gamelinux / passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
http://gamelinux.org/

Failed UDP packets #109

Open robcza opened 5 years ago

robcza commented 5 years ago

I have an issue with failed UDP packets, although the traffic looks good to me and Wireshark also:

Therefore I don't think this is similar to this issue: https://github.com/gamelinux/passivedns/issues/106

The pcap has been anonymized by dnswasher, however the original pcap has exactly the same results. failedupd-anon.zip

passivedns -r ./failedudp-anon.pcap

[*] PassiveDNS 1.2.1
[*] By Edward Bjarte Fjellskål <edward.fjellskaal@gmail.com>
[*] Using libpcap version 1.8.1
[*] Using ldns version 1.7.0
[*] Reading from file ./failedudp-anon.pcap

1542877131.333128||0.0.0.3||127.0.0.1||IN||google.com.||A||172.217.23.206||189||1

-- Total DNS records allocated            :           1
-- Total DNS assets allocated             :           1
-- Total DNS packets over IPv4/TCP        :           0
-- Total DNS packets over IPv6/TCP        :           0
-- Total DNS packets over TCP decoded     :           0
-- Total DNS packets over TCP failed      :           0
-- Total DNS packets over IPv4/UDP        :          81
-- Total DNS packets over IPv6/UDP        :           0
-- Total DNS packets over UDP decoded     :           1
-- Total DNS packets over UDP failed      :          80
-- Total packets received from libpcap    :         130
-- Total Ethernet packets received        :           0
-- Total VLAN packets received            :           0

[*] passivedns ended.

Any idea why the packets are failing?

robcza commented 5 years ago

We have found the reason, the whole packet is shifted by VLAN and it does not match the passivedns packet structure, though it is a valid UDP packet. Not sure how to fix it though.
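The VLAN shift robcza describes, as an added example that is not passivedns code: a hypothetical helper that hops over any 802.1Q/802.1ad tags before locating the IPv4, UDP and DNS headers, run over a constructed frame that carries the reply from the log above (MAC addresses, client port 50000 and the transaction ID are made up; the addresses, record and TTL come from the log line). The tag count it reports is the figure a decoder would need for the "Total VLAN packets received" counter, which stays at 0 in the run above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not passivedns code: walk an Ethernet frame, skip any
 * 802.1Q/802.1ad VLAN tags, then IPv4 and UDP, and return the offset of the DNS
 * payload, or -1 if the frame is not IPv4/UDP to or from port 53 or is truncated. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
int dns_payload_offset(const uint8_t *pkt, size_t len, int *vlan_tags)
{
    size_t off = 12;                                      /* dst MAC + src MAC */
    *vlan_tags = 0;
    if (len < 14) return -1;
    uint16_t etype = rd16(pkt + off);
    off += 2;
    /* 0x8100 = 802.1Q, 0x88A8 = 802.1ad (QinQ); each tag inserts 4 bytes */
    while ((etype == 0x8100 || etype == 0x88A8) && off + 4 <= len) {
        (*vlan_tags)++;
        etype = rd16(pkt + off + 2);                      /* inner ethertype */
        off += 4;
    }
    if (etype != 0x0800 || off + 20 > len) return -1;     /* IPv4 only here */
    const uint8_t *ip = pkt + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || off + ihl + 8 > len) return -1;
    if (ip[9] != 17) return -1;                           /* protocol != UDP */
    off += ihl;
    if (rd16(pkt + off) != 53 && rd16(pkt + off + 2) != 53) return -1;
    return (int)(off + 8);                                /* DNS header starts */
}

/* Constructed sample: 802.1Q tag (VLAN 100) + IPv4/UDP reply 127.0.0.1:53 ->
 * 0.0.0.3:50000, google.com A 172.217.23.206, TTL 189 (values from the log). */
const uint8_t vlan_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0x00,0x64, 0x08,0x00,                      /* tag, then IPv4 */
    0x45,0x00,0x00,0x48, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x7f,0x00,0x00,0x01, 0x00,0x00,0x00,0x03,
    0x00,0x35, 0xc3,0x50, 0x00,0x34, 0x00,0x00,           /* UDP 53 -> 50000 */
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    0x06,'g','o','o','g','l','e', 0x03,'c','o','m', 0x00, 0x00,0x01, 0x00,0x01,
    0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0xbd, 0x00,0x04, 0xac,0xd9,0x17,0xce,
};
int main(void)
{
    int tags, off = dns_payload_offset(vlan_frame, sizeof vlan_frame, &tags);
    printf("VLAN tags: %d, DNS payload at offset %d\n", tags, off);  /* 1, 46 */
    return 0;
}
```

Without the tag loop the same frame parses the TCI bytes as the start of the IP header, which is the kind of mismatch that shows up as a "UDP failed" count rather than a decoded record.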