dns request, response malformed?

Following are three DNS requests from a QNAP NAS device, and responses from a Samba 4.7 Internal DNS server. The first is straightforward enough, but on the second and third both the request and response are found to be "Malformed" by Wireshark. I'm wondering if this has to do with the problem I'm seeing between my QNAP and my Samba DCs.

The capture file is here: https://drive.google.com/open?id=1qG4g0KwQlLESH9ec0oLoXo2ghcmB2WZw

Here's the first one, just asking for the LDAP SRV records for the domain, and getting the correct response:

No.     Time           Source          Destination           Protocol Length Info
      1 0.000000       wilkins3.intranet.seamanpaper.com moa.intranet.seamanpaper.com DNS      89     Standard query 0x0000 SRV _ldap._tcp.ma.seamanpaper.com

Frame 1: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface 0
Ethernet II, Src: Qnap_27:e2:59 (24:5e:be:27:e2:59), Dst: RealtekU_4b:a0:b7 (52:54:00:4b:a0:b7)
Internet Protocol Version 4, Src: wilkins3.intranet.seamanpaper.com (192.168.10.152), Dst: moa.intranet.seamanpaper.com (192.168.10.104)
User Datagram Protocol, Src Port: 40429 (40429), Dst Port: domain (53)
Domain Name System (query)

No.     Time           Source          Destination           Protocol Length Info
      2 0.001159       moa.intranet.seamanpaper.com wilkins3.intranet.seamanpaper.com DNS  232    Standard query response 0x0000 SRV _ldap._tcp.ma.seamanpaper.com SRV 0 100 389 emu.ma.seamanpaper.com SRV 0 100 389 moa.ma.seamanpaper.com SRV 0 100 389 ava.ma.seamanpaper.com SRV 0 100 389 auk.ma.seamanpaper.com SOA moa.ma.seamanpaper.com

Frame 2: 232 bytes on wire (1856 bits), 232 bytes captured (1856 bits) on interface 0
Ethernet II, Src: RealtekU_4b:a0:b7 (52:54:00:4b:a0:b7), Dst: Qnap_27:e2:59 (24:5e:be:27:e2:59)
Internet Protocol Version 4, Src: moa.intranet.seamanpaper.com (192.168.10.104), Dst: wilkins3.intranet.seamanpaper.com (192.168.10.152)
User Datagram Protocol, Src Port: domain (53), Dst Port: 40429 (40429)
Domain Name System (response)

Here's the second:

   No.     Time           Source                Destination           Protocol Length Info
         3 0.001255       wilkins3.intranet.seamanpaper.com auk.intranet.seamanpaper.com DNS      64     Standard query 0x0001[Malformed Packet]

    Frame 3: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
    Ethernet II, Src: Qnap_27:e2:59 (24:5e:be:27:e2:59), Dst: RealtekU_a9:12:d7 (52:54:00:a9:12:d7)
    Internet Protocol Version 4, Src: wilkins3.intranet.seamanpaper.com (192.168.10.152), Dst: auk.intranet.seamanpaper.com (192.168.10.109)
    User Datagram Protocol, Src Port: 40429 (40429), Dst Port: domain (53)
    Domain Name System (query)
    [Malformed Packet: DNS]
        [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
            [Malformed Packet (Exception occurred)]
            [Severity level: Error]
            [Group: Malformed]

    No.     Time           Source                Destination           Protocol Length Info
          4 0.001940       auk.intranet.seamanpaper.com wilkins3.intranet.seamanpaper.com DNS      64     Standard query response 0x0001 Format error[Malformed Packet]

    Frame 4: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
    Ethernet II, Src: RealtekU_a9:12:d7 (52:54:00:a9:12:d7), Dst: Qnap_27:e2:59 (24:5e:be:27:e2:59)
    Internet Protocol Version 4, Src: auk.intranet.seamanpaper.com (192.168.10.109), Dst: wilkins3.intranet.seamanpaper.com (192.168.10.152)
    User Datagram Protocol, Src Port: domain (53), Dst Port: 40429 (40429)
    Domain Name System (response)
    [Malformed Packet: DNS]
        [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
            [Malformed Packet (Exception occurred)]
            [Severity level: Error

And the third:

No.     Time           Source                Destination           Protocol Length Info
      5 0.001941       wilkins3.intranet.seamanpaper.com moa.intranet.seamanpaper.com DNS      64     Standard query 0x0002[Malformed Packet]

Frame 5: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Ethernet II, Src: Qnap_27:e2:59 (24:5e:be:27:e2:59), Dst: RealtekU_4b:a0:b7 (52:54:00:4b:a0:b7)
Internet Protocol Version 4, Src: wilkins3.intranet.seamanpaper.com (192.168.10.152), Dst: moa.intranet.seamanpaper.com (192.168.10.104)
User Datagram Protocol, Src Port: 40429 (40429), Dst Port: domain (53)
Domain Name System (query)
[Malformed Packet: DNS]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

No.     Time           Source                Destination           Protocol Length Info
      6 0.002399       moa.intranet.seamanpaper.com wilkins3.intranet.seamanpaper.com DNS      64     Standard query response 0x0002 Format error[Malformed Packet]

Frame 6: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Ethernet II, Src: RealtekU_4b:a0:b7 (52:54:00:4b:a0:b7), Dst: Qnap_27:e2:59 (24:5e:be:27:e2:59)
Internet Protocol Version 4, Src: moa.intranet.seamanpaper.com (192.168.10.104), Dst: wilkins3.intranet.seamanpaper.com (192.168.10.152)
User Datagram Protocol, Src Port: domain (53), Dst Port: 40429 (40429)
Domain Name System (response)
[Malformed Packet: DNS]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

I don't have enough karma to upload the capture file.
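
A length check that can be run against the figures in the post, as an added example that is not part of the original question: a well-formed SRV query for the name shown is 47 bytes of DNS, which with 42 bytes of assumed Ethernet II, IPv4 and UDP headers gives the 89 bytes of frame 1, whereas a 64-byte frame leaves at most 22 bytes for DNS. `build_query`, `check_query` and both sample payloads are constructed for illustration; the cut payload exercises the parser's failure path and is not the content of frames 3 to 6.

```python
import struct

# Assumed framing: Ethernet II (14) + IPv4 without options (20) + UDP (8), no VLAN tag.
OVERHEAD = 14 + 20 + 8

def build_query(qname, qtype=33, qclass=1, txid=0):
    """Encode a one-question query (QTYPE 33 = SRV, QCLASS 1 = IN)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, QDCOUNT = 1
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, qclass)

def check_query(payload):
    """Walk the header and question section; return (ok, detail)."""
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    qdcount = struct.unpack("!6H", payload[:12])[2]
    off = 12
    for q in range(qdcount):
        while True:
            if off >= len(payload):
                return False, f"question {q}: name runs past end of payload"
            n = payload[off]
            off += 1
            if n == 0:            # root label terminates the name
                break
            if n > 63:            # strict: no pointers or reserved bits in a query name
                return False, f"question {q}: invalid label length byte 0x{n:02x}"
            if off + n > len(payload):
                return False, f"question {q}: label of {n} bytes runs past end of payload"
            off += n
        if off + 4 > len(payload):
            return False, f"question {q}: QTYPE/QCLASS missing"
        off += 4
    return True, f"{qdcount} question(s), {off} bytes parsed, {len(payload) - off} trailing"

# Constructed samples, not bytes taken from the capture.
GOOD = build_query("_ldap._tcp.ma.seamanpaper.com")
CUT = GOOD[:64 - OVERHEAD]   # the same query cut to what a 64-byte frame can carry

if __name__ == "__main__":
    print(len(GOOD) + OVERHEAD, check_query(GOOD))
    print(len(CUT) + OVERHEAD, check_query(CUT))
```

Feeding the function the real UDP payload of a flagged frame (copied from Wireshark's packet bytes pane) shows at which field the question section stops parsing.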