can anyone help diagnose this trace ??

Discussion in 'Linux Networking' started by dan, Oct 19, 2003.

  1. dan

    dan Guest

    What does this trace mean?

    Where is it coming from?

    Is it abnormal?

    I have substituted aaa-bbb for the last portion of the ip

    I have substituted "xxx" for the ip server domain
    (maybe dumb because 12-203 is unique to it)

    22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
    ns1."xxx".com.domain: 2517+ PTR?
    (43) (DF)
    22:00:04.679506 ns1."xxx".com.domain >
    12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)

    The trace repeats about once every 6 seconds.

    dan, Oct 19, 2003
  2. Really dumb, as your or another IP from your LAN is still
    readable for anyone, and it perhaps tries reverse lookups
    itself asking your nameserver, if aaa=170 and bbb=7.
    Perhaps some daemon trying to start up, hard to tell with
    that bit of data.
    Michael Heiming, Oct 19, 2003
  3. Oops, should be aaa=7, bbb=170 of course, that's what you get from
    Michael Heiming, Oct 19, 2003
  4. It looks like your box is making a request from your port 1237 to your
    ISP's nameserver on port 53 (domain). The nameserver answers from its
    port 53 to your port 1237. That part is perfectly normal, but no clue why
    every 6 seconds. Could be anything attempting to resolve a name or IP
    (Win or internet file sharing, IM, worm, etc.).
    David Efflandt, Oct 21, 2003
  5. dan

    dan Guest


    I have additional information, the trace was output from:

    tcpdump -i eth1

    After more digging I came across the use of '-n'.

    Traces of:

    tcpdump -i eth1 -n removed the DNS requests. I have no idea
    where the IP addresses in the DNS were coming from. They did
    not show up on the other trace. Are there any additional
    thoughts on that one?

    dan, Oct 21, 2003
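What the thread ends up at is a well-known tcpdump side effect: without -n, tcpdump reverse-resolves every address it prints, and the PTR queries it sends to the configured resolver land in the very capture being taken, which is why they disappear with -n. The following is an added example, not code from the thread or from tcpdump: a small parser for the one-line DNS summary format quoted above, run over constructed sample lines, that pairs each query with its reply by transaction id and measures the spacing between the PTR queries. The host names, transaction ids and timestamps are made up for the example.

```python
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the one-line summary format tcpdump printed in the
# thread (captured without -n, so both endpoints appear as resolved names).
# Addresses, names and ids are invented; this is not a real capture.
SAMPLE = """\
22:00:04.642207 12-203-7-170.client.xxx.com.1237 > ns1.xxx.com.domain: 2517+ PTR? (43) (DF)
22:00:04.679506 ns1.xxx.com.domain > 12-203-7-170.client.xxx.com.1237: 2517* 1/4/4 (258) (DF)
22:00:10.651103 12-203-7-170.client.xxx.com.1238 > ns1.xxx.com.domain: 2518+ PTR? (43) (DF)
22:00:10.688215 ns1.xxx.com.domain > 12-203-7-170.client.xxx.com.1238: 2518* 1/4/4 (258) (DF)
22:00:16.660419 12-203-7-170.client.xxx.com.1239 > ns1.xxx.com.domain: 2519+ PTR? (43) (DF)
"""

# timestamp  src > dst:  txid[+*]  body  (length)  ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<txid>\d+)(?P<flag>[+*]?)\s+(?P<body>.*?)\s*\((?P<length>\d+)\)"
)


@dataclass
class DnsSummary:
    ts: float          # seconds since midnight
    src_host: str
    src_port: str      # tcpdump prints a service name ("domain") when it knows one
    dst_host: str
    dst_port: str
    txid: int          # DNS transaction id; the reply carries the same number
    is_query: bool     # sent to port 53 ("domain") => query; from port 53 => reply
    body: str          # "PTR?" for a query, "1/4/4" answer/authority/additional counts for a reply


def split_endpoint(ep: str) -> Tuple[str, str]:
    """tcpdump appends the port to the host with a dot: host.port"""
    host, _, port = ep.rpartition(".")
    return host, port


def parse_timestamp(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str) -> Optional[DnsSummary]:
    """Parse one summary line; returns None for lines that are not DNS summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return DnsSummary(
        ts=parse_timestamp(m["ts"]), src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port, txid=int(m["txid"]),
        is_query=dst_port in ("domain", "53"), body=m["body"].strip(),
    )


def parse_dump(text: str) -> List[DnsSummary]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def ptr_queries(records: List[DnsSummary]) -> List[DnsSummary]:
    return [r for r in records if r.is_query and r.body.startswith("PTR?")]


def query_intervals(queries: List[DnsSummary]) -> List[float]:
    """Seconds between consecutive queries; a steady value points at a periodic source."""
    return [b.ts - a.ts for a, b in zip(queries, queries[1:])]


def match_replies(records: List[DnsSummary]) -> Dict[int, Optional[DnsSummary]]:
    """Map each query's transaction id to its reply (None if no reply was seen)."""
    replies = {r.txid: r for r in records if not r.is_query}
    return {q.txid: replies.get(q.txid) for q in records if q.is_query}


def diagnose(text: str) -> Dict[str, object]:
    """Summarise the PTR traffic: how many queries, how regular, which went unanswered."""
    records = parse_dump(text)
    queries = ptr_queries(records)
    intervals = query_intervals(queries)
    paired = match_replies(records)
    return {
        "ptr_queries": len(queries),
        "period_s": round(statistics.median(intervals), 2) if intervals else None,
        "unanswered_txids": sorted(t for t, r in paired.items() if r is None),
        "resolver": queries[0].dst_host if queries else None,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A steady period with nothing in the foreground to account for it is the fingerprint of the capture tool's own resolution. The check is the one dan did: capture again with -n (or -nn, which also stops port-to-service lookups) and see whether the PTR queries vanish. If they persist with -n, they come from another process on the host, and the next step is to find what holds the source port shown in the trace.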
