1 | Use tcpdump & wireshark to show DNS traffic |
---|
2 | |
---|
3 | 1. Tcpdump |
---|
4 | |
---|
5 | Open a NEW connection to your master.grpX machine (log in a second |
---|
6 | time), so that you can have both windows side-by-side. |
---|
7 | |
---|
8 | In the new window, run the following command (you must be 'root', that's |
---|
9 | why we use sudo): |
---|
10 | |
---|
11 | # sudo tcpdump -n -s 1500 udp and port 53 |
---|
12 | |
---|
13 | This shows all packets going in and out of your machine for UDP port 53 |
---|
14 | (DNS). |
---|
15 | |
---|
16 | Now go to another window and repeat some of the 'dig' queries from earlier. |
---|
17 | |
---|
18 | Look at the output of tcpdump, check the source and destination IP address |
---|
19 | of each packet: |
---|
20 | |
---|
21 | Explanation: |
---|
22 | |
---|
23 | -n Prevents tcpdump doing reverse DNS lookups on the packets it receives, |
---|
24 | which would generate additional (confusing) DNS traffic |
---|
25 | |
---|
26 | -s 1500 Read the entire packet (otherwise tcpdump only reads 96 bytes) |
---|
27 | |
---|
28 | udp and port 53 |
---|
29 | A filter which matches only packets to/from UDP port 53 |
---|
30 | |
---|
31 | 2. Tshark, Wireshark |
---|
32 | |
---|
33 | ** will be done as a demo ** |
---|