| 1 | Use tcpdump & wireshark to show DNS traffic |
|---|
| 2 | |
|---|
| 3 | 1. Tcpdump |
|---|
| 4 | |
|---|
| 5 | Open a NEW connection to your auth1.grpX machine (log in a second |
|---|
| 6 | time), so that you can have both windows side-by-side. |
|---|
| 7 | |
|---|
| 8 | In the new window, run the following command (you must be 'root', that's |
|---|
| 9 | why we use sudo): |
|---|
| 10 | |
|---|
| 11 | $ sudo tcpdump -n -s 1500 udp and port 53 |
|---|
| 12 | |
|---|
| 13 | This shows all packets going in and out of your machine for UDP port 53 |
|---|
| 14 | (DNS). |
|---|
| 15 | |
|---|
| 16 | Now go to another window and repeat some of the 'dig' queries from earlier. |
|---|
| 17 | |
|---|
| 18 | Look at the output of tcpdump, check the source and destination IP address |
|---|
| 19 | of each packet: |
|---|
| 20 | |
|---|
| 21 | Explanation: |
|---|
| 22 | |
|---|
| 23 | -n Prevents tcpdump doing reverse DNS lookups on the packets it receives, |
|---|
| 24 | which would generate additional (confusing) DNS traffic |
|---|
| 25 | |
|---|
| 26 | -s 1500 Read the entire packet (otherwise tcpdump only reads 96 bytes) |
|---|
| 27 | |
|---|
| 28 | udp and port 53 |
|---|
| 29 | A filter which matches only packets to/from UDP port 53 |
|---|
| 30 | |
|---|
| 31 | 2. Tshark |
|---|
| 32 | |
|---|
| 33 | Let's try the same thing, but using tshark |
|---|
| 34 | |
|---|
| 35 | If required, stop the above tcpdump (CTRL+C), then run: |
|---|
| 36 | |
|---|
| 37 | $ sudo tshark -n -s 1500 udp and port 53 |
|---|
| 38 | |
|---|
| 39 | Try to run a few queries using dig from another window, then |
|---|
| 40 | stop tshark (CTRL+C), and run it with different options: |
|---|
| 41 | |
|---|
| 42 | $ sudo tshark -V -n -s 1500 udp and port 53 |
|---|
| 43 | |
|---|
| 44 | Run a few queries - do you see how much data is now being printed ? |
|---|
| 45 | |
|---|
| 46 | |
|---|
| 47 | 3. Wireshark |
|---|
| 48 | |
|---|
| 49 | Let's try this with the graphical interface, wireshark. |
|---|
| 50 | |
|---|
| 51 | First, let's create a remote desktop instance: |
|---|
| 52 | |
|---|
| 53 | $ vncserver |
|---|
| 54 | |
|---|
| 55 | You will be asked to create a password - use the same as in class! |
|---|
| 56 | |
|---|
| 57 | At this point, you will need to get a VNC client to connect |
|---|
| 58 | to your remote desktop. For example: |
|---|
| 59 | |
|---|
| 60 | Windows: http://www.realvnc.com/cgi-bin/download.cgi |
|---|
| 61 | (Choose Installer or ZIP for the Standalone viewer) |
|---|
| 62 | |
|---|
| 63 | Linux: Ubuntu / Debian: apt-get install xvnc4viewer |
|---|
| 64 | |
|---|
| 65 | MacOS X: http://sourceforge.net/projects/cotvnc/files/latest/download |
|---|
| 66 | |
|---|
| 67 | Follow the instructions to install your client, then connect to: |
|---|
| 68 | |
|---|
| 69 | auth1.grpX.dns.nsrc.org:1 |
|---|
| 70 | |
|---|
| 71 | ... where X is the number of your group. |
|---|
| 72 | |
|---|
| 73 | When asked for a password, type in the password you provided earlier |
|---|
| 74 | |
|---|
| 75 | Normally, a desktop with a terminal (xterm) window should appear. |
|---|
| 76 | |
|---|
| 77 | If not, ask the instructor for assistance |
|---|
| 78 | |
|---|
| 79 | Now, run wireshark: |
|---|
| 80 | |
|---|
| 81 | $ sudo wireshark |
|---|
| 82 | |
|---|
| 83 | A warning will pop up about running as root - just click ok! |
|---|
| 84 | |
|---|
| 85 | Now, start a capture - press CTRL+K |
|---|
| 86 | |
|---|
| 87 | In the Capture Filter field, type: |
|---|
| 88 | |
|---|
| 89 | not port 5901 |
|---|
| 90 | |
|---|
| 91 | (we'll explain later) |
|---|
| 92 | |
|---|
| 93 | Start the capture by pressing OK |
|---|
| 94 | |
|---|
| 95 | Try and run some dig commands from a terminal window. |
|---|
| 96 | |
|---|
| 97 | You should start to see packets appear in the wireshark window. |
|---|
| 98 | |
|---|
| 99 | To stop the capture, press the red "Stop" button (4th from the |
|---|
| 100 | left on the list of buttons at the top). |
|---|
| 101 | |
|---|
| 102 | Now, you can explore the packet capture, save it, decode it, etc... |
|---|
| 103 | |
|---|
