The following is an excerpt from the output of tcpdump -nli eth1 'udp':
13:03:17.277327 IP 192.168.123.5.1065 > 192.168.5.112.53: 43653+ A? lpi.org. (25)
13:03:17.598624 IP 192.168.5.112.53 > 192.168.123.5.1065: 43653 1/0/0 A 24.215.7.109 (41)
Which network service or protocol was used?
A. FTP
B. HTTP
C. SSH
D. DNS
E. DHCP
Explanation:
tcpdump appends the port number to the IP address, so 192.168.5.112.53 shows that we connect to port 53, and /etc/services specifies port 53 as DNS.
# cat /etc/services
Domain 53/tcp # name-domain server
Domain 53/udp
Here is another example of tcpdump catching a DNS request and response:
11:17:44.585523 IP 10.1.112.106.48380 > 8.8.8.8.53: 7880+ A? www.google.at. (31)
11:17:44.621611 IP 8.8.8.8.53 > 10.1.112.106.48380: 7880 8/0/0 CNAME www.google.com., CNAME www.l.google.com., A 209.85.135.103, A 209.85.135.147, A 209.85.135.105, A 209.85.135.104, A 209.85.135.99, A 209.85.135.106 (175)
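The same reading of these lines, done in code. This is an added example, not part of the original question: a small Python parser for the tcpdump lines quoted above that splits off the port, reads the query ID and pairs each response with its request. The function names are illustrative, and it assumes IPv4 and tcpdump's default one-line DNS format.

```python
import re
# The four tcpdump lines quoted on this page, with the wrapped lines rejoined.
SAMPLE = """\
13:03:17.277327 IP 192.168.123.5.1065 > 192.168.5.112.53: 43653+ A? lpi.org. (25)
13:03:17.598624 IP 192.168.5.112.53 > 192.168.123.5.1065: 43653 1/0/0 A 24.215.7.109 (41)
11:17:44.585523 IP 10.1.112.106.48380 > 8.8.8.8.53: 7880+ A? www.google.at. (31)
11:17:44.621611 IP 8.8.8.8.53 > 10.1.112.106.48380: 7880 8/0/0 CNAME www.google.com., CNAME www.l.google.com., A 209.85.135.103, A 209.85.135.147, A 209.85.135.105, A 209.85.135.104, A 209.85.135.99, A 209.85.135.106 (175)
"""

# With -n, tcpdump prints an endpoint as a.b.c.d.port: the last field is the port.
EP = r"(\d+\.\d+\.\d+\.\d+)\.(\d+)"
LINE = re.compile(rf"^\S+ IP {EP} > {EP}: (\d+)(\S*) (.*) \((\d+)\)$")
QUERY = re.compile(r"^([A-Z]+)\? (\S+)$")          # e.g. "A? lpi.org."
ANSWER = re.compile(r"^(\d+)/(\d+)/(\d+) (.+)$")   # answer/authority/additional counts

def parse_line(line):
    """Parse one IPv4 DNS line; return a dict, or None if it is not recognised."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, txid, flags, rest, _length = m.groups()
    rec = {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "id": int(txid)}
    q, a = QUERY.match(rest), ANSWER.match(rest)
    if q:   # "+" after the query ID means recursion desired
        rec.update(kind="query", qtype=q.group(1), name=q.group(2), rd="+" in flags)
    elif a:
        rrs = [tuple(rr.split(" ", 1)) for rr in a.group(4).split(", ")]
        rec.update(kind="response", ancount=int(a.group(1)), answers=rrs)
    return rec if "kind" in rec else None

def pair_transactions(text):
    """Match each response to its query by swapped endpoints and equal query ID."""
    pending, paired, unmatched = {}, [], []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["kind"] == "query":
            pending[(rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["id"])] = rec
            continue
        key = (rec["dst"], rec["dport"], rec["src"], rec["sport"], rec["id"])
        query = pending.pop(key, None)
        if query:
            paired.append((query, rec))
        else:
            unmatched.append(rec)   # a response with no query seen in this capture
    return paired, unmatched

if __name__ == "__main__":
    for query, resp in pair_transactions(SAMPLE)[0]:
        print(query["name"], "via port", query["dport"], "->", resp["answers"])
```

Both requests go to destination port 53 and each response carries the same query ID as its request (43653 and 7880), which is what ties the pairs together.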