7.2.3.5 Lab - Using Wireshark to Examine a UDP DNS Capture

Upload: puracremas
Post on 26-Dec-2015

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Topology

Objectives

Part 1: Record a PC's IP Configuration Information
Part 2: Use Wireshark to Capture DNS Queries and Responses
Part 3: Analyze Captured DNS or UDP Packets

Background / Scenario

If you have ever used the Internet, you have used the Domain Name System (DNS). DNS is a distributed network of servers that translates user-friendly domain names like www.google.com to an IP address. When you type a website URL into your browser, your PC performs a DNS query to the DNS server's IP address. Your PC's DNS query and the DNS server's response make use of the User Datagram Protocol (UDP) as the transport layer protocol. UDP is connectionless and does not require a session setup as TCP does. DNS queries and responses are very small and do not require the overhead of TCP. (TCP is still used by DNS when a response is too large for a single datagram, in which case the server sets the truncated flag and the client retries over TCP, and for zone transfers; ordinary name lookups such as the one in this lab use UDP.)

In this lab, you will communicate with a DNS server by sending a DNS query using the UDP transport protocol. You will use Wireshark to examine the DNS query and response exchanges with the name server.

Note: This lab cannot be completed using Netlab. This lab assumes that you have Internet access.

Required Resources

1 PC (Windows 7, Vista, or XP with command prompt access, Internet access, and Wireshark installed)

Part 1: Record a PC's IP Configuration Information

In Part 1, you will use the ipconfig /all command on your local PC to find and record the MAC and IP addresses of your PC's network interface card (NIC), the IP address of the specified default gateway, and the DNS server IP address specified for the PC. Record this information in the table provided. The information will be used in the following parts of this lab for packet analysis.

IP address:
MAC address:
Default gateway IP address:
DNS server IP address:

Part 2: Use Wireshark to Capture DNS Queries and Responses

In Part 2, you will set up Wireshark to capture DNS query and response packets to demonstrate the use of the UDP transport protocol while communicating with a DNS server.

a. Click the Windows Start button and navigate to the Wireshark program.

Note: If Wireshark is not yet installed, it can be downloaded at http://www.wireshark.org/download.html.

b. Select an interface for Wireshark to capture packets on. Use the Interface List to choose the interface that is associated with the PC's IP and Media Access Control (MAC) addresses recorded in Part 1.

c. After selecting the desired interface, click Start to capture the packets.

d. Open a web browser and type www.google.com. Press Enter to continue.

e. Click Stop to stop the Wireshark capture when you see Google's home page.

Part 3: Analyze Captured DNS or UDP Packets

In Part 3, you will examine the UDP packets that were generated when communicating with a DNS server for the IP addresses of www.google.com.

Step 1: Filter DNS packets.

a. In the Wireshark main window, type dns in the entry area of the Filter toolbar. Click Apply or press Enter.

Note: If you do not see any results after the DNS filter is applied, close the web browser and, in the command prompt window, type ipconfig /flushdns to remove all previously cached DNS results (a cached answer means the browser never has to send a query, so there is nothing to capture). Restart the Wireshark capture and repeat the instructions in Part 2b to 2e. If this does not resolve the issue, in the command prompt window you can type nslookup www.google.com as an alternative to the web browser.

b. In the packet list pane (top section) of the main window, locate the packet that includes "standard query" and "A www.google.com". See frame 4 as an example.

Step 2: Examine the UDP segment using the DNS query.

Examine UDP by using a DNS query for www.google.com as captured by Wireshark. In this example, Wireshark capture frame 4 in the packet list pane is selected for analysis. The protocols in this query are displayed in the packet details pane (middle section) of the main window. The protocol entries are highlighted in gray.

a. In the packet details pane, frame 4 was 74 bytes on the wire, as displayed on the first line. That is the total size, Ethernet, IP, and UDP headers plus the DNS query itself, needed to ask a name server for the IP addresses of www.google.com.

b. The Ethernet II line displays the source and destination MAC addresses. The source MAC address is that of your local PC, because your local PC originated the DNS query. The destination MAC address is that of the default gateway, because this is the last stop before the query exits the local network.

Is the source MAC address the same as the one recorded in Part 1 for the local PC?

c. In the Internet Protocol Version 4 line, the captured IP packet indicates that the source IP address of this DNS query is 192.168.1.11, and the destination IP address is 192.168.1.1. In this example, the destination address is the default gateway. The router is the default gateway in this network. Note that the destination IP address of a DNS query is always the DNS server's address; it equals the gateway address here only because the router in this example is also the DNS server configured on the PC (compare the two addresses you recorded in Part 1). The destination MAC address, by contrast, is the gateway's whenever the server is outside the local network, whatever the server's IP address is.

Can you pair up the IP and MAC addresses for the source and destination devices?

Device            IP Address        MAC Address
Local PC
Default Gateway

The IP packet and its header encapsulate the UDP segment. The UDP segment contains the DNS query as its data.

d. A UDP header has only four fields: source port, destination port, length, and checksum. Each field is 16 bits, so the whole header is 8 bytes.

Expand the User Datagram Protocol in the packet details pane by clicking the plus (+) sign. Notice that there are only four fields. The source port number in this example is 52110. The source port was randomly chosen by the local PC from the port numbers that are not reserved (an ephemeral port). The destination port is 53. Port 53 is a well-known port reserved for use with DNS. DNS servers listen on port 53 for DNS queries from clients.

In this example, the length of this UDP segment is 40 bytes. Of the 40 bytes, 8 bytes are the header. The other 32 bytes are the DNS query data. The 32 bytes of DNS query data are highlighted in the packet bytes pane (lower section) of the Wireshark main window when the DNS entry is selected.

The checksum is used to determine the integrity of the segment after it has traversed the Internet. It is computed over the UDP header, the data, and a pseudo-header taken from the IP addresses and protocol number, so it also catches a datagram delivered to the wrong host. It detects accidental corruption only and offers no protection against deliberate modification.

The UDP header has low overhead because UDP does not have fields that are associated with the three-way handshake in TCP. Any data transfer reliability issues that occur must be handled by the application layer.
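The byte counts above (32 bytes of DNS data, a 40-byte UDP segment, 74 bytes on the wire) can be reproduced by building the same query by hand. The following Python is an added example written for this page, not part of the Cisco lab: it encodes the question name as DNS labels, wraps the query in a UDP header with the lab's example addresses and ports (192.168.1.11 to 192.168.1.1, port 52110 to port 53), and computes and verifies the RFC 768 checksum over the pseudo-header. The transaction ID 0x1234, the IANA dynamic port range for the client's random source port, an untagged Ethernet frame, and an IPv4 header without options are assumptions made here.

```python
"""Added example: rebuild the DNS query from Step 2 and account for its bytes.

Assumptions (not from the lab): transaction ID 0x1234, an untagged Ethernet
frame, an IPv4 header without options, and the IANA dynamic port range for
the client's randomly chosen source port.
"""
import random
import struct

DNS_PORT = 53          # well-known port on which DNS servers listen
ETHERNET_HEADER = 14   # destination MAC + source MAC + EtherType, no VLAN tag
IPV4_HEADER = 20       # minimum IPv4 header (no options)
UDP_HEADER = 8         # source port, destination port, length, checksum: 4 x 16 bits


def encode_name(name):
    """Encode a domain name as DNS labels: 'www.google.com' -> 3www6google3com0 (16 bytes)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"          # zero-length root label terminates the name


def build_query(name, txid, qtype=1):
    """Standard query (QR=0, opcode 0, RD=1) for one A record (qtype 1) in class IN."""
    flags = 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QD=1, AN=NS=AR=0
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def _ipv4_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def udp_checksum(src_ip, dst_ip, udp_segment):
    """RFC 768 checksum: ones' complement sum over the IPv4 pseudo-header and the segment."""
    pseudo = _ipv4_bytes(src_ip) + _ipv4_bytes(dst_ip) + struct.pack("!BBH", 0, 17, len(udp_segment))
    data = pseudo + udp_segment
    if len(data) % 2:
        data += b"\x00"           # pad an odd-length segment for 16-bit summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:            # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF   # a computed zero is transmitted as all ones


def build_udp_segment(src_ip, dst_ip, src_port, payload):
    """UDP header (ports, length, checksum) followed by the DNS message."""
    length = UDP_HEADER + len(payload)
    unsummed = struct.pack("!HHHH", src_port, DNS_PORT, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, unsummed)
    return struct.pack("!HHHH", src_port, DNS_PORT, length, csum) + payload


def parse_udp_header(udp_segment):
    """Return (source port, destination port, length, checksum) from the first 8 bytes."""
    return struct.unpack("!HHHH", udp_segment[:8])


def verify_udp_checksum(src_ip, dst_ip, udp_segment):
    """True if the stored checksum matches; None if the sender left it zero (allowed on IPv4)."""
    stored = parse_udp_header(udp_segment)[3]
    if stored == 0:
        return None
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    return udp_checksum(src_ip, dst_ip, zeroed) == stored


def ephemeral_port():
    """Random source port from the dynamic range, never a reserved well-known port."""
    return random.SystemRandom().randint(49152, 65535)


def query_byte_budget(name="www.google.com", src_port=52110):
    """Reproduce the lab's frame 4 figures: DNS data, UDP length, and frame size."""
    query = build_query(name, txid=0x1234)
    segment = build_udp_segment("192.168.1.11", "192.168.1.1", src_port, query)
    return {
        "dns_bytes": len(query),                      # 12-byte header + 16-byte name + 4
        "udp_length": parse_udp_header(segment)[2],   # 8-byte header + DNS data
        "frame_bytes": ETHERNET_HEADER + IPV4_HEADER + len(segment),
    }


if __name__ == "__main__":
    print(query_byte_budget())   # {'dns_bytes': 32, 'udp_length': 40, 'frame_bytes': 74}
```

The 32 DNS bytes are the fixed 12-byte DNS header, the 16-byte encoded name, and 4 bytes of type and class; adding the 8-byte UDP header gives the 40-byte length field, and the IPv4 and Ethernet headers bring the frame to 74 bytes. Because the pseudo-header is part of the sum, verify_udp_checksum fails as soon as either IP address is changed, which is why Wireshark reports the UDP checksum as bad when a capture has been rewritten with different addresses.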

Record your Wireshark results in the table below:

Frame Size:
Source MAC address:
Destination MAC address:
Source IP address:
Destination IP address:
Source Port:
Destination Port:

Is the source IP address the same as the local PC's IP address recorded in Part 1?

Is the destination IP address the same as the default gateway noted in Part 1?

Step 3: Examine UDP using the DNS response.

In this step, you will examine the DNS response packet and verify that the DNS response packet also uses UDP.

a. In this example, frame 5 is the corresponding DNS response packet. Notice that the number of bytes on the wire is 290. It is a larger packet than the DNS query packet, because it carries the question back plus the answer records.

b. In the Ethernet II frame for the DNS response, from what device is the source MAC address, and what device is the destination MAC address?

c. Notice the source and destination IP addresses in the IP packet. What is the destination IP address? What is the source IP address?

Destination IP address:
Source IP address:

What happened to the roles of source and destination for the local host and default gateway?

d. In the UDP segment, the roles of the port numbers have also reversed. The destination port number is 52110. Port number 52110 is the same port that was generated by the local PC when the DNS query was sent to the DNS server. Your local PC listens for a DNS response on this port.

The source port number is 53. The DNS server listens for a DNS query on port 53 and then sends a DNS response with a source port number of 53 back to the originator of the DNS query.

Because UDP sets up no connection, the reversed address and port pair, together with the 16-bit Transaction ID shown at the top of the DNS entry (the response echoes the ID of the query), is all the local PC has to tie this response to the query it sent; a reply that does not match on these is discarded.

When the DNS response is expanded, notice the resolved IP addresses for www.google.com in the Answers section.
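The matching described in Step 3 can be shown end to end by parsing a response and checking it against the outstanding query. The following Python is an added example written for this page, not part of the Cisco lab: it parses a constructed DNS response (two A records for www.google.com, following the RFC 1035 name-compression pointers that Wireshark resolves for you in the Answers section) and accepts it only when it arrives from port 53 to the query's source port 52110 with the query's transaction ID and question. The transaction ID 0x1234 and the RFC 5737 documentation addresses 192.0.2.1 and 192.0.2.2 are assumptions; the lab's real frame 5 carries Google's actual addresses and is larger.

```python
"""Added example: parse the DNS response from Step 3 and match it to its query.

SAMPLE_RESPONSE is constructed for this example (transaction ID 0x1234 and the
RFC 5737 documentation addresses 192.0.2.1 and 192.0.2.2 are assumptions); the
lab's real frame 5 carries Google's actual addresses.
"""
import struct

DNS_PORT = 53

# Constructed reply to a query for www.google.com A IN with transaction ID 0x1234.
SAMPLE_RESPONSE = (
    b"\x12\x34"                          # transaction ID echoed from the query
    b"\x81\x80"                          # flags: QR=1 (response), RD=1, RA=1, RCODE=0
    b"\x00\x01\x00\x02\x00\x00\x00\x00"  # 1 question, 2 answers, 0 authority, 0 additional
    b"\x03www\x06google\x03com\x00"      # question name as labels (starts at offset 12)
    b"\x00\x01\x00\x01"                  # QTYPE A, QCLASS IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"  # A 192.0.2.1, TTL 300
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x02"  # A 192.0.2.2, TTL 300
)


def parse_name(msg, offset):
    """Decode labels at offset, following 0xC0 compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # pointer to a name earlier in the message
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2                    # reading resumes after the first pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 64:                           # malformed pointer loop: refuse to spin
                raise ValueError("compression pointer loop")
            continue
        if length == 0:                             # root label ends the name
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg):
    """Return header fields, the question section, and the A records in the Answers section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = parse_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(ancount):
        name, offset = parse_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if (rtype, rclass, rdlength) == (1, 1, 4):              # A record, class IN
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def match_response(pending, src_port, dst_port, msg):
    """Accept a reply only if its ports reverse the query's and its ID and question match."""
    if (src_port, dst_port) != (DNS_PORT, pending["src_port"]):
        return None                  # not from port 53 to the port we chose for the query
    response = parse_response(msg)
    if response["txid"] != pending["txid"]:
        return None                  # transaction ID does not echo ours
    if response["questions"] != [pending["question"]]:
        return None                  # answers a different question
    return response


def resolved_addresses(pending, src_port, dst_port, msg):
    """Addresses from the Answers section, or [] if the reply does not belong to the query."""
    response = match_response(pending, src_port, dst_port, msg)
    return [addr for _, _, addr in response["answers"]] if response else []


# State the client kept after sending the query in Step 2 (assumed transaction ID).
PENDING_QUERY = {"txid": 0x1234, "src_port": 52110, "question": ("www.google.com", 1, 1)}

if __name__ == "__main__":
    print(resolved_addresses(PENDING_QUERY, 53, 52110, SAMPLE_RESPONSE))  # ['192.0.2.1', '192.0.2.2']
```

Each answer's owner name is the two-byte pointer 0xC00C, which points back to offset 12 where the question name lives; that is why the response is smaller than it would be with the name repeated, and why a parser has to guard against pointer loops in malformed packets. Changing the destination port, the source port, or the transaction ID in the call makes resolved_addresses return an empty list, which is the behaviour the lab describes when it says the PC listens for the response on the port it generated.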

Reflection

What are the benefits of using UDP instead of TCP as a transport protocol for DNS?