Hostname lookups? (tcpdump output)

Giorgos Keramidas keramida at ceid.upatras.gr
Mon Jan 3 15:30:03 PST 2005


On 2004-12-30 18:23, Florian Hengstberger <e0025265 at student.tuwien.ac.at> wrote:
> Hi!
> I'm currently keeping track of all packets coming from my ISP using
> tcpdump. I have a limited transfer rate and I'm wondering why there's
> still (around 100KB per min) traffic although I have no network
> connections open to the outside world.
>
> So netstat gives me:
>
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0  lazarus.49201          hpat989.external.http  TIME_WAIT
> tcp4       0      0  lazarus.49199          66.102.9.104.http      ESTABLISHED
> tcp4       0      0  localhost.smtp         *.*                    LISTEN
> udp4       0      0  localhost.49158        localhost.ntp
> udp4       0      0  localhost.ntp          *.*
> udp4       0      0  lazarus.ntp            *.*
>
> When I run tcpdump I get the following:
>
> 18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
> 18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain:  46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
> 18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562:  46387 NXDomain* 0/0/0 (43)
> 18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain:  46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
> 18:15:20.388817 ns1.wwpa.com.domain > lazarus.home.49563:  46388 NXDomain* 0/0/0 (42)
> 18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain:  46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
> 18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564:  46389 1/0/0 (70)
> 18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
> 18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain:  46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
> 18:15:23.456830 ns1.wwpa.com.domain > lazarus.home.49565:  46390 NXDomain* 0/0/0 (43)
> 18:15:25.191614 arp who-has 62.116.56.19 tell 62.116.56.1
> 18:15:25.386242 arp who-has 62.116.56.98 tell 62.116.56.1
> 18:15:25.448443 lazarus.home.49566 > ns1.wwpa.com.domain:  46391+ PTR? 19.56.116.62.in-addr.arpa. (43)
> 18:15:25.494756 ns1.wwpa.com.domain > lazarus.home.49566:  46391 NXDomain* 0/0/0 (43)
> 18:15:28.109842 arp who-has 62.116.56.19 tell 62.116.56.1

You have several programs that may be making the DNS queries you see:

a) Some HTTP servers attempt to resolve the IP addresses of the clients
that connect to them, in order to write host names (instead of IP
addresses) in their log files.

b) Sendmail or other MTAs may query the name of IP addresses that
connect to them, in an attempt to stop spammers, dialup users or other
clients that attempt to relay through them.

c) The tcpdump utility itself makes DNS queries for the IP addresses
that appear in traced packets, unless run with the -n option.
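The third point is easy to confirm from the capture itself: every reverse lookup in the quoted trace follows a packet that tcpdump had just printed with a new IP address in it, so the sniffer is generating part of the traffic it is measuring. The script below is an added example, not code from the thread or from FreeBSD. It parses the tcpdump lines quoted above (embedded verbatim as the sample), maps each `PTR?` query back to the address being resolved, attributes it to the most recent earlier packet that mentioned that address, and totals the DNS payload bytes tcpdump reports in parentheses. The 5-second attribution window is an assumption chosen for this sample.

```python
import re

# Sample trace: the tcpdump lines quoted in the thread, verbatim.
SAMPLE_TRACE = """\
18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain:  46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562:  46387 NXDomain* 0/0/0 (43)
18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain:  46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
18:15:20.388817 ns1.wwpa.com.domain > lazarus.home.49563:  46388 NXDomain* 0/0/0 (42)
18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain:  46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564:  46389 1/0/0 (70)
18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain:  46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
18:15:23.456830 ns1.wwpa.com.domain > lazarus.home.49565:  46390 NXDomain* 0/0/0 (43)
18:15:25.191614 arp who-has 62.116.56.19 tell 62.116.56.1
18:15:25.386242 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:25.448443 lazarus.home.49566 > ns1.wwpa.com.domain:  46391+ PTR? 19.56.116.62.in-addr.arpa. (43)
18:15:25.494756 ns1.wwpa.com.domain > lazarus.home.49566:  46391 NXDomain* 0/0/0 (43)
18:15:28.109842 arp who-has 62.116.56.19 tell 62.116.56.1
"""

ARP_RE = re.compile(r'^(\S+) arp who-has (\S+) tell (\S+)$')
# timestamp, src, dst, query id, '+' (recursion desired, i.e. a query), body, payload length
DNS_RE = re.compile(r'^(\S+) (\S+) > (\S+):\s+(\d+)(\+?) (.*?) \((\d+)\)$')
PTR_RE = re.compile(r'PTR\? (\S+)')


def ts_seconds(stamp):
    """'18:15:20.016995' -> seconds since midnight, for ordering and windows."""
    h, m, s = stamp.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def ptr_name_to_ip(name):
    """'99.56.116.62.in-addr.arpa.' -> '62.116.56.99' (IPv4 reverse-lookup names)."""
    labels = name.rstrip('.').split('.')
    if labels[-2:] != ['in-addr', 'arpa']:
        raise ValueError('not an IPv4 reverse-lookup name: %s' % name)
    return '.'.join(reversed(labels[:-2]))


def parse_line(line):
    """Classify one tcpdump line; returns None for lines we do not model."""
    m = ARP_RE.match(line)
    if m:
        return {'stamp': m.group(1), 't': ts_seconds(m.group(1)), 'kind': 'arp',
                'addrs': [m.group(2), m.group(3)], 'len': 0}
    m = DNS_RE.match(line)
    if m:
        kind = 'dns_query' if m.group(5) == '+' else 'dns_reply'
        ev = {'stamp': m.group(1), 't': ts_seconds(m.group(1)), 'kind': kind,
              'addrs': [], 'len': int(m.group(7))}
        p = PTR_RE.search(m.group(6))
        if p:
            ev['ptr_ip'] = ptr_name_to_ip(p.group(1))
        return ev
    return None


def attribute_ptr_queries(trace, window=5.0):
    """For each PTR query, return (queried_ip, timestamp of the most recent earlier
    packet within `window` seconds that mentioned that ip, or None).  A hit means
    the lookup is best explained by tcpdump resolving an address it just printed."""
    events = [e for e in (parse_line(l) for l in trace.splitlines()) if e]
    seen = []  # (t, stamp, address) for every address printed so far
    result = []
    for ev in events:
        if ev['kind'] == 'dns_query' and 'ptr_ip' in ev:
            ip, trigger = ev['ptr_ip'], None
            for t, stamp, addr in reversed(seen):
                if addr == ip and ev['t'] - t <= window:
                    trigger = stamp
                    break
            result.append((ip, trigger))
        for addr in ev['addrs']:
            seen.append((ev['t'], ev['stamp'], addr))
    return result


def dns_overhead(trace):
    """(number of DNS queries, total DNS payload bytes tcpdump reported in parentheses)."""
    events = [e for e in (parse_line(l) for l in trace.splitlines()) if e]
    queries = sum(1 for e in events if e['kind'] == 'dns_query')
    total = sum(e['len'] for e in events if e['kind'] in ('dns_query', 'dns_reply'))
    return queries, total


if __name__ == '__main__':
    hits = attribute_ptr_queries(SAMPLE_TRACE)
    explained = sum(1 for _, trig in hits if trig)
    print('%d of %d PTR queries follow a just-printed address' % (explained, len(hits)))
    print('DNS queries: %d, DNS payload bytes: %d' % dns_overhead(SAMPLE_TRACE))
    print("re-run as 'tcpdump -n' and the PTR traffic should disappear")
```

On the quoted trace, four of the five reverse lookups land within a second of an ARP packet that introduced the same address, and the DNS exchanges alone account for 456 payload bytes in eight seconds; the one unexplained query (for 62.116.33.193) is for an address no earlier line in the sample printed. Capturing with `-n` and comparing the counts is the quick way to separate tcpdump's own lookups from those of the HTTP server or MTA.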


