@n8fr8
Created February 10, 2022 22:41
inbound:
[IPv4 Header (20 bytes)]
Version: 4 (IPv4)
IHL: 5 (20 [bytes])
TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
Total length: 66 [bytes]
Identification: 25123
Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
Fragment offset: 0 (0 [bytes])
TTL: 64
Protocol: 17 (UDP)
Header checksum: 0x2074
Source address: /172.16.0.1
Destination address: /10.0.2.3
[UDP Header (8 bytes)]
Source port: 59317 (unknown)
Destination port: 53 (Domain Name Server)
Length: 46 [bytes]
Checksum: 0xe880
[DNS Header (38 bytes)]
ID: 0x9b3e
QR: query
OPCODE: 0 (Query)
Authoritative Answer: false
Truncated: false
Recursion Desired: true
Recursion Available: false
Reserved Bit: 0
Authentic Data: false
Checking Disabled: false
RCODE: 0 (No Error)
QDCOUNT: 1
ANCOUNT: 0
NSCOUNT: 0
ARCOUNT: 0
Question:
QNAME: check.torproject.org
QTYPE: 1 (A (Host address))
QCLASS: 1 (Internet (IN))
OUTBOUND
[IPv4 Header (20 bytes)]
Version: 4 (IPv4)
IHL: 5 (20 [bytes])
TOS: [precedence: 0 (Routine)] [lowDelay: false] [highThroughput: false] [highReliability: false] [seventhBit: 0] [eighthBit: 0]
Total length: 82 [bytes]
Identification: 0
Flags: (Reserved, Don't Fragment, More Fragment) = (false, false, false)
Fragment offset: 0 (0 [bytes])
TTL: 0
Protocol: 17 (UDP)
Header checksum: 0x0288
Source address: /10.0.2.3
Destination address: /172.16.0.1
[UDP Header (8 bytes)]
Source port: 53 (Domain Name Server)
Destination port: 59317 (unknown)
Length: 62 [bytes]
Checksum: 0xadbd
[DNS Header (54 bytes)]
ID: 0x9b3e
QR: response
OPCODE: 0 (Query)
Authoritative Answer: false
Truncated: false
Recursion Desired: false
Recursion Available: false
Reserved Bit: 0
Authentic Data: false
Checking Disabled: false
RCODE: 0 (No Error)
QDCOUNT: 0
ANCOUNT: 1
NSCOUNT: 0
ARCOUNT: 0
Question:
QNAME: check.torproject.org
QTYPE: 1 (A (Host address))
QCLASS: 1 (Internet (IN))
Answer:
NAME: .check.torproject.org (name: , pointer: 12)
TYPE: 1 (A (Host address))
CLASS: 1 (Internet (IN))
TTL: 3600
RDLENGTH: 4
RDATA:
A RDATA:
ADDRESS: 116.202.120.181 (encoded)

n8fr8 commented Feb 10, 2022

next packet:

[IPv4 Header (20 bytes)]
Version: 4 (IPv4)
IHL: 5 (20 [bytes])
TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
Total length: 55 [bytes]
Identification: 58063
Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
Fragment offset: 0 (0 [bytes])
TTL: 64
Protocol: 17 (UDP)
Header checksum: 0x97c1
Source address: /172.16.0.1
Destination address: /10.10.10.10
[UDP Header (8 bytes)]
Source port: 35609 (unknown)
Destination port: 53 (Domain Name Server)
Length: 35 [bytes]
Checksum: 0xc502
[DNS Header (27 bytes)]
ID: 0x3512
QR: query
OPCODE: 0 (Query)
Authoritative Answer: false
Truncated: false
Recursion Desired: true
Recursion Available: false
Reserved Bit: 0
Authentic Data: false
Checking Disabled: false
RCODE: 0 (No Error)
QDCOUNT: 1
ANCOUNT: 0
NSCOUNT: 0
ARCOUNT: 0
Question:
QNAME: xsbfipyca
QTYPE: 1 (A (Host address))
QCLASS: 1 (Internet (IN))

next response:

[IPv4 Header (20 bytes)]
Version: 4 (IPv4)
IHL: 5 (20 [bytes])
TOS: [precedence: 0 (Routine)] [lowDelay: false] [highThroughput: false] [highReliability: false] [seventhBit: 0] [eighthBit: 0]
Total length: 55 [bytes]
Identification: 0
Flags: (Reserved, Don't Fragment, More Fragment) = (false, false, false)
Fragment offset: 0 (0 [bytes])
TTL: 0
Protocol: 17 (UDP)
Header checksum: 0xfa91
Source address: /10.10.10.10
Destination address: /172.16.0.1
[UDP Header (8 bytes)]
Source port: 53 (Domain Name Server)
Destination port: 35609 (unknown)
Length: 35 [bytes]
Checksum: 0x4600
[DNS Header (27 bytes)]
ID: 0x3512
QR: response
OPCODE: 0 (Query)
Authoritative Answer: false
Truncated: false
Recursion Desired: false
Recursion Available: false
Reserved Bit: 0
Authentic Data: false
Checking Disabled: false
RCODE: 3 (Non-Existent Domain)
QDCOUNT: 0
ANCOUNT: 0
NSCOUNT: 0
ARCOUNT: 0
Question:
QNAME: xsbfipyca
QTYPE: 1 (A (Host address))
QCLASS: 1 (Internet (IN))


n8fr8 commented Feb 10, 2022

another one to google.com DNS lookup

REQUEST:

[IPv4 Header (20 bytes)]
Version: 4 (IPv4)
IHL: 5 (20 [bytes])
TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
Total length: 56 [bytes]
Identification: 39
Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
Fragment offset: 0 (0 [bytes])
TTL: 64
Protocol: 17 (UDP)
Header checksum: 0x7e6d
Source address: /172.16.0.1
Destination address: /8.8.8.8
[UDP Header (8 bytes)]
Source port: 12088 (unknown)
Destination port: 53 (Domain Name Server)
Length: 36 [bytes]
Checksum: 0xe665
[DNS Header (28 bytes)]
ID: 0x19f9
QR: query
OPCODE: 0 (Query)
Authoritative Answer: false
Truncated: false
Recursion Desired: true
Recursion Available: false
Reserved Bit: 0
Authentic Data: false
Checking Disabled: false
RCODE: 0 (No Error)
QDCOUNT: 1
ANCOUNT: 0
NSCOUNT: 0
ARCOUNT: 0
Question:
QNAME: google.com
QTYPE: 1 (A (Host address))
QCLASS: 1 (Internet (IN))

RESPONSE:

[IPv4 Header (20 bytes)]
Version: 4 (IPv4)
IHL: 5 (20 [bytes])
TOS: [precedence: 0 (Routine)] [lowDelay: false] [highThroughput: false] [highReliability: false] [seventhBit: 0] [eighthBit: 0]
Total length: 72 [bytes]
Identification: 0
Flags: (Reserved, Don't Fragment, More Fragment) = (false, false, false)
Fragment offset: 0 (0 [bytes])
TTL: 0
Protocol: 17 (UDP)
Header checksum: 0xfe84
Source address: /8.8.8.8
Destination address: /172.16.0.1
[UDP Header (8 bytes)]
Source port: 53 (Domain Name Server)
Destination port: 12088 (unknown)
Length: 52 [bytes]
Checksum: 0x5d5d
[DNS Header (44 bytes)]
ID: 0x19f9
QR: response
OPCODE: 0 (Query)
Authoritative Answer: false
Truncated: false
Recursion Desired: false
Recursion Available: false
Reserved Bit: 0
Authentic Data: false
Checking Disabled: false
RCODE: 0 (No Error)
QDCOUNT: 0
ANCOUNT: 1
NSCOUNT: 0
ARCOUNT: 0
Question:
QNAME: google.com
QTYPE: 1 (A (Host address))
QCLASS: 1 (Internet (IN))
Answer:
NAME: .google.com (name: , pointer: 12)
TYPE: 1 (A (Host address))
CLASS: 1 (Internet (IN))
TTL: 300
RDLENGTH: 4
RDATA:
A RDATA:
ADDRESS: 142.250.185.174 (encoded)
