| 1 | Use tcpdump & wireshark to show DNS traffic |
|---|
| 2 | |
|---|
| 3 | 1. Tcpdump |
|---|
| 4 | |
|---|
| 5 | Open a NEW connection to your resolv.grpX machine (log in a second |
|---|
| 6 | time), so that you can have both windows side-by-side. |
|---|
| 7 | |
|---|
| 8 | In the first window, you will be logged in to "auth1" |
|---|
| 9 | |
|---|
| 10 | In the second window, you will be logged in to "resolv" |
|---|
| 11 | |
|---|
| 12 | In the second window, run the following command (you must be 'root', that's |
|---|
| 13 | why we use sudo): |
|---|
| 14 | |
|---|
| 15 | $ sudo tcpdump -n -s 1500 udp and port 53 |
|---|
| 16 | |
|---|
| 17 | This shows all packets going in and out of your machine for UDP port 53 |
|---|
| 18 | (DNS). |
|---|
| 19 | |
|---|
| 20 | Now in the first window (auth1), repeat some of the 'dig' queries from |
|---|
| 21 | earlier: |
|---|
| 22 | |
|---|
| 23 | $ dig @resolv.grpXX.dns.nsrc.org www.MYTLD. |
|---|
| 24 | $ dig @resolv.grpXX.dns.nsrc.org www.OTHER_DOMAIN_IN_THE_CLASS. |
|---|
| 25 | |
|---|
| 26 | (for example) |
|---|
| 27 | |
|---|
| 28 | Look at the output of tcpdump, check the source and destination IP address |
|---|
| 29 | of each packet: |
|---|
| 30 | |
|---|
| 31 | Explanation: |
|---|
| 32 | |
|---|
| 33 | -n Prevents tcpdump doing reverse DNS lookups on the packets it receives, |
|---|
| 34 | which would generate additional (confusing) DNS traffic |
|---|
| 35 | |
|---|
| 36 | -s 1500 Read the entire packet (otherwise tcpdump only reads 96 bytes) |
|---|
| 37 | |
|---|
| 38 | udp and port 53 |
|---|
| 39 | A filter which matches only packets to/from UDP port 53 |
|---|
| 40 | |
|---|
| 41 | 2. Tshark |
|---|
| 42 | |
|---|
| 43 | Let's try the same thing, but using tshark |
|---|
| 44 | |
|---|
| 45 | If required, stop the above tcpdump (CTRL+C), then run: |
|---|
| 46 | |
|---|
| 47 | $ sudo tshark -n -s 1500 udp and port 53 |
|---|
| 48 | |
|---|
| 49 | Try to run a few queries using dig from another window: |
|---|
| 50 | |
|---|
| 51 | $ dig @resolv.grpXX.dns.nsrc.org www.MYTLD. |
|---|
| 52 | $ dig @resolv.grpXX.dns.nsrc.org www.OTHER_DOMAIN_IN_THE_CLASS. |
|---|
| 53 | |
|---|
| 54 | etc... |
|---|
| 55 | |
|---|
| 56 | stop tshark (CTRL+C), and run it with different options: |
|---|
| 57 | |
|---|
| 58 | $ sudo tshark -V -n -s 1500 udp and port 53 |
|---|
| 59 | |
|---|
| 60 | Run some queries again, as above. |
|---|
| 61 | Do you see how much data is now being printed ? |
|---|
| 62 | |
|---|
| 63 | |
|---|
| 64 | 3. Wireshark |
|---|
| 65 | |
|---|
| 66 | Let's try this with the graphical interface, wireshark. |
|---|
| 67 | |
|---|
| 68 | ---- |
|---|
| 69 | Before start, you need to install wireshark (and couple other packages) |
|---|
| 70 | and start D-BUS service daemon for wireshark starting correctly: |
|---|
| 71 | |
|---|
| 72 | $ sudo pkg install wireshark |
|---|
| 73 | (You'll be asked a couple of questions, just answer 'y' and hit enter) |
|---|
| 74 | |
|---|
| 75 | edit /etc/rc.conf to add: |
|---|
| 76 | |
|---|
| 77 | dbus_enable="YES" |
|---|
| 78 | |
|---|
| 79 | and start dbus daemon: |
|---|
| 80 | |
|---|
| 81 | $ sudo service dbus start |
|---|
| 82 | ---- |
|---|
| 83 | |
|---|
| 84 | First, let's create a remote desktop instance: |
|---|
| 85 | |
|---|
| 86 | $ vncserver |
|---|
| 87 | |
|---|
| 88 | You will be asked to create a password - use the same as in class! |
|---|
| 89 | |
|---|
| 90 | At this point, you will need to get a VNC client to connect |
|---|
| 91 | to your remote desktop. For example: |
|---|
| 92 | |
|---|
| 93 | Windows: http://www.realvnc.com/cgi-bin/download.cgi |
|---|
| 94 | (Choose Installer or ZIP for the Standalone viewer) |
|---|
| 95 | |
|---|
| 96 | Linux: Ubuntu / Debian: apt-get install xvnc4viewer |
|---|
| 97 | |
|---|
| 98 | MacOS X: http://sourceforge.net/projects/cotvnc/files/latest/download |
|---|
| 99 | |
|---|
| 100 | Follow the instructions to install your client, then connect to: |
|---|
| 101 | |
|---|
| 102 | resolv.grpX.dns.nsrc.org:1 |
|---|
| 103 | |
|---|
| 104 | ... where X is the number of your group. |
|---|
| 105 | |
|---|
| 106 | When asked for a password, type in the password you provided earlier |
|---|
| 107 | |
|---|
| 108 | Normally, a desktop with a terminal (xterm) window should appear. |
|---|
| 109 | |
|---|
| 110 | If not, ask the instructor for assistance |
|---|
| 111 | |
|---|
| 112 | Now, run wireshark: |
|---|
| 113 | |
|---|
| 114 | $ sudo wireshark |
|---|
| 115 | |
|---|
| 116 | A warning will pop up about running as root - just click ok! |
|---|
| 117 | |
|---|
| 118 | Now, start a capture - press CTRL+K |
|---|
| 119 | |
|---|
| 120 | At the top, choose `eth0` as your interface. |
|---|
| 121 | |
|---|
| 122 | In the Capture Filter field below, type: |
|---|
| 123 | |
|---|
| 124 | port 53 |
|---|
| 125 | |
|---|
| 126 | (we only want to see DNS traffic) |
|---|
| 127 | |
|---|
| 128 | Start the capture by pressing Start at the bottom. |
|---|
| 129 | |
|---|
| 130 | From your auth1 server run some `dig` commands like you did earlier: |
|---|
| 131 | |
|---|
| 132 | $ dig @resolv.grpXX.dns.nsrc.org www.MYTLD. |
|---|
| 133 | $ dig @resolv.grpXX.dns.nsrc.org www.OTHER_DOMAIN_IN_THE_CLASS. |
|---|
| 134 | |
|---|
| 135 | You should start to see packets appear in the wireshark window. |
|---|
| 136 | |
|---|
| 137 | To stop the capture, press the red "Stop" button (4th from the |
|---|
| 138 | left on the list of buttons at the top). |
|---|
| 139 | |
|---|
| 140 | Now, you can explore the packet capture, save it, decode it, etc... |
|---|
| 141 | |
|---|