> The newsletter is only sent out once a day, so I would have to wait > until tomorrow. I'll record it then. I have already experimented with > tshark and recorded port 53.
When you run your packet capture, do not restrict your capture to only port 53. As a general rule, always keep your filtering as open as possible. That will allow for capturing potentially critical evidence such as ICMP error messages, ARP broadcasts, etc... or the absence of such things when they should be there. So at minimum add "icmp and arp" to your filter expression. > What I noticed as a network layman is that a certain > response takes much longer on server 1 with the problems than > on server 2. Your tshark snippets do not show "a certain response" taking much longer. That might be the explanation, but what you show is not proof of that. Your snippets only show response packets with varying amounts of separation between them. Without the request packet which generated the response, we can't calculate an actual time to respond, and have no way of knowing with certainty what the situation really is. Another general rulle: don't limit the amount of information you provide to those who are trying to help you or make them infer information. It's fine to mention only certain packets in an email, but put the full packet capture on a public resource somewhere accessible. Michael Batchelder ISC Support
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
