Lab 2 - Using Wireshark To Examine A UDP DNS Capture Nikola Jagustin
Lab - Using Wireshark to Examine a UDP DNS Capture

Topology

Objectives
Part 1: Record a PC's IP Configuration Information
Part 2: Use Wireshark to Capture DNS Queries and Responses
Part 3: Analyze Captured DNS or UDP Packets

Background / Scenario
If you have ever used the Internet, you have used the Domain Name System (DNS). DNS is a distributed network of servers that translates user-friendly domain names like www.google.com to an IP address. When you type a website URL into your browser, your PC performs a DNS query to the DNS server's IP address. Your PC's DNS server query and the DNS server's response make use of the User Datagram Protocol (UDP) as the transport layer protocol. UDP is connectionless and does not require a session setup as TCP does. DNS queries and responses are very small and do not require the overhead of TCP. (DNS falls back to TCP for messages that do not fit in a single UDP datagram, such as zone transfers, but an ordinary lookup like the one in this lab travels over UDP.)

In this lab, you will communicate with a DNS server by sending a DNS query using the UDP transport protocol. You will use Wireshark to examine the DNS query and response exchanges with the name server.

Note: This lab cannot be completed using Netlab. This lab assumes that you have Internet access.

Required Resources
1 PC (Windows 7, Vista, or XP with command prompt access, Internet access, and Wireshark installed)

Part 1: Record a PC's IP Configuration Information
In Part 1, you will use the ipconfig /all command on your local PC to find and record the MAC and IP addresses of your PC's network interface card (NIC), the IP address of the specified default gateway, and the DNS server IP address specified for the PC. Record this information in the table provided. The information will be used in the following parts of this lab with packet analysis.

IP address: 192.168.1.2
MAC address: 2C-F0-5D-76-BA-D8
Default gateway IP address: 192.168.1.1
DNS server IP address: 192.168.1.1

Part 2: Use Wireshark to Capture DNS Queries and Responses
In Part 2, you will set up Wireshark to capture DNS query and response packets to demonstrate the use of the UDP transport protocol while communicating with a DNS server.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6

a. Click the Windows Start button and navigate to the Wireshark program.
Note: If Wireshark is not yet installed, it can be downloaded at http://www.wireshark.org/download.html.
b. Select an interface for Wireshark for capturing packets. Use the Interface List to choose the interface that is associated with the recorded PC's IP and Media Access Control (MAC) addresses in Part 1.
c. After selecting the desired interface, click Start to capture the packets.
d. Open a web browser and type www.google.com. Press Enter to continue.
e. Click Stop to stop the Wireshark capture when you see Google's home page.

Part 3: Analyze Captured DNS or UDP Packets
In Part 3, you will examine the UDP packets that were generated when communicating with a DNS server for the IP addresses for www.google.com.

Step 1: Filter DNS packets.
a. In the Wireshark main window, type dns in the entry area of the Filter toolbar. Click Apply or press Enter.
Note: If you do not see any results after the dns filter was applied, the browser probably answered from its cache or the PC's resolver cache, so no query ever left the machine. Close the web browser and, in the command prompt window, type ipconfig /flushdns to remove all previous DNS results. Restart the Wireshark capture and repeat the instructions in Part 2b through 2e. If this does not resolve the issue, in the command prompt window you can type nslookup www.google.com as an alternative to the web browser.

b. In the packet list pane (top section) of the main window, locate the packet that includes "standard query" and "A www.google.com". See frame 4 as an example.


Step 2: Examine UDP segment using DNS query.
Examine UDP by using a DNS query for www.google.com as captured by Wireshark. In this example, Wireshark capture frame 4 in the packet list pane is selected for analysis. The protocols in this query are displayed in the packet details pane (middle section) of the main window. The protocol entries are highlighted in gray.

a. In the packet details pane, frame 4 had 74 bytes of data on the wire, as displayed on the first line. This is the number of bytes needed to send a DNS query to a name server requesting the IP addresses of www.google.com.
b. The Ethernet II line displays the source and destination MAC addresses. The source MAC address is from your local PC because your local PC originated the DNS query. The destination MAC address is from the default gateway, because this is the last stop before this query exits the local network.
Is the source MAC address the same as recorded from Part 1 for the local PC? Yes
c. In the Internet Protocol Version 4 line, the IP packet Wireshark capture indicates that the source IP address of this DNS query is 192.168.1.11, and the destination IP address is 192.168.1.1. In this example, the destination address is the default gateway. The router is the default gateway in this network. (192.168.1.11 is the PC in the lab's sample capture; in the capture recorded for this lab in Part 1, the local PC is 192.168.1.2 and the gateway is 192.168.1.1.)
Can you pair up the IP and MAC addresses for the source and destination devices?

Device            IP Address     MAC Address
Local PC          192.168.1.2    2c-f0-5d-76-ba-d8
Default Gateway   192.168.1.1    70:f8:2b:4b:ea:c0

The IP packet and header encapsulate the UDP segment. The UDP segment contains the DNS query as its data.
d. A UDP header has only four fields: source port, destination port, length, and checksum. Each field in the UDP header is only 16 bits, so the entire header is 8 bytes.

Expand the User Datagram Protocol entry in the packet details pane by clicking the plus (+) sign. Notice that there are only four fields. The source port number in this example is 52110. The source port was randomly generated by the local PC using port numbers that are not reserved. The unpredictability of this source port, together with the DNS transaction ID, is what makes it hard for an off-path attacker to forge a response that the PC will accept, which is why resolvers randomize it rather than counting up from a fixed value. The destination port is 53. Port 53 is a well-known port reserved for use with DNS. DNS servers listen on port 53 for DNS queries from clients.

In this example, the length of this UDP segment is 40 bytes. Out of 40 bytes, 8 bytes are used as the header. The other 32 bytes are used by the DNS query data. The 32 bytes of DNS query data are highlighted in the packet bytes pane (lower section) of the Wireshark main window.

The checksum is used to determine the integrity of the packet after it has traversed the Internet. It is computed over the UDP header and data plus a pseudo-header containing the IP addresses, so it catches accidental corruption and misdelivery, but it offers no protection against deliberate modification; in IPv4 a sender may even set it to zero to disable it.

The UDP header has low overhead because UDP does not have fields that are associated with the three-way handshake in TCP. Any data transfer reliability issues that occur must be handled by the application layer.

Record your Wireshark results in the table below:

Frame Size:
Source MAC address:
Destination MAC address:
Source IP address:
Destination IP address:
Source Port:
Destination Port:

Is the source IP address the same as the local PC's IP address recorded in Part 1? Yes
Is the destination IP address the same as the default gateway noted in Part 1? Yes

Step 3: Examine UDP using DNS response.
In this step, you will examine the DNS response packet and verify that the DNS response packet also uses UDP.


a. In this example, frame 5 is the corresponding DNS response packet. Notice the number of bytes on the wire is 290 bytes. It is a larger packet as compared to the DNS query packet. This asymmetry, a small query producing a much larger reply, is also what makes open DNS servers attractive for reflection attacks that spoof the victim's source address.

b. In the Ethernet II frame for the DNS response, from what device is the source MAC address and what device is the destination MAC address?
The source MAC address is the address of the default gateway, and the destination MAC address is the address of my computer.
c. Notice the source and destination IP addresses in the IP packet. What is the destination IP address? What is the source IP address?
Destination IP address: 192.168.1.2
Source IP address: 192.168.1.1
What happened to the roles of source and destination for the local host and default gateway?
The roles were swapped.
d. In the UDP segment, the role of the port numbers has also reversed. The destination port number is 52110. Port number 52110 is the same port that was generated by the local PC when the DNS query was sent to the DNS server. Your local PC listens for a DNS response on this port. The source port number is 53. The DNS server listens for a DNS query on port 53 and then sends a DNS response with a source port number of 53 back to the originator of the DNS query. Wireshark pairs the two frames for you using these ports and the transaction ID, and shows the link as a "[Request In: 4]" / "[Response In: 5]" line in the DNS section of the details pane.
When the DNS response is expanded, notice the resolved IP addresses for www.google.com in the Answers section.
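To make the byte counts and port roles in Step 2 and Step 3 concrete, the following Python script rebuilds the exchange in code. It is an added example, not code from the Cisco lab or from Wireshark: it encodes the 32-byte DNS query for www.google.com, wraps it in an 8-byte UDP header with a real RFC 768 checksum, builds a response with the addresses and ports reversed, and then dissects both segments the way the details pane does. The IP addresses and ephemeral port are the lab's sample values, the answer records (two RFC 5737 documentation addresses) and the transaction ID are constructed, so the response here is far smaller than the real 290-byte frame 5. The name decoder also enforces a hop limit on compression pointers, the check a parser needs so that a hostile message with a pointer loop cannot hang it.

```python
"""Added example, not from the Cisco lab: rebuild the DNS query of frame 4 and a response like
frame 5, wrap both in UDP and dissect them. IPs, ports and answer records are constructed."""
import socket
import struct
CLIENT_IP, SERVER_IP = "192.168.1.11", "192.168.1.1"   # lab's sample PC and its gateway/DNS server
CLIENT_PORT, DNS_PORT = 52110, 53                      # ephemeral port from frame 4, well-known DNS port
ETH_HDR_LEN, IPV4_HDR_LEN, UDP_HDR_LEN = 14, 20, 8

def encode_name(name):   # 'www.google.com' -> length-prefixed labels + zero byte (16 bytes)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, offset, max_hops=16):
    """Decode labels at offset, following 0xC0xx pointers; the hop limit defeats pointer loops."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            end = offset + 2 if end is None else end    # resume after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (offset if end is None else end)
        labels.append(msg[offset:offset + length].decode())
        offset += length

def build_query(txid, name):   # 12-byte header (RD=1, QDCOUNT=1) + QNAME, QTYPE=A, QCLASS=IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(query, addresses, ttl=300):
    """Same ID and question, QR/RD/RA set, one A record per address; 0xC00C points at the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip) for ip in addresses)
    return header + query[12:] + answers

def parse_dns(msg):
    """Return ID, QR flag, questions and answers (A-record RDATA rendered as a dotted IP)."""
    txid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        answers.append((name, rtype, ttl, socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}

def ones_complement_sum(data):   # 16-bit one's-complement sum with end-around carry (RFC 768 / RFC 1071)
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, udp_len):   # IPv4 pseudo-header: src, dst, zero, protocol 17, UDP length
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src_ip, dst_ip, src_port, dst_port, payload):
    """The four 16-bit fields, then the payload; the checksum covers pseudo-header + whole segment."""
    length = UDP_HDR_LEN + len(payload)
    segment = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment)) & 0xFFFF
    return struct.pack("!HHHH", src_port, dst_port, length, csum or 0xFFFF) + payload   # 0 would mean "none"

def udp_checksum_ok(src_ip, dst_ip, segment):   # valid when the sum including the checksum field is all ones
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def parse_udp(segment):
    """Split the 8-byte header into its four fields; the length field must equal the segment size."""
    src, dst, length, csum = struct.unpack("!HHHH", segment[:8])
    if length != len(segment):
        raise ValueError("UDP length field %d != segment size %d" % (length, len(segment)))
    return {"src_port": src, "dst_port": dst, "length": length, "checksum": csum, "payload": segment[8:]}

def walk_exchange():
    """Frames 4 and 5 rebuilt: byte counts, port roles, checksums and the resolved addresses."""
    query = build_query(0x1234, "www.google.com")
    q_seg = build_udp(CLIENT_IP, SERVER_IP, CLIENT_PORT, DNS_PORT, query)
    resp = build_response(query, ["203.0.113.10", "203.0.113.11"])        # constructed answer IPs
    r_seg = build_udp(SERVER_IP, CLIENT_IP, DNS_PORT, CLIENT_PORT, resp)   # addresses and ports reversed
    q, r = parse_udp(q_seg), parse_udp(r_seg)
    return {
        "query_dns_bytes": len(query),                                   # 32
        "query_udp_length": q["length"],                                 # 40 = 8-byte header + 32
        "query_frame_bytes": ETH_HDR_LEN + IPV4_HDR_LEN + q["length"],   # 74, as in frame 4
        "query_ports": (q["src_port"], q["dst_port"]),                   # (52110, 53)
        "response_ports": (r["src_port"], r["dst_port"]),                # (53, 52110)
        "query_checksum_ok": udp_checksum_ok(CLIENT_IP, SERVER_IP, q_seg),
        "response_checksum_ok": udp_checksum_ok(SERVER_IP, CLIENT_IP, r_seg),
        "question": parse_dns(q["payload"])["questions"],
        "answers": [a[3] for a in parse_dns(r["payload"])["answers"]],
    }

if __name__ == "__main__":
    print(walk_exchange())
```

Running the script reproduces the arithmetic of Step 2: 12 bytes of DNS header plus a 20-byte question make the 32-byte payload, the UDP length field reads 40, and adding the 14-byte Ethernet and 20-byte IPv4 headers gives the 74 bytes on the wire that frame 4 showed. The response parse shows the same transaction ID coming back with the QR bit set and the ports swapped, which is exactly what Step 3 asks you to observe.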


Reflection
What are the benefits of using UDP instead of TCP as a transport protocol for DNS?

UDP is faster because there is no need to send acknowledgements of packet receipt, and it has minimal overhead.
