xyz abc
asked on
DNS trace
Hi Team,
I am unable to see the DNS query in the wireshark trace , i tried deleting the cache , tried nslookup and also the browser.. Its the same issue,, no matter what i do i get the only response message in the DNS wireshark trace ,, it never captures the query message .. Also i dont see the reference part for packet number for query message of the DNS.. Let me know if there is any suggestion.
Regards..
I am unable to see the DNS query in the wireshark trace , i tried deleting the cache , tried nslookup and also the browser.. Its the same issue,, no matter what i do i get the only response message in the DNS wireshark trace ,, it never captures the query message .. Also i dont see the reference part for packet number for query message of the DNS.. Let me know if there is any suggestion.
Regards..
ASKER
Do you have any filters on?
---- No
Are you capturing the correct network interface?
Yes, I tried All Interfaces.
Have you tried capturing all network interfaces simultaneously?
Yes
I tried DNS, tcp.port==53 , udp.port==53
I tried for other websites internally in office i can see the query message part, But from internet i dont see the "Query Message " and under the packet there is no reference of packet number in query Response. So basically i see only Query responses no Queries captured in Wireshark.....
I cannot point this to google DNS since we have GSLB in picture the whole point of testing will be gone......
Not sure of this weird behavior.....
---- No
Are you capturing the correct network interface?
Yes, I tried All Interfaces.
Have you tried capturing all network interfaces simultaneously?
Yes
I tried DNS, tcp.port==53 , udp.port==53
I tried for other websites internally in office i can see the query message part, But from internet i dont see the "Query Message " and under the packet there is no reference of packet number in query Response. So basically i see only Query responses no Queries captured in Wireshark.....
I cannot point this to google DNS since we have GSLB in picture the whole point of testing will be gone......
Not sure of this weird behavior.....
I want to remind you that capture filters and display filters are two different kinds of filters.
Please try to capture all packets with a filter of "port 53", and do not use a display filter.
The purpose of testing against Google's DNS is to help troubleshoot your wireshark problems - it's not there to replace your existing DNS infrastructure. What I'm trying to get working is your ability to do Wireshark traces, not to test your GSLB infrastructure.
Please try to capture all packets with a filter of "port 53", and do not use a display filter.
The purpose of testing against Google's DNS is to help troubleshoot your wireshark problems - it's not there to replace your existing DNS infrastructure. What I'm trying to get working is your ability to do Wireshark traces, not to test your GSLB infrastructure.
ASKER
Ok Thanks Lester, I agree my point here is when the wireshark can capture the same queries sometimes and it doesnot sometimes... So i dont know if that is something wrong with wireshark.....
ASKER
I think its working.. My Apologies .... I think its capture filters..... i will confirm in sometime...
Thanks Lester.....
Thanks Lester.....
Good to hear :)
Wireshark doesn't have the ability to "choose" what kind of traffic to capture. It captures what you tell it to capture, and what the WinPCap Driver can see.
If you have a network infrastrucutre for example which uses 802.1x or IPSEC to communicate with certain servers - like your domain controllers (and subsequently, DNS), then you won't be able to use wireshark effectively, because most if not all of your traffic will be encyrpted, and undecipherable. Perhaps this is what you are experiencing?
Wireshark doesn't have the ability to "choose" what kind of traffic to capture. It captures what you tell it to capture, and what the WinPCap Driver can see.
If you have a network infrastrucutre for example which uses 802.1x or IPSEC to communicate with certain servers - like your domain controllers (and subsequently, DNS), then you won't be able to use wireshark effectively, because most if not all of your traffic will be encyrpted, and undecipherable. Perhaps this is what you are experiencing?
ASKER
Its looks like the same issue when i try from Internet... But it works from my office network... From internet No Query messages only responses....
ASKER
Does anyone what is going on.... ? I have the same issue even after setting the capture filter to port 53 as well no go...... And its only from internet.. when i try the same from office network it works perfectly fine... Any Wireshark DNS experts to help me.... ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Actually it never got fixed
Using a capture fulter of "port 53" will capture DNS queries both ways. Here is a sample trace when I ran "nslookup google.co.uk"
Tip: you can also specify a DNS server to query - try do this while running a capture:
Open in new window
This will force your query to go to Google's public DNS server at 8.8.8.8