I'm sending and recieving a packet with the module scapy.
a = sr(IP(src="192.168.1.100",dst="8.8.4.4")/UDP(sport=RandShort(),dport=53)/DNS(rd=1,qd=DNSQR(qname="google.com",qtype="ALL",qclass="IN"),ar=DNSRROPT(rclass=3000)),timeout=1)
If I display the packet size of of the command and response:
#command size
print len(a[0][0][0])
>67
#response size
print len(a[0][0][1])
>496
But if I capture the packets with Wireshark, it shows me a packet length:
command: 83 bytes
response: 512 bytes
So we know in Wireshark we have an additional size of 16 bytes for command and response..
83-67 =16
512-496 =16
And I want to know (just for educational proposes) what are the additional 16 bytes captured by Wireshark? Somebody have a deep 'knowhow' in networking and can tell me what happens?
EDIT:
Output of a[0].summary():
IP / UDP / DNS Qry "google.com" ==> IP / UDP / DNS Ans "74.125.68.102"
Output of a[0][0][0].show():
###[ IP ]###
version = 4
ihl = None
tos = 0x0
len = **67**
id = 1
flags =
frag = 0
ttl = 64
proto = udp
chksum = None
src = 192.168.1.100
dst = 8.8.4.4
\options \
###[ UDP ]###
sport = 41454
dport = domain
len = None
chksum = None
###[ DNS ]###
id = 0
qr = 0
opcode = QUERY
aa = 0
tc = 0
rd = 1
ra = 0
z = 0
ad = 0
cd = 0
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 1
\qd \
|###[ DNS Question Record ]###
| qname = 'google.com'
| qtype = ALL
| qclass = IN
an = None
ns = None
\ar \
|###[ DNS OPT Resource Record ]###
| rrname = '.'
| type = OPT
| rclass = 3000
| extrcode = 0
| version = 0
| z = D0
| rdlen = None
| \rdata \
Output of a[0].show():
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = **496**
id = 41777
flags =
frag = 0L
ttl = 56
proto = udp
chksum = 0xfb3
src = 8.8.4.4
dst = 192.168.1.100
\options \
###[ UDP ]###
sport = domain
dport = 41454
len = 476
chksum = 0x2fef
###[ DNS ]###
id = 0
qr = 1L
opcode = QUERY
aa = 0L
tc = 0L
rd = 1L
ra = 1L
z = 0L
ad = 0L
cd = 0L
rcode = ok
qdcount = 1
ancount = 19
nscount = 0
arcount = 1
\qd \
|###[ DNS Question Record ]###
| qname = 'google.com.'
| qtype = ALL
| qclass = IN
\an \
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.102'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.113'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.139'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.100'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.138'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.101'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = AAAA
| rclass = IN
| ttl = 299
| rdlen = 16
| rdata = '2404:6800:4003:c02::65'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = NS
| rclass = IN
| ttl = 21599
| rdlen = 16
| rdata = 'ns2.google.com.'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 17
| rdata = '\x00\x14\x04alt1\x05aspmx\x01l\xc0\x0c'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = SOA
| rclass = IN
| ttl = 59
| rdlen = 34
| rdata = '\xc0\xa4\tdns-admin\xc0\x0c\x07\xbe\xf2\xb0\x00\x00\x03\x84\x00\x00\x03\x84\x00\x00\x07\x08\x00\x00\x00<'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 9
| rdata = '\x00(\x04alt3\xc0\xbd'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 4
| rdata = '\x00\n\xc0\xbd'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = 257
| rclass = IN
| ttl = 21599
| rdlen = 19
| rdata = '\x00\x05issuesymantec.com'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = NS
| rclass = IN
| ttl = 21599
| rdlen = 16
| rdata = 'ns3.google.com.'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 9
| rdata = '\x00\x1e\x04alt2\xc0\xbd'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = NS
| rclass = IN
| ttl = 21599
| rdlen = 16
| rdata = 'ns1.google.com.'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 9
| rdata = '\x002\x04alt4\xc0\xbd'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = TXT
| rclass = IN
| ttl = 3599
| rdlen = 36
| rdata = 'v=spf1 include:_spf.google.com ~all'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = NS
| rclass = IN
| ttl = 21599
| rdlen = 16
| rdata = 'ns4.google.com.'
ns = None
\ar \
|###[ DNS OPT Resource Record ]###
| rrname = '.'
| type = OPT
| rclass = 512
| extrcode = 0
| version = 0
| z = D0
| rdlen = 0
| \rdata \
a[0].summary()to let people understand what is going on here. – Pierre