2011-04-06
Tip: when searching DNS answers for certain IP addresses, use the -n flag for tcpdump. Otherwise tcpdump will 'helpfully' resolve the IP back to a name. You may need to scroll the output below to the right to see what I mean.
# tcpdump -r zorin.pcap port 53 -v | grep webcam
14:02:27.731039 IP (tos 0x0, ttl 128, id 24132, offset 0, flags [none], proto 17, length: 63) zorin.cs.uu.nl.53459 > kwak.cs.uu.nl.domain: 41099+ A? webcam.idefix.net. (35)
14:02:27.734230 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 241) kwak.cs.uu.nl.domain > zorin.cs.uu.nl.53459: 41099 1/3/5 webcam.idefix.net. A koos.idefix.net (213)

And what I was testing for:

# tcpdump -nr zorin.pcap port 53 -v | grep webcam
reading from file zorin.pcap, link-type EN10MB (Ethernet)
14:02:27.731039 IP (tos 0x0, ttl 128, id 24132, offset 0, flags [none], proto 17, length: 63) 131.211.80.21.53459 > 131.211.80.32.domain: 41099+ A? webcam.idefix.net. (35)
14:02:27.734230 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 241) 131.211.80.32.domain > 131.211.80.21.53459: 41099 1/3/5 webcam.idefix.net. A xx.xx.xx.xx (213)

That is something I can grep for a weird IP.
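Beyond grepping for one address, the same check (take the A-record answers out of -n output and look for one that is not where you expect it) can be scripted. The block below is an added example, not from the original post; it assumes the answer layout tcpdump printed above ("<id> 1/3/5 name. A <ip> (len)", with several answers separated by commas) and runs over constructed sample lines that use documentation address ranges rather than the real capture.

```shell
#!/bin/sh
# Added example (not from the original post): pull "qname ip" pairs out of
# `tcpdump -n -v port 53` output and flag answers outside an expected prefix.
# Assumes the response format shown in the post: "<id> 1/3/5 name. A <ip> (len)".
# Only -n output makes sense here: without -n tcpdump has already replaced the
# answer IP with a reverse-resolved name, so there is no address left to check.

# Constructed sample lines (documentation addresses 192.0.2.0/24 and
# 198.51.100.0/24; not a real capture), in the layout tcpdump -n -v prints.
SAMPLE='14:02:27.731039 IP (tos 0x0, ttl 128, id 24132, offset 0, flags [none], proto 17, length: 63) 192.0.2.21.53459 > 192.0.2.32.domain: 41099+ A? webcam.example.net. (35)
14:02:27.734230 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 241) 192.0.2.32.domain > 192.0.2.21.53459: 41099 1/3/5 webcam.example.net. A 192.0.2.10 (213)
14:02:28.100001 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 260) 192.0.2.32.domain > 192.0.2.21.53460: 41100 2/0/0 mail.example.net. A 198.51.100.7, mail.example.net. A 198.51.100.8 (232)
14:02:29.200002 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 120) 192.0.2.32.domain > 192.0.2.21.53461: 41101 NXDomain 0/1/0 (92)'

# dns_answers: read tcpdump lines on stdin, print "qname ip" for every A answer.
dns_answers() {
    awk '
    {
        # Responses carry an answer/authority/additional count such as 1/3/5;
        # queries ("41099+ A? name.") do not, so skip lines without one.
        is_response = 0
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\/[0-9]+\/[0-9]+$/) is_response = 1
        if (!is_response) next
        # An answer is "<name>. A <ipv4>" with an optional trailing comma
        # when the response holds more than one record.
        for (i = 2; i < NF; i++) {
            if ($i == "A" && $(i-1) ~ /\.$/ && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,?$/) {
                ip = $(i+1); sub(/,$/, "", ip)
                name = $(i-1); sub(/\.$/, "", name)
                print name, ip
            }
        }
    }'
}

# unexpected_answers PREFIX: print answers whose IP does not start with PREFIX
# (for example "192.0.2."), i.e. the "weird IP" the post greps for.
unexpected_answers() {
    prefix="$1"
    dns_answers | awk -v p="$prefix" 'index($2, p) != 1'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | dns_answers
echo '--- answers outside 192.0.2.0/24:'
printf '%s\n' "$SAMPLE" | unexpected_answers 192.0.2.
```

On a real capture the functions read the same thing the post pipes into grep, so `tcpdump -nr zorin.pcap port 53 -v | unexpected_answers 131.211.` would list every A answer that points outside the expected network; the prefix test is a plain string match, so pick a prefix that ends at an octet boundary.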