > kwak.cs.uu.nl.domain:  41099+ A? webcam.idefix.net. (35)
14:02:27.734230 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 17, length: 241) kwak.cs.uu.nl.domain > zorin.cs.uu.nl.53459:  41099 1/3/5 webcam.idefix.net. A koos.idefix.net (213)

And what I was testing for:

# tcpdump -nr zorin.pcap port 53 -v | grep webcam
reading from file zorin.pcap, link-type EN10MB (Ethernet)
14:02:27.731039 IP (tos 0x0, ttl 128, id 24132, offset 0, flags [none], proto 17, length: 63) 131.211.80.21.53459 > 131.211.80.32.domain:  41099+ A? webcam.idefix.net. (35)
14:02:27.734230 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 17, length: 241) 131.211.80.32.domain > 131.211.80.21.53459:  41099 1/3/5 webcam.idefix.net. A xx.xx.xx.xx (213)

That is something I can grep for a weird IP.