// First, I need to convert the copy-pasted hexdump (in pkt.hex) to a binary file. // I'll use xxd in reverse mode, but I need to strip the addresses first. firefly:~ user$ cut -c10- pkt.hex 4500 0073 8276 0000 3e11 10dd 81aa 1104 81aa d4ce 0035 fcb1 005f d5bb 6d0f 8180 0001 0000 0001 0000 0574 6168 6f65 0263 7309 6461 7274 6d6f 7574 6803 6564 7500 001c 0001 c012 0006 0001 0000 0b70 0023 c012 0a70 6f73 746d 6173 7465 72c0 1200 0500 4300 0012 c000 000e 1000 000e 1000 000e 10 firefly:~ user$ cut -c10- pkt.hex | xxd -rp > pkt.bin // Check that it worked as intended: firefly:~ user$ xxd pkt.bin 0000000: 4500 0073 8276 0000 3e11 10dd 81aa 1104 E..s.v..>....... 0000010: 81aa d4ce 0035 fcb1 005f d5bb 6d0f 8180 .....5..._..m... 0000020: 0001 0000 0001 0000 0574 6168 6f65 0263 .........tahoe.c 0000030: 7309 6461 7274 6d6f 7574 6803 6564 7500 s.dartmouth.edu. 0000040: 001c 0001 c012 0006 0001 0000 0b70 0023 .............p.# 0000050: c012 0a70 6f73 746d 6173 7465 72c0 1200 ...postmaster... 0000060: 0500 4300 0012 c000 000e 1000 000e 1000 ..C............. 0000070: 000e 10 // Now to feed it to scapy: firefly:~ user$ scapy INFO: Can't import PyX. Won't be able to use psdump() or pdfdump(). WARNING: No route found for IPv6 destination :: (no default route?) Welcome to Scapy (2.3.1) >>> f = open("pkt.bin", "r") >>> buff = f.read() >>> len(buff) 115 >>> hexdump(buff) 0000 45 00 00 73 82 76 00 00 3E 11 10 DD 81 AA 11 04 E..s.v..>....... 0010 81 AA D4 CE 00 35 FC B1 00 5F D5 BB 6D 0F 81 80 .....5..._..m... 0020 00 01 00 00 00 01 00 00 05 74 61 68 6F 65 02 63 .........tahoe.c 0030 73 09 64 61 72 74 6D 6F 75 74 68 03 65 64 75 00 s.dartmouth.edu. 0040 00 1C 00 01 C0 12 00 06 00 01 00 00 0B 70 00 23 .............p.# 0050 C0 12 0A 70 6F 73 74 6D 61 73 74 65 72 C0 12 00 ...postmaster... 0060 05 00 43 00 00 12 C0 00 00 0E 10 00 00 0E 10 00 ..C............. 0070 00 0E 10 ... >>> IP(buff).show() ###[ IP ]### version= 4L ihl= 5L tos= 0x0 len= 115 id= 33398 flags= frag= 0L ttl= 62 proto= udp chksum= 0x10dd src= 129.170.17.4 dst= 129.170.212.206 \options\ ###[ UDP ]### sport= domain dport= 64689 len= 95 chksum= 0xd5bb ###[ DNS ]### id= 27919 qr= 1L opcode= QUERY aa= 0L tc= 0L rd= 1L ra= 1L z= 0L ad= 0L cd= 0L rcode= ok qdcount= 1 ancount= 0 nscount= 1 arcount= 0 \qd\ |###[ DNS Question Record ]### | qname= 'tahoe.cs.dartmouth.edu.' | qtype= AAAA | qclass= IN an= None \ns\ |###[ DNS Resource Record ]### | rrname= 'cs.dartmouth.edu.' | type= SOA | rclass= IN | ttl= 2928 | rdlen= 35 | rdata= '\xc0\x12\npostmaster\xc0\x12\x00\x05\x00C\x00\x00\x12\xc0\x00\x00\x0e\x10\x00\x00\x0e\x10\x00\x00\x0e\x10' ar= None >>> [1]+ Stopped scapy // OK, so this is a SOA record, which I got for asking 129.170.17.4 for the // AAAA record of tahoe.cs.dartmouth.edu! 129.170.17.4 doesn't know, but // delegates to cs.dartmouth.edu . // Do I get the same when I ask for that record? firefly:~ user$ dig @129.170.17.4 aaaa tahoe.cs.dartmouth.edu ; <<>> DiG 9.8.3-P1 <<>> @129.170.17.4 aaaa tahoe.cs.dartmouth.edu ; (1 server found) ;; global options: +cmd ;; connection timed out; no servers could be reached // Too bad 129.170.17.4 will not answer to my home network! So I run the same // command on tahoe: firefly:~ user$ ssh tahoe dig @129.170.17.4 aaaa tahoe.cs.dartmouth.edu ; <<>> DiG 9.10.4-P8-RedHat-9.10.4-5.P8.fc25 <<>> @129.170.17.4 aaaa tahoe.cs.dartmouth.edu ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51302 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;tahoe.cs.dartmouth.edu. IN AAAA ;; AUTHORITY SECTION: cs.dartmouth.edu. 3600 IN SOA cs.dartmouth.edu. postmaster.cs.dartmouth.edu. 327747 4800 3600 3600 3600 ;; Query time: 1 msec ;; SERVER: 129.170.17.4#53(129.170.17.4) ;; WHEN: Thu Jun 01 19:30:23 EDT 2017 ;; MSG SIZE rcvd: 98 // Yup, that's what it does.