Created
January 21, 2013 20:13
# dtruss: an strace equivalent for OSX
# dtruss nslookup www.google.com
Server: 192.168.1xx.2
Address: 192.168.1xx.2#53
Non-authoritative answer:
Name: www.google.com
Address: 197.80.128.24
SYSCALL(args) = return
issetugid(0x10B3CC000, 0x7FFF6AFCBD50, 0x7FFF6AFCBC00) = 0 0
...
...
open_nocancel("/dev/random\0", 0x0, 0x0) = 4 0
read_nocancel(0x4, "V\370\3xxxxxxxxxxx", 0x80) = 128 0
close_nocancel(0x4) = 0 0
open_nocancel("/dev/random\0", 0x0, 0x0) = 4 0
read_nocancel(0x4, "4#\207F\n\336V2xxxxxxx", 0x80) = 128 0
close_nocancel(0x4) = 0 0
socket(0x2, 0x2, 0x11) = 4 0
fcntl(0x4, 0x0, 0x14) = 20 0
close(0x4) = 0 0
fcntl(0x14, 0x3, 0x0) = 2 0
fcntl(0x14, 0x4, 0x6) = 0 0
setsockopt(0x14, 0xFFFF, 0x1022) = 0 0
setsockopt(0x14, 0xFFFF, 0x400) = 0 0
getsockopt(0x14, 0xFFFF, 0x1002) = 0 0
bind(0x14, 0x10B55C410, 0x10) = 0 0
recvmsg(0x14, 0x7FFF6AFCB930, 0x0) = -1 Err#35
kevent(0x3, 0x7FFF6AFCBA60, 0x1) = 0 0
sendmsg(0x14, 0x7FFF6AFCB8E0, 0x0) = 32 0
kevent(0x3, 0x0, 0x0) = 0 0
kevent(0x3, 0x0, 0x0) = 1 0
kevent(0x3, 0x7FFF6AFCBA90, 0x1) = 0 0
recvmsg(0x14, 0x7FFF6AFCB940, 0x0) = 48 0
fstat64(0x1, 0x7FFF6AFCA3E8, 0x7FFF6AFCA4AC) = 0 0
ioctl(0x1, 0x4004667A, 0x7FFF6AFCA484) = 0 0
write_nocancel(0x1, "Server:\t\t192.168.1xx.2\n\0", 0x17) = 23 0
write_nocancel(0x1, "Address:\t192.168.1xx.2#53\n\0", 0x1A) = 26 0
write_nocancel(0x1, "\n\0", 0x1) = 1 0
write_nocancel(0x1, "Non-authoritative answer:\n\0", 0x1A) = 26 0
write_nocancel(0x1, "Name:\twww.google.com\n\0", 0x15) = 21 0
write_nocancel(0x1, "Address: 197.80.128.24\n\0", 0x17) = 23 0
...
....
....
# Started a concurrent tshark capture session for a google.com lookup
$ tshark -r google.pcap -R "dns.qry.name==www.google.com" -V
Frame 61: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0
Interface id: 0
WTAP_ENCAP: 1
Arrival Time: Jan 21, 2013 21:57:30.182718000 SAST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1358798250.182718000 seconds
[Time delta from previous captured frame: 0.078960000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 2.722339000 seconds]
Frame Number: 61
Frame Length: 74 bytes (592 bits)
Capture Length: 74 bytes (592 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:dns]
Ethernet II, Src: Apple_xx:bb:cc (7c:d1:c3:xx:bb:cc), Dst: D-LinkIn_dd:ee:ff (c8:be:19:dd:ee:ff)
Destination: D-LinkIn_dd:ee:ff (c8:be:19:dd:ee:ff)
Address: D-LinkIn_dd:ee:ff (c8:be:19:dd:ee:ff)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Apple_xx:bb:cc (7c:d1:c3:xx:bb:cc)
Address: Apple_xx:bb:cc (7c:d1:c3:xx:bb:cc)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.1xx.101 (192.168.1xx.101), Dst: 192.168.1xx.2 (192.168.127.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 60
Identification: 0x6ddb (28123)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x8d1d [correct]
[Good: True]
[Bad: False]
Source: 192.168.1xx.101 (192.168.1xx.101)
Destination: 192.168.1xx.2 (192.168.127.2)
User Datagram Protocol, Src Port: 60346 (60346), Dst Port: domain (53)
Source port: 60346 (60346)
Destination port: domain (53)
Length: 40
Checksum: 0xad30 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Domain Name System (query)
Transaction ID: 0x581d
Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
www.google.com: type A, class IN
Name: www.google.com
Type: A (Host address)
Class: IN (0x0001)
Frame 62: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0
Interface id: 0
WTAP_ENCAP: 1
Arrival Time: Jan 21, 2013 21:57:30.184381000 SAST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1358798250.184381000 seconds
[Time delta from previous captured frame: 0.001663000 seconds]
[Time delta from previous displayed frame: 0.001663000 seconds]
[Time since reference or first frame: 2.724002000 seconds]
Frame Number: 62
Frame Length: 90 bytes (720 bits)
Capture Length: 90 bytes (720 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:dns]
Ethernet II, Src: D-LinkIn_dd:ee:ff (c8:be:19:dd:ee:ff), Dst: Apple_xx:bb:cc (7c:d1:c3:xx:bb:cc)
Destination: Apple_xx:bb:cc (7c:d1:c3:xx:bb:cc)
Address: Apple_xx:bb:cc (7c:d1:c3:xx:bb:cc)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: D-LinkIn_dd:ee:ff (c8:be:19:dd:ee:ff)
Address: D-LinkIn_dd:ee:ff (c8:be:19:dd:ee:ff)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.1xx.2 (192.168.127.2), Dst: 192.168.1xx.101 (192.168.1xx.101)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 76
Identification: 0x0000 (0)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xbae8 [correct]
[Good: True]
[Bad: False]
Source: 192.168.1xx.2 (192.168.127.2)
Destination: 192.168.1xx.101 (192.168.1xx.101)
User Datagram Protocol, Src Port: domain (53), Dst Port: 60346 (60346)
Source port: domain (53)
Destination port: 60346 (60346)
Length: 56
Checksum: 0x27fd [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Domain Name System (response)
[Request In: 61]
[Time: 0.001663000 seconds]
Transaction ID: 0x581d
Flags: 0x8000 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 0
Additional RRs: 0
Queries
www.google.com: type A, class IN
Name: www.google.com
Type: A (Host address)
Class: IN (0x0001)
Answers
www.google.com: type A, class IN, addr 197.80.128.24
Name: www.google.com
Type: A (Host address)
Class: IN (0x0001)
Time to live: 2 minutes, 30 seconds
Data length: 4
Addr: 197.80.128.24 (197.80.128.24)