| 1 | Use tcpdump & wireshark to show DNS traffic |
|---|
| 2 | |
|---|
| 3 | 1. Tcpdump |
|---|
| 4 | |
|---|
| 5 | Open a NEW connection to your master.grpX machine (log in a second |
|---|
| 6 | time), so that you can have both windows side-by-side. |
|---|
| 7 | |
|---|
| 8 | In the new window, run the following command (you must be 'root', that's |
|---|
| 9 | why we use sudo): |
|---|
| 10 | |
|---|
| 11 | # sudo tcpdump -n -s 1500 udp and port 53 |
|---|
| 12 | |
|---|
| 13 | This shows all packets going in and out of your machine for UDP port 53 |
|---|
| 14 | (DNS). |
|---|
| 15 | |
|---|
| 16 | Now go to another window and repeat some of the 'dig' queries from earlier. |
|---|
| 17 | |
|---|
| 18 | Look at the output of tcpdump, check the source and destination IP address |
|---|
| 19 | of each packet: |
|---|
| 20 | |
|---|
| 21 | Explanation: |
|---|
| 22 | |
|---|
| 23 | -n Prevents tcpdump doing reverse DNS lookups on the packets it receives, |
|---|
| 24 | which would generate additional (confusing) DNS traffic |
|---|
| 25 | |
|---|
| 26 | -s 1500 Read the entire packet (otherwise tcpdump only reads 96 bytes) |
|---|
| 27 | |
|---|
| 28 | udp and port 53 |
|---|
| 29 | A filter which matches only packets to/from UDP port 53 |
|---|
| 30 | |
|---|
| 31 | 2. Tshark, Wireshark |
|---|
| 32 | |
|---|
| 33 | ** will be done as a demo ** |
|---|