juschillin

Help deciphering DNS Packet

I'm trying to read through several packets of info for a project I'm working on, but I keep getting stuck.  

If I send out an mDNS query (just repeating one that another device sent and I captured), it seems fine.  If it has more than one query in it and I change anything, the second query gets corrupted, even though I've checked all the byte counts and made sure they were accurate.

There are several questions in this so bear with me.  I'll try and write the questions in the packet and keep it legible.  This is a packet capture from Wireshark.
///////////////////////////NOT RELEVANT////////////////////////////////////////////////////////////
0000  01 00 5e 00 00 fb 04 1e  64 2a 80 b5 08 00 45 00   ..^..... d*....E.
0010  01 35 fc 8d 00 00 ff 11  1a 1d c0 a8 02 69 e0 00   .5...... .....i..
0020  00 fb 14 e9 14 e9 01 21  ef e1
///////////////////////////END NOT RELEVANT////////////////////////////////////////////////////                                                            
 
00 00 84 00 00 00   .......! ........
0030  00 04 00 00 00 01 28 65  35 61 64 62 37 39 63 61   ......(e 5adb79ca
0040  35 31 33 35 30 38 63 37  38 63 35 32 32 31 33 34   513508c7 8c522134
0050  64 37 62 33 63 34 34 32  36 35 66 31 62 64 62 0d   d7b3c442 65f1bdb.
0060  5f 74 6f 75 63 68 2d 72  65 6d 6f 74 65 04 5f 74   _touch-r emote._t
0070  63 70 05 6c 6f 63 61 6c  00  <<What is this byte?  RFC doesn't refer to a delimiter that I have seen.
 
00 21 80 01 <<What is the 80 here? Typically it would be 0001 which would stand for CLASS IN.  (I can live with not knowing why this is, but it's always nice when stuff actually makes sense) 
 
00 00 00   cp.local ..!.....
0080  78 00 17 00 00 00 00 c0  41 0e 53 65 6e 69 63 61   x....... A.Senica
0090  73 2d 69 50 68 6f 6e 65  c0 48 c0 0c  <<This is my MAIN Question!!!  What are the last 4 bytes here?  c048c00c.  It seems to represent a PTR or Pointer Record.  But I can't make any sense of it. Wireshark seems to want to split them so that c048 is part of the Senicas-iPhone and c00c is the PTR for the next question (Which is TXT and says that c00c is the domain name for that question).  But I don't understand how it resolves or how I come about c00c.  I'm guessing that c048 is RDATA that says the rest of the information is [here].   Can someone please explain this to me?
 
00 10 80 01   s-iPhone .H......
00a0  00 00 11 94 00 5a 16 44  76 4e 6d 3d 53 65 6e 69   .....Z.D vNm=Seni
00b0  63 61 e2 80 99 73 20 69  50 68 6f 6e 65 15 50 61   ca...s i Phone.Pa
00c0  69 72 3d 46 36 36 41 37  35 34 41 37 38 36 34 35   ir=F66A7 54A78645
00d0  34 34 36 0a 52 65 6d 56  3d 31 30 30 30 30 09 74   446.RemV =10000.t
00e0  78 74 76 65 72 73 3d 31  0b 52 65 6d 4e 3d 52 65   xtvers=1 .RemN=Re
00f0  6d 6f 74 65 0b 44 76 54  79 3d 69 50 68 6f 6e 65   mote.DvT y=iPhone
0100  09 5f 73 65 72 76 69 63  65 73 07 5f 64 6e 73 2d   ._servic es._dns-
0110  73 64 04 5f 75 64 70 c0  48 00 0c 00 01 00 00 11   sd._udp. H.......
0120  94 00 02 c0 35 c0 35 00  0c 00 01 00 00 11 94 00   ....5.5. ........
0130  02 c0 0c c0 5f 00 01 80  01 00 00 00 78 00 04 c0   ...._... ....x...
0140  a8 02 69                                           ..i

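The three bytes the question asks about are all standard DNS wire-format features (RFC 1035 section 4.1.4 and RFC 6762): the lone 00 is the zero-length root label that terminates every name; 80 01 is the class field with the mDNS "cache-flush" bit set on top of CLASS IN; and c0 48 / c0 0c are compression pointers whose low 14 bits are offsets counted from the start of the DNS header, not from the start of the Ethernet frame, so 0x48 in the message is frame offset 0x72 (the "local" label) and 0x0c is the first answer's full name. The parser below is an added example written for this page, not the asker's code or any library's API; it takes the 281-byte UDP payload transcribed from the dump above, follows the pointers, and decodes every record. Because multicast DNS accepts packets from anything on the LAN, it also refuses pointers that do not point strictly backwards (which rules out pointer loops) and RDLENGTH values that run past the end of the message.

```python
import struct

# The 281-byte DNS message (UDP payload) from the capture in the question: the
# frame from offset 0x2a onward, one row per Wireshark line. Compression
# pointers count from the DNS header, so msg offset = frame offset - 0x2a.
MDNS_RESPONSE = bytes.fromhex(
    "000084000000"                      # ID 0, flags 0x8400 (response, authoritative), QD 0
    "00040000000128653561646237396361"  # AN 4, NS 0, AR 1; label len 0x28 "e5adb79ca..."
    "35313335303863373863353232313334"
    "6437623363343432363566316264620d"  # 0d = 13-byte label "_touch-remote"
    "5f746f7563682d72656d6f7465045f74"
    "6370056c6f63616c0000218001000000"  # "local", 00 = root label ends the name; SRV, 0x8001
    "78001700000000c0410e53656e696361"  # TTL 120, RDLEN 23, prio 0, weight 0, port 0xc041
    "732d6950686f6e65c048c00c00108001"  # c048 -> "local" at 0x48; c00c starts the TXT record
    "00001194005a1644764e6d3d53656e69"
    "6361e2809973206950686f6e65155061"
    "69723d46363641373534413738363435"
    "3434360a52656d563d31303030300974"
    "7874766572733d310b52656d4e3d5265"
    "6d6f74650b447654793d6950686f6e65"
    "095f7365727669636573075f646e732d"
    "7364045f756470c048000c0001000011"
    "940002c035c035000c00010000119400"
    "02c00cc05f00018001000000780004c0"
    "a80269"
)

CACHE_FLUSH = 0x8000  # top bit of CLASS in mDNS answers (RFC 6762 s.10.2): 0x8001 = flush + IN


def read_name(msg, offset):
    """Decode the name at msg[offset:], following RFC 1035 s.4.1.4 compression
    pointers (two bytes, top bits 11, low 14 bits = offset of an earlier name).
    Returns (name, offset just past the name as stored in this record)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if ptr >= offset:  # a pointer must go backwards; this also rejects loops
                raise ValueError(f"bad compression pointer 0x{ptr:04x} at 0x{offset:04x}")
            end = offset + 2 if end is None else end
            offset = ptr
            continue
        if length & 0xC0:
            raise ValueError(f"reserved label type 0x{length:02x} at 0x{offset:04x}")
        offset += 1
        if length == 0:  # zero-length root label terminates the name
            return ".".join(labels), (offset if end is None else end)
        labels.append(msg[offset:offset + length].decode("utf-8", "replace"))
        offset += length


def parse_rr(msg, offset):
    """Parse one resource record; returns (record dict, offset of the next record)."""
    name, offset = read_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
    rd = offset + 10
    if rd + rdlen > len(msg):
        raise ValueError("RDLENGTH runs past the end of the message")
    if rtype == 33:    # SRV: priority, weight, port, target name
        prio, weight, port = struct.unpack_from("!HHH", msg, rd)
        rdata = {"priority": prio, "weight": weight, "port": port,
                 "target": read_name(msg, rd + 6)[0]}
    elif rtype == 12:  # PTR: a name
        rdata = read_name(msg, rd)[0]
    elif rtype == 16:  # TXT: sequence of <len><bytes> strings
        rdata, p = [], rd
        while p < rd + rdlen:
            rdata.append(msg[p + 1:p + 1 + msg[p]].decode("utf-8", "replace"))
            p += 1 + msg[p]
    elif rtype == 1:   # A: IPv4 address
        rdata = ".".join(str(b) for b in msg[rd:rd + 4])
    else:
        rdata = msg[rd:rd + rdlen].hex()
    return {"name": name, "type": rtype, "class": rclass & 0x7FFF,
            "cache_flush": bool(rclass & CACHE_FLUSH), "ttl": ttl, "rdata": rdata}, rd + rdlen


def parse_message(msg):
    """Parse header, questions and all three RR sections; rejects trailing bytes."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    offset, questions = 12, []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append({"name": qname, "type": qtype, "class": qclass & 0x7FFF,
                          "unicast_response": bool(qclass & 0x8000)})  # top bit in a query
    result = {"id": ident, "flags": flags, "questions": questions}
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        result[section] = []
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            result[section].append(rr)
    if offset != len(msg):
        raise ValueError(f"{len(msg) - offset} unparsed trailing bytes")
    return result


if __name__ == "__main__":
    msg = parse_message(MDNS_RESPONSE)
    for section in ("answers", "additional"):
        for rr in msg[section]:
            print(section, rr)
    print(read_name(MDNS_RESPONSE, 0x48))     # what c048 points at
    print(read_name(MDNS_RESPONSE, 0x0c)[0])  # what c00c points at
```

Run as-is, it shows the packet is a response (QDCOUNT 0, ANCOUNT 4, ARCOUNT 1) rather than a set of queries: an SRV record whose 23-byte RDATA ends with "Senicas-iPhone" followed by c048 (pointer to "local"), then a TXT, two PTR and one A record whose names are all pointers. The end offset returned by read_name is what makes the byte counting come out right: a name stored as a pointer occupies exactly two bytes in the record, however long the name it expands to.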
