
File 02-dns-tcpdump-wireshark-v2.2.txt, 3.7 KB (added by Yoshiaki Kasahara, 6 years ago)
Use tcpdump & wireshark to show DNS traffic

1. Tcpdump

    Open a NEW connection to your resolv.grpX machine (log in a second
    time), so that you can have both windows side-by-side.

    In the first window, you will be logged in to "auth1"

    In the second window, you will be logged in to "resolv"

    In the second window, run the following command (you must be 'root', that's
    why we use sudo):

$ sudo tcpdump -n -s 1500 udp and port 53

    This shows all packets going in and out of your machine for UDP port 53
    (DNS).

    Now in the first window (auth1), repeat some of the 'dig' queries from
    earlier:

    $ dig @resolv.grpXX.dns.nsrc.org www.MYTLD.
    $ dig @resolv.grpXX.dns.nsrc.org www.OTHER_DOMAIN_IN_THE_CLASS.

    (for example)

    Look at the output of tcpdump and check the source and destination IP address
    of each packet.

Explanation:

    -n  Prevents tcpdump doing reverse DNS lookups on the packets it receives,
        which would generate additional (confusing) DNS traffic

    -s 1500 Read the entire packet (otherwise tcpdump only reads 96 bytes)

    udp and port 53
        A filter which matches only packets to/from UDP port 53
2. Tshark

    Let's try the same thing, but using tshark.

    If required, stop the above tcpdump (CTRL+C), then run:

$ sudo tshark -n -s 1500 udp and port 53

    Try to run a few queries using dig from another window:

    $ dig @resolv.grpXX.dns.nsrc.org www.MYTLD.
    $ dig @resolv.grpXX.dns.nsrc.org www.OTHER_DOMAIN_IN_THE_CLASS.

    etc...

    Stop tshark (CTRL+C), and run it with different options:

$ sudo tshark -V -n -s 1500 udp and port 53

    Run some queries again, as above.
    Do you see how much data is now being printed?


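    As an added example (not part of the lab handout), the Python below decodes the
    header and question section of a DNS message, i.e. the fields tshark -V prints for
    each packet on UDP port 53. The sample bytes are constructed to match what dig
    sends for www.MYTLD. and are not a capture from the class.

```python
import struct

# Constructed sample (not a capture from the class): the DNS query that
# "dig www.MYTLD." sends, i.e. the UDP port 53 payload tcpdump/tshark show.
SAMPLE_QUERY = (
    b"\x12\x34"                   # transaction ID
    b"\x01\x00"                   # flags: standard query, recursion desired (RD)
    b"\x00\x01"                   # QDCOUNT = 1 question
    b"\x00\x00\x00\x00\x00\x00"   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x03www\x05MYTLD\x00"       # QNAME as length-prefixed labels, root = 0
    b"\x00\x01"                   # QTYPE = A
    b"\x00\x01"                   # QCLASS = IN
)

def read_name(msg, offset):
    """Decode the name at offset, following RFC 1035 compression pointers
    (0xC0xx, used in answers); returns (name, offset just past the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # two-byte pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2             # the pointer ends the name on the wire
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:                      # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end

def parse_dns_header_and_question(msg):
    """Return the header fields and first question that tshark -V prints."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": ident, "rcode": flags & 0x000F,
        "is_response": bool(flags & 0x8000),          # QR bit
        "recursion_desired": bool(flags & 0x0100),    # RD bit
        "counts": (qd, an, ns, ar),
        "qname": qname, "qtype": qtype, "qclass": qclass,
    }
```

    The same function works on a real message if you feed it the UDP payload bytes
    that wireshark shows for a captured query or response.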
3. Wireshark

    Let's try this with the graphical interface, wireshark.

    ----
    Before starting, you need to install wireshark (and a couple of other
    packages) and start the D-BUS service daemon so that wireshark starts
    correctly:

    $ sudo pkg install wireshark
    (You'll be asked a couple of questions, just answer 'y' and hit enter)

    Edit /etc/rc.conf to add:

    dbus_enable="YES"

    and start the dbus daemon:

    $ sudo service dbus start
    ----

    First, let's create a remote desktop instance:

$ vncserver

    You will be asked to create a password - use the same as in class!

    At this point, you will need to get a VNC client to connect
    to your remote desktop. For example:

    Windows: http://www.realvnc.com/cgi-bin/download.cgi
        (Choose Installer or ZIP for the Standalone viewer)

    Linux: Ubuntu / Debian: apt-get install xvnc4viewer

    MacOS X: http://sourceforge.net/projects/cotvnc/files/latest/download

    Follow the instructions to install your client, then connect to:

    resolv.grpX.dns.nsrc.org:1

    ... where X is the number of your group.

    When asked for a password, type in the password you provided earlier.

    Normally, a desktop with a terminal (xterm) window should appear.

    If not, ask the instructor for assistance.

    Now, run wireshark:

$ sudo wireshark

    A warning will pop up about running as root - just click ok!

    Now, start a capture - press CTRL+K

    At the top, choose `eth0` as your interface.

    In the Capture Filter field below, type:

port 53

    (we only want to see DNS traffic)

    Start the capture by pressing Start at the bottom.

    From your auth1 server run some `dig` commands like you did earlier:

    $ dig @resolv.grpXX.dns.nsrc.org www.MYTLD.
    $ dig @resolv.grpXX.dns.nsrc.org www.OTHER_DOMAIN_IN_THE_CLASS.

    You should start to see packets appear in the wireshark window.

    To stop the capture, press the red "Stop" button (4th from the
    left on the list of buttons at the top).

    Now, you can explore the packet capture, save it, decode it, etc...