can anyone help diagnose this trace ??

What does this trace mean?

Where is it coming from?

Is it abnormal?

I have substituted aaa-bbb for the last portion of the ip
address

I have substituted "xxx" for the ip server domain
(mayby dumb because 12-203 is unique to it)

22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa.
(43) (DF)
22:00:04.679506 ns1."xxx".com.domain >
12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)

The trace repeats about once every 6 seconds.

Dan

dan <(E-Mail Removed)> wrote:
> What does this trace mean?

> Where is it coming from?

> Is it abnormal?

> I have substituted aaa-bbb for the last portion of the ip
> address

> I have substituted "xxx" for the ip server domain
> (mayby dumb because 12-203 is unique to it)

> 22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
> ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa.
> (43) (DF)
> 22:00:04.679506 ns1."xxx".com.domain >
> 12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)

Really dump as your or another IP from your LAN is still
readable for anyone and it perhaps tries to reverse lookups
itself asking your nameserver, if aaa=170 and bbb=7.
Perhaps some daemon trying to startup, hard to tell with
that bi data.

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM

Michael Heiming <michael+(E-Mail Removed)> wrote:
> dan <(E-Mail Removed)> wrote:
> > What does this trace mean?

> > Where is it coming from?

> > Is it abnormal?

> > I have substituted aaa-bbb for the last portion of the ip
> > address

> > I have substituted "xxx" for the ip server domain
> > (mayby dumb because 12-203 is unique to it)

> > 22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
> > ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa.
> > (43) (DF)
> > 22:00:04.679506 ns1."xxx".com.domain >
> > 12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)

> Really dump as your or another IP from your LAN is still
> readable for anyone and it perhaps tries to reverse lookups
> itself asking your nameserver, if aaa=170 and bbb=7.
> Perhaps some daemon trying to startup, hard to tell with
> that bi data.

Ops, should be aaa=7, bbb=170 of course, that's what you get from
it.

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM

On Sun, 19 Oct 2003 13:20:56 -0700, dan <(E-Mail Removed)> wrote:
> What does this trace mean?
>
> Where is it coming from?
>
> Is it abnormal?

It looks like your box is making a request from your port 1237 to your
ISP's nameserver on port 53 (domain). The nameserver answers from its
port 53 to your port 1237. That part is perfectly normal, but no clue why
every 6 seconds. Could be anything attempting to resolve a name or IP
(Win or internet file sharing, IM, worm, etc.).

> I have substituted aaa-bbb for the last portion of the ip
> address
>
> I have substituted "xxx" for the ip server domain
> (mayby dumb because 12-203 is unique to it)
>
> 22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
> ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa.
> (43) (DF)
> 22:00:04.679506 ns1."xxx".com.domain >
> 12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)
>
> The trace repeats about once every 6 seconds.
>
> Dan
>


--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/

Thanks,

I have additional information, the trace was output from:

tcpdump -i eth1

After more digging I came accross the use of '-n'.

Traces of:

tcpdump -i eth1 -n removed the dns requests. I have no idea
where the ip addresses in the dns were coming from. They did
not show up on the other trace. Are there any additional
thoughts on that one.

Dan

David Efflandt wrote:
> On Sun, 19 Oct 2003 13:20:56 -0700, dan <(E-Mail Removed)> wrote:
>
>>What does this trace mean?
>>
>>Where is it coming from?
>>
>>Is it abnormal?
>
>
> It looks like your box is making a request from your port 1237 to your
> ISP's nameserver on port 53 (domain). The nameserver answers from its
> port 53 to your port 1237. That part is perfectly normal, but no clue why
> every 6 seconds. Could be anything attempting to resolve a name or IP
> (Win or internet file sharing, IM, worm, etc.).
>
>
>>I have substituted aaa-bbb for the last portion of the ip
>>address
>>
>>I have substituted "xxx" for the ip server domain
>>(mayby dumb because 12-203 is unique to it)
>>
>>22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
>>ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa.
>>(43) (DF)
>>22:00:04.679506 ns1."xxx".com.domain >
>>12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)
>>
>>The trace repeats about once every 6 seconds.
>>
>>Dan
>>
>
>
>