Table of Contents for
Packet Analysis with Wireshark

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Packet Analysis with Wireshark by Anish Nath Published by Packt Publishing, 2015
  1. Cover
  2. Table of Contents
  3. Packet Analysis with Wireshark
  4. Packet Analysis with Wireshark
  5. Credits
  6. About the Author
  7. About the Reviewers
  8. www.PacktPub.com
  9. Preface
  10. What you need for this book
  11. Who this book is for
  12. Conventions
  13. Reader feedback
  14. Customer support
  15. 1. Packet Analyzers
  16. Introducing Wireshark
  17. Other packet analyzer tools
  18. Summary
  19. 2. Capturing Packets
  20. Troubleshooting
  21. Wireshark user interface
  22. Wireshark features
  23. Tcpdump and snoop
  24. References
  25. Summary
  26. 3. Analyzing the TCP Network
  27. TCP connection establishment and clearing
  28. TCP data communication
  29. TCP close sequence
  30. Lab exercise
  31. TCP troubleshooting
  32. TCP latency issues
  33. Wireshark TCP sequence analysis
  34. References
  35. Summary
  36. 4. Analyzing SSL/TLS
  37. The SSL/TLS handshake
  38. Key exchange
  39. Decrypting SSL/TLS
  40. Debugging issues
  41. Summary
  42. 5. Analyzing Application Layer Protocols
  43. BOOTP/DHCP
  44. DNS
  45. HTTP
  46. References
  47. Summary
  48. 6. WLAN Capturing
  49. Analyzing the Wi-Fi networks
  50. Wi-Fi sniffing products
  51. Summary
  52. 7. Security Analysis
  53. The DOS attack
  54. Scanning
  55. ARP duplicate IP detection
  56. DrDoS
  57. BitTorrent
  58. Wireshark protocol hierarchy
  59. Summary
  60. Index

DNS

DNS stands for Domain Name System. DNS is used by all machines to translate hostnames into IP addresses. This mechanism is used to translate names to attributes such as addresses (IPv4/IPv6) based on the query type.

DNS has three major components:

  • A name space
  • Servers making that name space available
  • Resolvers (clients) that query the servers about the name space

This topic will focus on the resolver perspective, where the client sends a query to the server and the server answers the query. There can be multiple answers to the same query.

DNS Wireshark filter

Wireshark's dns filter is used to display only DNS traffic, and UDP port 53 is used to capture DNS traffic.

Port

The default DNS port is 53, and it uses the UDP protocol. Some DNS systems use the TCP protocol also. TCP is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers.

Resource records

The following format is used by the DNS system:

Field

Description

Length

Wireshark filter

NAME

The owner name

variable

dns.qry.name == "google.com"

TYPE

Type of Resource Record (RR) in numeric form

2

dns.qry.type == 1 (A Record Type)

dns.qry.type == 255 (ANY Record Type)

dns.qry.type == 2 (NS name server)

dns.qry.type == 15(MX mail exchange)

dns.qry.type == 28 (AAAA quad A, Ipv6 record Type)

CLASS

Class code

2

dns.qry.class == 0x0001 (IN set to internet)

TTL

Time to live

4

 

RDLENGTH

Length in octets of the RDATA field

2

 

RDATA

Additional RRspecific data

Variable

 

DNS traffic

In this chapter, the dig and nslookup network commands are used to query the DNS server. Open the sample DNS-Packet.pcap file, set the display filter to dns.qry.type==28, and examine the query.

In this example, client (192.168.1.101) is asking the name server (8.8.4.4) to resolve ipv6.google.com by setting these parameters in the query section:

  • The client sets the record type AAAA record
  • The client sets the hostname (ipv6.google.com)
  • Client set the class (that is, IN (Internet))
  • The name server (8.8.4.4) responds to the client with multiple answers
  • ipv6.google.com is the canonical name that equals ipv6.l.google.com
  • ipv6.l.google.com has the AAAA address 2404:6800:4007:805::200e
    DNS traffic

User can use the popular dig or nslookup network utility commands to query different DNS record types. Use a network capture in the background and observe the query and answer section for each command:

  • Query a record type used to show the IPv4 address of the given hostname:
    bash# nslookup google.com
bash# dig google.com
bash# dig A +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
  • Query the AXFR record type; AXFR is used to transfer zone files from the master to the secondary name server:
    bash# nslookup -type=axfr google.com 8.8.4.4
bash# dig AXFR +noadditional +noquestion +nocomments +nocmd +nostats +multiline google.com. @8.8.4.4
  • Query the CNAME record type. CNAME is used to set up the alias:
    bash# nslookup -type=cname google.com 8.8.4.4
bash# dig CNAME +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
  • Query the MX record type; MX is the mail exchange record:
    bash# nslookup -type=mx google.com 8.8.4.4
bash# dig MX +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
  • Query the NS record type; NS is the name server record:
    bash# nslookup -type=ns google.com 8.8.4.4
bash# dig NS +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
  • Query the PTR record type; PTR is the pointer used for reverse DNS lookups:
    bash# nslookup -type=ptr google.com 8.8.4.4
bash# dig PTR +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
  • Query the SOA record type. SOA is used to provide authoritative information such as nameserver and e-mail:
    bash# nslookup -type=soa google.com 8.8.4.4
bash# dig SOA +noadditional +noquestion +nocomments +nocmd +nostats +multiline google.com. @8.8.4.4
  • Query the TXT record type; this refers to the text record:
    bash# nslookup -type=txt google.com 8.8.4.4
bash# dig TXT +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
  • Query AAAA (also referred to as the quad-A record type); this will display the IPv6 address of the given hostname:
    bash# nslookup -type=aaaa google.com 8.8.4.4
bash# nslookup -type=aaaa ipv6.google.com 8.8.4.4
bash# dig AAAA +noadditional +noquestion +nocomments +nocmd +nostats ipv6.google.com. @8.8.4.4
  • Query the ANY record type; this returns all record types:
    bash# nslookup -type=any google.com 8.8.4.4
bash# dig ANY +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4