Need help with reading tcpdump output for UDP Name Server Requests

To: debian-user@lists.debian.org
Subject: Need help with reading tcpdump output for UDP Name Server Requests
From: Paul E Condon <pecondon@quiknet.com>
Date: Thu, 22 Aug 2002 21:02:59 -0700
Message-id: <[🔎] 20020823040259.GA807@quiknet.com>
Mail-followup-to: debian-user@lists.debian.org

I am using tcpdump to answer some questions about the operation of my LAN. 
At the moment, I would like to understand some lines that report name server 
requests. I have the following lines in one run:

14:27:31.878854 big.lan.gnu.32770 > cmn.lan.gnu.domain:  52213+ AAAA? cmn.lan.gnu. (29) (DF)
14:27:31.879894 cmn.lan.gnu.domain > big.lan.gnu.32770:  52213 ServFail 0/0/0 (29)
14:27:31.880309 big.lan.gnu.32770 > cmn.lan.gnu.domain:  52213+ AAAA? cmn.lan.gnu. (29) (DF)
14:27:31.880691 cmn.lan.gnu.domain > big.lan.gnu.32770:  52213 ServFail 0/0/0 (29)
14:27:31.880961 big.lan.gnu.32770 > cmn.lan.gnu.domain:  52214+ AAAA? cmn. (21) (DF)

And these lines in another

14:59:08.604194 big.lan.gnu.32770 > cmn.lan.gnu.domain:  13694+ A? www.nytimes.com. (33) (DF)
14:59:13.612287 big.lan.gnu.32770 > cmn.lan.gnu.domain:  13694+ A? www.nytimes.com. (33) (DF)
14:59:18.623348 big.lan.gnu.32770 > cmn.lan.gnu.domain:  13695+ A? www.nytimes.com.lan.gnu. (41) (DF)
14:59:18.623992 cmn.lan.gnu.domain > big.lan.gnu.32770:  13695 ServFail 0/0/0 (41)
14:59:18.625343 big.lan.gnu.32770 > cmn.lan.gnu.domain:  13695+ A? www.nytimes.com.lan.gnu. (41) (DF)
14:59:18.625785 cmn.lan.gnu.domain > big.lan.gnu.32770:  13695 ServFail 0/0/0 (41)
14:59:18.626772 big.lan.gnu.32770 > cmn.lan.gnu.domain:  36845+ A? www.nytimes.com. (33) (DF)

These lines appear to match to formats of Name Server Requests and Responses as described in the 
tcpdump man page, except that I do not see an explanation for ' AAAA?'. In the man page there is an
explanation for ' A?'; it indicates a query that requests an address record, but there is not an 
exhaustive list of query types. Is ' AAAA?' a different query type, or is the 'AAA' following the 
initial ' A' a query class code. I don't see either an 'AAAA' class or an 'AAA' type documented in 
RFC-1035.

Where else should I look? 
Or is the answer so simple and obvious that someone can give it to me from memory? 
Or is this OT for this list? 
To what list should I go with this question?

TIA


-- 
Paul E Condon           
pecondon@quiknet.com

Reply to:

Follow-Ups:
- Re: Need help with reading tcpdump output for UDP Name Server Requests
  - From: Geoff Crompton <geoff.crompton@bjhcontrols.com.au>

Prev by Date: Re: newbie trying to install an application
Next by Date: RE: Need help with reading tcpdump output for UDP Name Server Req uests
Previous by thread: Re: How to install NVIDIA Geforce 4 and SoundMAX audio on woody ?
Next by thread: Re: Need help with reading tcpdump output for UDP Name Server Requests
Index(es):
- Date
- Thread