Hostname lookups? (tcpdump output)

Florian Hengstberger e0025265 at student.tuwien.ac.at
Thu Dec 30 09:23:54 PST 2004


Hi!
I'm currently keeping track of all packets coming from my ISP
using tcpdump. I have a limited transfer rate and I'm wondering why there's
still (around 100KB per min) traffic although I have no
network connections open to the outside world.

So netstat gives me:

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  lazarus.49201          hpat989.external.http  TIME_WAIT
tcp4       0      0  lazarus.49199          66.102.9.104.http      ESTABLISHED
tcp4       0      0  localhost.smtp         *.*                    LISTEN
udp4       0      0  localhost.49158        localhost.ntp          
udp4       0      0  localhost.ntp          *.*                    
udp4       0      0  lazarus.ntp            *.*      

When I run tcpdump I get the following:

18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain:  46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562:  46387 NXDomain* 0/0/0 (43)
18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain:  46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
18:15:20.388817 ns1.wwpa.com.domain > lazarus.home.49563:  46388 NXDomain* 0/0/0 (42)
18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain:  46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564:  46389 1/0/0 (70)
18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain:  46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
18:15:23.456830 ns1.wwpa.com.domain > lazarus.home.49565:  46390 NXDomain* 0/0/0 (43)
18:15:25.191614 arp who-has 62.116.56.19 tell 62.116.56.1
18:15:25.386242 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:25.448443 lazarus.home.49566 > ns1.wwpa.com.domain:  46391+ PTR? 19.56.116.62.in-addr.arpa. (43)
18:15:25.494756 ns1.wwpa.com.domain > lazarus.home.49566:  46391 NXDomain* 0/0/0 (43)
18:15:28.109842 arp who-has 62.116.56.19 tell 62.116.56.1

First question:
The arp-query seems to be ok and unavoidable, but what about
the connections to ns1.wwpa.com.domain?
Looks like a reverse DNS lookup to me or something?
Why is this, is this dangerous, how can I avoid this?
Why does this connection not appear in netstat?

I use the standard client firewall, that's my /etc/rc.conf:
#setup the network
hostname="lazarus.home"
ifconfig_sis0="inet 62.116.56.107  netmask 255.255.255.128"
defaultrouter="62.116.56.1"
#ipv6_enable="YES"

#enable the standard firewall
firewall_enable="YES"
firewall_type="client"
firewall_quiet="NO"
firewall_logging="YES"

#enable services
sshd_enable="YES"
ntpd_enable="YES"
ntpd_flags="-c /etc/ntp.conf"

#system settings
keymap="german.iso"
#linux_enable="YES"
moused_enable="YES"

Secondly: I'm only running ntp and ssh (and mozilla), so why is a socket
listening on the smtp port?

Thanks in advance
Florian

PS: Sorry for the output of netstat and tcpdump
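An added example, not part of the post above: it parses the quoted tcpdump lines (re-joined onto single records and embedded as constructed sample input) and checks which addresses in the PTR queries were themselves just displayed in an ARP line of the same capture. That pattern is what the capturing host's own name resolution produces, which tcpdump performs by default unless run with -n; an address queried via PTR that never appeared in the capture is reported separately.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: records taken from the tcpdump output quoted in the post,
# each re-joined onto one line.
SAMPLE_CAPTURE = """\
18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain:  46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562:  46387 NXDomain* 0/0/0 (43)
18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain:  46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain:  46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain:  46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
"""

# ARP request as tcpdump prints it: timestamp, target address, sender address.
ARP_RE = re.compile(r"^(\S+) arp who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")
# PTR query: timestamp, then the four reversed octets of the in-addr.arpa name.
PTR_RE = re.compile(r"^(\S+) \S+ > \S+:\s+\d+\+ PTR\? (\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.")


def ptr_name_to_ip(o1: str, o2: str, o3: str, o4: str) -> str:
    """in-addr.arpa names list the octets in reverse order; undo that."""
    return ".".join([o4, o3, o2, o1])


def correlate(capture: str) -> Dict[str, Optional[str]]:
    """Map each address queried via PTR to the timestamp of the ARP record that
    first showed it, or None if no earlier record in the capture displayed it."""
    first_seen: Dict[str, str] = {}
    result: Dict[str, Optional[str]] = {}
    for line in capture.splitlines():
        m = ARP_RE.match(line)
        if m:
            ts, target, sender = m.groups()
            first_seen.setdefault(target, ts)
            first_seen.setdefault(sender, ts)
            continue
        m = PTR_RE.match(line)
        if m:
            ip = ptr_name_to_ip(*m.groups()[1:])
            result[ip] = first_seen.get(ip)
    return result


def unexplained(capture: str) -> List[str]:
    """Addresses looked up via PTR that no displayed ARP record accounts for."""
    return [ip for ip, ts in correlate(capture).items() if ts is None]
```

Run against the sample, every PTR query except the one for 62.116.33.193 maps back to an address tcpdump had just printed from an ARP record.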
