Wireshark

Wireshark is a powerful tool used to capture packets sent over a network and analyse the content of the packets retrieved. The file dnsrealtrace.pcapng contains a trace of the packets sent and received when a web page is downloaded from a web server over the SUTD network.

In the process of downloading the web page, DNS is used to find the IP address of the server.

Observe Wireshark Capture File

Open the dnsrealtrace.pcapng in Wireshark and answer the following questions. You can refer to Wireshark tutorial here before proceeding, but most things are self-explanatory. If the download link doesn’t work, head to eDimension Week 13 to get the file.

After opening the file, you should have this interface:

Task 12

TASK 12: Locate the DNS query and response messages. Are they sent over UDP or TCP?

Which numbers are these DNS query packets? Hint: look under protocol DNS

Task 13

TASK 13: What is the destination port for the DNS query message? What is the source port of the DNS response message?

Task 14

TASK 14: What is the IP address to which the DNS query message was sent? Run scutil --dns to determine the IPv4 address of your local DNS server. Are these two addresses the same?

Task 15

TASK 15: Examine the second DNS query message in the Wireshark capture. What type of DNS query is it?

  • Does the query message contain any answers?

Then examine the second DNS response message.

  • How many answers are provided?
  • What does each of these answers contain?

Task 16

TASK 16: Locate a TCP SYN packet sent by your host subsequent to the above (second) DNS response.

This packet opens a TCP connection between your host and the web server. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message?

Optional Activity

Capturing packets for packet analysis with wireshark:

  1. Once the program is launched, select the network interface to capture and click on the sharkfin icon at the top left of the application right under the menu bar to begin capturing packets. If you click on each packet, you can see each layer’s header and the application layer payload.

  2. To explore the interface, mention the interface (e.g. eth0, wlan) in the capture option.

  3. There are display filters to analyse the packets.

    • Protocols: TCP, UDP, ARP, SMTP, etc.
    • Protocol fields: port, src.addr, length, etc. (E.g. ip.src == 192.168.1.1)
    • For more detailed instructions on Wireshark, refer to its official homepage