Lab - Using Wireshark to Examine a UDP DNS Capture

Topology

Objectives

Part 1: Record a PC's IP Configuration Information
Part 2: Use Wireshark to Capture DNS Queries and Responses
Part 3: Analyze Captured DNS or UDP Packets

Background / Scenario

If you have ever used the Internet, you have used the Domain Name System (DNS). DNS is a distributed network of servers that translates user-friendly domain names like www.google.com to an IP address. When you type a website URL into your browser, your PC performs a DNS query to the DNS server's IP address. Your PC's DNS server query and the DNS server's response make use of the User Datagram Protocol (UDP) as the transport layer protocol. UDP is connectionless and does not require a session setup as does TCP. DNS queries and responses are very small and do not require the overhead of TCP.

In this lab, you will communicate with a DNS server by sending a DNS query using the UDP transport protocol. You will use Wireshark to examine the DNS query and response exchanges with the name server.

Note: This lab cannot be completed using Netlab. This lab assumes that you have Internet access.
Required Resources

1 PC (Windows 7, Vista, or XP with command prompt access, Internet access, and Wireshark installed)

Part 1: Record a PC's IP Configuration Information

In Part 1, you will use the ipconfig /all command on your local PC to find and record the MAC and IP addresses of your PC's network interface card (NIC), the IP address of the specified default gateway, and the DNS server IP address specified for the PC. Record this information in the table provided. The information will be used in the following parts of this lab with packet analysis.

IP address: 192.168.1.5
MAC address: 00-24-21-A2-E3-52
Default gateway IP address: 192.168.1.1
DNS server IP address: 200.107.10.52

Part 2: Use Wireshark to Capture DNS Queries and Responses

In Part 2, you will set up Wireshark to capture DNS query and response packets to demonstrate the use of the UDP transport protocol while communicating with a DNS server.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6
a. Click the Windows Start button and navigate to the Wireshark program.

Note: If Wireshark is not yet installed, it can be downloaded at http://www.wireshark.org/download.html.

b. Select an interface for Wireshark for capturing packets. Use the Interface List to choose the interface that is associated with the recorded PC's IP and Media Access Control (MAC) addresses in Part 1.

c. After selecting the desired interface, click Start to capture the packets.

d. Open a web browser and type www.google.com. Press Enter to continue.

e. Click Stop to stop the Wireshark capture when you see Google's home page.
Part 3: Analyze Captured DNS or UDP Packets

In Part 3, you will examine the UDP packets that were generated when communicating with a DNS server for the IP addresses for www.google.com.

Step 1: Filter DNS packets.

a. In the Wireshark main window, type dns in the entry area of the Filter toolbar. Click Apply or press Enter.

Note: If you do not see any results after the DNS filter was applied, close the web browser and, in the command prompt window, type ipconfig /flushdns to remove all previous DNS results. Restart the Wireshark capture and repeat the instructions in Part 2b to 2e. If this does not resolve the issue, in the command prompt window you can type nslookup www.google.com as an alternative to the web browser.
Step 2: Examine UDP segment using DNS query.

Examine UDP by using a DNS query for www.google.com as captured by Wireshark. In this example, Wireshark capture frame 4 in the packet list pane is selected for analysis. The protocols in this query are displayed in the packet details pane (middle section) of the main window. The protocol entries are highlighted in gray.

a. In the packet details pane, frame 4 had 74 bytes of data on the wire as displayed on the first line. This is the number of bytes to send a DNS query to a name server requesting the IP addresses of www.google.com.

b. The Ethernet II line displays the source and destination MAC addresses. The source MAC address is from your local PC because your local PC originated the DNS query. The destination MAC address is from the default gateway, because this is the last stop before this query exits the local network. Is the source MAC address the same as recorded from Part 1 for the local PC?

Yes

c. In the Internet Protocol Version 4 line, the IP packet Wireshark capture indicates that the source IP address of this DNS query is 192.168.1.11, and the destination IP address is 192.168.1.1. In this example, the destination address is the default gateway. The router is the default gateway in this network. Can you pair up the IP and MAC addresses for the source and destination devices?

Device          | IP Address   | MAC Address
Local PC        | 192.168.1.5  | 00-24-21-A2-E3-52
Default Gateway | 192.168.1.1  | a0-f3-c1-65-84-14

d. The IP packet and header encapsulates the UDP segment. The UDP segment contains the DNS query as the data. A UDP header only has four fields: source port, destination port, length, and checksum. Each field in the UDP header is only 16 bits as depicted below.

Expand the User Datagram Protocol in the packet details pane by clicking the plus (+) sign. Notice that there are only four fields. The source port number in this example is 52110. The source port was
In this example, the length of this UDP segment is 40 bytes. Out of 40 bytes, 8 bytes are used as header. The other 32 bytes are used by DNS query data. The 32 bytes of DNS query data is highlighted in the following illustration in the packet bytes pane (lower section) of the Wireshark main window.

The checksum is used to determine the integrity of the packet after it has traversed the Internet. The UDP header has low overhead because UDP does not have fields that are associated with the three-way handshake in TCP. Any data transfer reliability issues that occur must be handled by the application layer.

Record your Wireshark results in the table below:

Frame Size:
Source MAC address:
Destination MAC address:
Source IP address:
Destination IP address:
Source Port:
Destination Port:

Is the source IP address the same as the local PC's IP address recorded in Part 1?

Yes
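The byte counts above (32 bytes of DNS data, a 40-byte UDP segment, 74 bytes on the wire) can be reproduced by hand. The following Python script is an added example, not part of the Cisco lab: it encodes the same www.google.com A query, wraps it in a UDP header with the four 16-bit fields and the lab's example addresses and ports, and computes the RFC 768 checksum over the IPv4 pseudo-header. The transaction ID 0x1234 and the 20-byte IPv4 header (no options) are assumptions.

```python
import socket
import struct

# Constructed values taken from the lab's sample capture (addresses, ports).
SRC_IP, DST_IP = "192.168.1.11", "192.168.1.1"
SRC_PORT, DNS_PORT = 52110, 53
ETH_HDR, IPV4_HDR, UDP_HDR = 14, 20, 8  # header sizes in bytes; assumes no IP options

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A query: 12-byte header, length-prefixed labels, root label, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit one's-complement sum used by the UDP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 17, UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)

def build_udp_segment(sport: int, dport: int, payload: bytes, src_ip: str, dst_ip: str) -> bytes:
    """The four 16-bit fields (source port, destination port, length, checksum) plus payload."""
    length = UDP_HDR + len(payload)
    unchecked = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = ~ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + unchecked) & 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload  # RFC 768: 0 -> 0xFFFF

def parse_udp_header(segment: bytes) -> dict:
    """Decode the 8-byte UDP header exactly as Wireshark shows its four fields."""
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:UDP_HDR])
    return {"src_port": sport, "dst_port": dport, "length": length, "checksum": csum}

def udp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A valid segment sums (with its checksum field included) to all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def frame_size(dns_payload: bytes) -> int:
    """Bytes on the wire as Wireshark reports them: Ethernet + IPv4 + UDP + DNS."""
    return ETH_HDR + IPV4_HDR + UDP_HDR + len(dns_payload)
```

Calling build_udp_segment(SRC_PORT, DNS_PORT, build_dns_query("www.google.com"), SRC_IP, DST_IP) yields a 40-byte segment whose parsed header shows 52110 -> 53 and length 40, and frame_size of the query is 74; swapping the port and address arguments models the response segment of Part 3.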
a. In this example, frame 5 is the corresponding DNS response packet. Notice the number of bytes on the wire is 290 bytes. It is a larger packet as compared to the DNS query packet.

b. In the Ethernet II frame for the DNS response, from what device is the source MAC address and what device is the destination MAC address?

From the DNS server and from the local machine

c. Notice the source and destination IP addresses in the IP packet. What is the destination IP address? What is the source IP address?

Destination IP address: 192.168.1.5
Source IP address: 200.107.10.52

What happened to the roles of source and destination for the local host and default gateway?

They were reversed

d. In the UDP segment, the role of the port numbers has also reversed. The destination port number is 52110. Port number 52110 is the same port that was generated by the local PC when the DNS query was sent to the DNS server. Your local PC listens for a DNS response on this port. The source port number is 53. The DNS server listens for a DNS query on port 53 and then sends a DNS response with a source port number of 53 back to the originator of the DNS query. When the DNS response is expanded, notice the resolved IP addresses for www.google.com in the Answers section.
Reflection

What are the benefits of using UDP instead of TCP as a transport protocol for DNS?

The segment size decreases because no control bytes are used, since it is a stateless protocol, which increases transmission speed and reduces resource use.