Wireshark-users: Re: [Wireshark-users] Question about MDNS

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 24 May 2010 11:14:04 -0700
On May 24, 2010, at 10:24 AM, Terry Martin wrote:

> I am sniffing  wireless traffic and getting malformed MDNS packets.

More correctly, you are getting packets that Wireshark thinks should be dissected as MDNS packets, but where the Wireshark dissector is finding an error.

Unfortunately, TCP and UDP ports are, unlike, for example, Ethernet type values and IP protocol numbers, not all assigned *solely* for the use of a particular protocol.  As such, although port 5353 is assigned to Multicast DNS (MDNS), there is no *guarantee* that a packet sent to or from port 5353 is a MDNS packet.  (Well, technically, there's no guarantee that a packet with an Ethernet type of 0x0800 is an IPv4 packet, but machines that use 0x0800 for anything other than IPv4 will have a lot of difficulty working with any other equipment on an Ethernet, so that's a lot less likely.)

> Here is an example ( I have changed the addresses to protect the innocent) :
>  
> No.     Time        Source                Destination           Protocol Info
>       5 5.735756    10.1.17.32             178.27.05.50          MDNS     Standard query[Malformed Packet]
>  
> Frame 5 (114 bytes on wire, 114 bytes captured)
> Ethernet II, Src: Dell_70:41:da (00:24:e8:27:41:da), Dst: AxiomTec_43:f9:0b (00:82:e0:43:f9:0b)
> Internet Protocol, Src: 10.1.17.32 (10.1.17.32), Dst: 178.27.05.50 (178.27.05.50)
> User Datagram Protocol, Src Port: mdns (5353), Dst Port: movaz-ssc (5252)
> Domain Name System (query)
> [Malformed Packet: DNS]

The error occurred so early in the dissection that I suspect that this is not, in fact, an MDNS packet.

The name of one of the biggest users of MDNS doesn't appear in the dissection of the Ethernet source or destination address, but Mac OS X and iPhone OS aren't the *only* OSes using it, so that doesn't inherently prove that it's not MDNS - for example, Apple has "Bonjour for Windows" software, so Windows can use MDNS as well (I don't know whether any other software for Windows, or newer versions of Windows itself, uses it), there exist MDNS implementations for UN*Xes other than OS X and iPhone OS, and I think, for example, some printers use it.

Axiomtek - the AxiomTec in the dissection of the destination address - is a maker of industrial PCs, so they might be using some industrial control protocol.  Port 5252 is apparently assigned to "Movaz SSC"; I'm not sure what "Movaz SSC" is, although there was a company "Movaz Networks" that made wavelength-division multiplexing equipment (i.e., frequency-division multiplexing at *extremely* high frequencies :-)), who were bought by ADVA Optical Networking.

What sort of traffic are you running on your network - especially any industrial control or specialized low-level network monitoring traffic?  ("Low-level" in the sense of "well below the IP or other network-layer protocols", i.e. protocols that might deal with particular physical networking technologies.)  That might be the protocol being used here.
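The point made above, that a datagram on port 5353 is only MDNS if its bytes actually parse as a DNS message, can be checked outside Wireshark with a small plausibility test. The following is an added example, not Wireshark's dissector code and not anything posted in this thread: it parses the 12-byte DNS header and the question section, stopping at the first thing a dissector would flag (record counts that cannot fit in the payload, a label longer than 63 octets, a name running off the end, a compression pointer that does not point backwards). The sample payloads are constructed for the example; the build_query helper and the "plausible/reason" result format are this example's own, not a standard API.

```python
import struct

MAX_LABEL = 63    # RFC 1035 label length limit
MAX_NAME = 255    # RFC 1035 total name length limit
MAX_POINTER_HOPS = 16


def parse_name(payload: bytes, offset: int):
    """Decode a DNS name starting at `offset`.

    Returns (name, offset_after_name). Raises ValueError for the kinds of
    damage a DNS dissector reports as a malformed packet.
    """
    labels = []
    total_len = 0
    jumped = False
    end_after_pointer = None
    hops = 0
    while True:
        if offset >= len(payload):
            raise ValueError("name runs past end of packet")
        length = payload[offset]
        if length == 0:                      # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if offset + 1 >= len(payload):
                raise ValueError("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | payload[offset + 1]
            if pointer >= offset:            # pointers may only refer to earlier data
                raise ValueError("compression pointer does not point backwards")
            if not jumped:
                end_after_pointer = offset + 2
                jumped = True
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length > MAX_LABEL:
            raise ValueError(f"label length {length} exceeds {MAX_LABEL}")
        total_len += length + 1
        if total_len > MAX_NAME:
            raise ValueError(f"name exceeds {MAX_NAME} octets")
        label = payload[offset + 1:offset + 1 + length]
        if len(label) < length:
            raise ValueError("label runs past end of packet")
        labels.append(label.decode("ascii", errors="replace"))
        offset += 1 + length
    return ".".join(labels), (end_after_pointer if jumped else offset)


def classify_dns_payload(payload: bytes) -> dict:
    """Judge whether a UDP payload plausibly is a DNS/mDNS message.

    Returns {"plausible": bool, "reason": str, "questions": [...]}.
    """
    questions = []
    if len(payload) < 12:
        return {"plausible": False, "reason": "shorter than the 12-byte DNS header", "questions": questions}
    _tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):        # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return {"plausible": False, "reason": f"unassigned opcode {opcode}", "questions": questions}
    # Smallest possible encodings: a question is root name + type + class (5 octets),
    # a resource record is root name + 10 octets of fixed fields (11 octets).
    min_size = qd * 5 + (an + ns + ar) * 11
    remaining = len(payload) - 12
    if min_size > remaining:
        return {"plausible": False,
                "reason": f"section counts (qd={qd}, an={an}, ns={ns}, ar={ar}) need at least "
                          f"{min_size} octets but only {remaining} follow the header",
                "questions": questions}
    offset = 12
    try:
        for _ in range(qd):
            name, offset = parse_name(payload, offset)
            if offset + 4 > len(payload):
                raise ValueError("question truncated before type/class")
            qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
            offset += 4
            questions.append({"name": name, "type": qtype,
                              "class": qclass & 0x7FFF,
                              "unicast_response": bool(qclass & 0x8000)})  # mDNS QU bit
    except ValueError as exc:
        return {"plausible": False, "reason": f"malformed question section: {exc}", "questions": questions}
    return {"plausible": True, "reason": "header and question section parse cleanly", "questions": questions}


def build_query(name: str, qtype: int = 12, unicast_response: bool = False) -> bytes:
    """Constructed sample: a single-question mDNS query (transaction id 0)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    qclass = 1 | (0x8000 if unicast_response else 0)
    return header + qname + struct.pack("!HH", qtype, qclass)


# Constructed sample payloads: one real-looking mDNS service enumeration query,
# one 72-octet non-DNS blob (the UDP payload size of a 114-octet Ethernet frame),
# and one DNS header whose single question is cut off mid-name.
SAMPLE_MDNS = build_query("_services._dns-sd._udp.local", unicast_response=True)
SAMPLE_BLOB = bytes(range(72))
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + b"\x05local"

if __name__ == "__main__":
    for label, sample in (("mdns", SAMPLE_MDNS), ("blob", SAMPLE_BLOB), ("truncated", SAMPLE_TRUNCATED)):
        verdict = classify_dns_payload(sample)
        print(f"{label:10} plausible={verdict['plausible']} reason={verdict['reason']}")
```

Running the checker over a capture's port-5353 payloads separates datagrams that fail in the first few octets (as the frame in the thread does) from ones that carry a well-formed question section; the former are the ones worth attributing to some other protocol sharing the port.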