Wireshark-users: Re: [Wireshark-users] DNS Working but can't connect to anything

From: staedtlerx <staedtlerx@xxxxxxxxx>
Date: Tue, 27 Jan 2009 01:00:45 -0500
FWIW I have NO firewalls running and I get this same behavior in safe mode. What's perplexing is how everything works fine with my internal wifi but not the 4 other interfaces. Diags below:

ROUTE PRINT


===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x90002 ...00 1a 80 64 01 30 ...... Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.2     192.168.0.2       10
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2       10
        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2       10
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None

IPCONFIG

Windows IP Configuration

        Host Name . . . . . . . . . . . . : laptop
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : nyc.rr.com

Ethernet adapter Dock LAN:

        Connection-specific DNS Suffix  . : nyc.rr.com
        Description . . . . . . . . . . . : Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
        Physical Address. . . . . . . . . : 00-1A-80-64-01-30
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Lease Obtained. . . . . . . . . . : Tuesday, January 27, 2009 12:53:36 AM
        Lease Expires . . . . . . . . . . : Sunday, February 08, 2009 12:53:36 PM







On Tue, Jan 27, 2009 at 12:32 AM, Jim Young <sysjhy@xxxxxxxxxxxxxxx> wrote:
>>> staedtlerx <staedtlerx@xxxxxxxxx> 1/26/2009 11:16 PM >>>
> I tried NetMon - it appears to output the same exact info that Wireshark
> does. Should I somehow be invoking more info?

The two traces you sent both indicate that the Sony system (192.168.0.2)
--- the system that initiated the DNS queries --- is actually rejecting the DNS
replies it asked for!

The two ICMP  "Destination Unreachable (Port unreachable)" messages
within each trace are responses generated by your host (192.168.0.2) in
response the DNS response packets.

I've seen similar behavior when someone's workstation based firewall is
mis-configured, when multiple NIC cards are installed and mis-configured
or also (rarely) when the application that initiated the DNS request is no
longer listening on the UDP port that the request was initiated from.

FWIW: I doubt that your ping or tracert initiated DNS requests resulted
in the UDP port itself to be closed so soon after the requests was sent.
Generally speaking the Windows DNS stub resolver uses the same
ephemeral UDP port for all requests until the system is rebooted.  The
nslookup tool on the other hand uses a new ephemeral UDP port
for each DNS request.

It's seems somewhat odd that your system sends two DNS requests
so close in time to one other, but these are NOT duplicate packets,
each DNS request has a unique incrementing ip.id value.

Someone suggested that you show us a copy of how routing in
configured on this Windows machine.  You can generate this report
from a Windows cmd shell with the either of the following commands:

  route print

or

  netstat -r

Also a complete copy of your workstation's complete ip setup might
be useful:  e.g.

  ipconfig /all

Perhaps attaching the output of these two reports might shed some
light on what may be going on.

Best regards,

Jim Y.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe