Lab#7 Seidygali Daryn


Lab - Using Wireshark to Examine a UDP DNS Capture

Name: Seidygali Daryn

Group: IT1-2107

Part 1: Record a PC’s IP Configuration Information


In Part 1, you will use the ipconfig /all command on your local PC to find and
record the MAC and IP addresses of your PC network interface card (NIC), the
IP address of the configured default gateway, and the DNS server IP address
configured for the PC. Record this information in the table provided. This
information will be used in the packet analysis later in this lab.

IP address                  192.168.1.4
MAC address                 10:b5:88:74:96:d5
Default gateway IP address  192.168.1.1
DNS server IP address       192.168.1.1
Part 2: Use Wireshark to Capture DNS Queries and Responses
In Part 2, you will set up Wireshark to capture DNS query and response packets
to demonstrate the use of the UDP transport protocol while communicating with
a DNS server.

a) Click the Windows Start button and navigate to the Wireshark program.
b) Select (highlight) the active interface on which Wireshark should capture
packets.

c) After selecting the desired interface, click Start to capture the packets.
d) Open a web browser and type www.google.com. Press Enter to continue.
e) Click Stop to stop the Wireshark capture when you see the Google home
page.

Part 3: Analyze Captured DNS or UDP Packets


In Part 3, you will examine the UDP packets that were generated when
communicating with a DNS server for the IP addresses for www.google.com.

Step 1: Filter DNS packets.

a) In the Wireshark main window, type dns in the entry area of the Filter
toolbar and press Enter. This filter matches both queries and responses; the
filter dns.flags.response == 0 narrows the list to queries only, and
udp.port == 53 also shows port-53 traffic that Wireshark did not dissect as DNS.

Note: If you do not see any results after the DNS filter was applied, close the web
browser. In the command prompt window, type ipconfig /flushdns to remove all
cached DNS results; otherwise the browser may answer from the cache without
sending a query. Restart the Wireshark capture and repeat the instructions
in Part 2b-2e. If this does not resolve the issue, type nslookup www.google.com
in the command prompt window as an alternative to the web browser.

b) In the packet list pane (top section) of the main window, locate the packet
whose Info column reads Standard query and A www.google.com. See frame 15 as
an example.

Step 2: Examine a UDP segment using DNS query.


Examine the UDP segment carrying the DNS query for www.google.com as captured by
Wireshark. In this example, Wireshark capture frame 15 in the packet list pane is
selected for analysis. The protocols in this query are displayed in the packet
details pane (middle section) of the main window, one line per encapsulating
header (Frame, Ethernet II, Internet Protocol Version 4, User Datagram Protocol,
Domain Name System). The protocol entries are highlighted in gray.

a) In the first line in the packet details pane, frame 2043 had 74 bytes on
the wire. This is the number of bytes needed to send a DNS query to a name
server requesting the IP addresses of www.google.com.

b) The Ethernet II line displays the source and destination MAC addresses.
The source MAC address is that of your local PC because your local PC
originated the DNS query. The destination MAC address is that of the default
gateway, because the gateway is the last stop before this query leaves the
local network.

Is the source MAC address the same as the one recorded in Part 1 for the local
PC?

Answer: Yes.

c) In the Internet Protocol Version 4 line, the Wireshark capture indicates
that the source IP address of this DNS query is 192.168.1.4 and the
destination IP address is 192.168.1.1. In this example, the destination
address is the default gateway. The router is the default gateway in this
network, and it is also the DNS server recorded in Part 1.

Can you identify the IP and MAC addresses for the source and destination
devices?

Device           IP Address    MAC Address
Local PC         192.168.1.4   10:b5:88:74:96:d5
Default Gateway  192.168.1.1   cc:be:59:e6:46:29

The IP packet header encapsulates the UDP segment. The UDP segment
carries the DNS query as its data.
d) A UDP header has only four fields: source port, destination port, length,
and checksum. Each field is 16 bits, so the whole header is 8 bytes.

Expand the User Datagram Protocol in the packet details pane by clicking the
plus (+) sign. Notice that there are only four fields. The source port number in
this example is 62887. The source port was chosen at random by the local PC
from the port numbers that are not reserved. The destination port is 53. Port 53
is a well-known port reserved for DNS; DNS servers listen on port 53 for
queries from clients. The random source port matters for security as well as
for delivering the reply to the right process: together with the 16-bit DNS
transaction ID, it is the only value an off-path attacker has to guess to forge
a response the client will accept, so a resolver that reuses a fixed source
port is much easier to poison.
Record your Wireshark results in the table below:

Frame size               74 bytes
Source MAC address       10:b5:88:74:96:d5
Destination MAC address  cc:be:59:e6:46:29
Source IP address        192.168.1.4
Destination IP address   192.168.1.1
Source port              62887
Destination port         53

Is the source IP address the same as the local PC IP address you recorded in Part
1?

Answer: Yes.

Is the destination IP address the same as the default gateway noted in Part 1?

Answer: Yes. The default gateway, 192.168.1.1, is also the DNS server recorded
in Part 1, so the query is addressed directly to it rather than to a DNS server
beyond the gateway.

Step 3: Examine the UDP segment carrying the DNS response.

In this step, you will examine the DNS response packet and verify that the DNS
response also uses UDP.

a) Frame 2062 is the corresponding DNS response packet. Notice that the number
of bytes on the wire is 90, which is 16 bytes more than the 74-byte query. The
response repeats the query's header and question section and adds one answer
record: a 2-byte compressed name, 2-byte type, 2-byte class, 4-byte TTL, 2-byte
data length and the 4-byte IPv4 address.

b) In the Ethernet II frame for the DNS response, which device is the source
MAC address and which device is the destination MAC address?

Answer: The source MAC address is the default gateway's and the destination
MAC address is the local PC's.

c) Notice the source and destination IP addresses in the IP packet. What is the
destination IP address? What is the source IP address?

Answer:

Destination IP address: 192.168.1.4


Source IP address: 192.168.1.1
d) In the UDP segment, the roles of the port numbers are also reversed. The
destination port number is 63816. This is the port the local PC chose when it
sent the matching DNS query, and it is the port on which the local PC listens
for the response. Wireshark pairs a response with its query by the DNS
transaction ID (dns.id); both that ID and the destination port must match the
query before a resolver accepts the answer.

The source port number is 53. The DNS server listens for DNS queries on port
53 and sends its response with a source port of 53 back to the originator of
the query.

Reflection

What are the benefits of using UDP instead of TCP as a transport protocol for
DNS?

Answer:

UDP is connectionless, so a client can send its query in a single datagram
without first completing a TCP three-way handshake, and the server can answer
in a single datagram. There is no connection state to keep, no acknowledgments,
no segment reassembly, and only an 8-byte header, which keeps lookups fast and
cheap for both client and server. The trade-off is that UDP itself never
retransmits: reliability is left to the DNS client, which resends the query
after a timeout. DNS still falls back to TCP when a response does not fit in one
datagram (the server sets the TC bit and the client retries over TCP) and for
zone transfers.
