Wireshark/LLMNR

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Link-Local Multicast Name Resolution (LLMNR) traffic.

• Wikipedia: Link-local Multicast Name Resolution

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture LLMNR traffic:

1. Start a Wireshark capture.
2. Open a command prompt.
3. Type ping <unknown>, where <unknown> is any unknown host name on your network. An unknown host name is used for this activity because names resolved by DNS will not generate LLMNR traffic.
4. Close the command prompt.
5. Stop the Wireshark capture.

To analyze LLMNR IPv6 traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. To view only LLMNR traffic, type udp.port == 5355 (lower case) in the Filter box and press Enter.
2. Select the first LLMNR packet labeled Standard query.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be the LLMNR IPv6 multicast MAC address 33:33:00:01:00:03 and the source should be your MAC address. You can use ipconfig /all and netsh interface ipv6 show neighbors to confirm.
6. Expand Internet Protocol Version 6 to view IPv6 details.
7. Observe the Source address. Notice that the source address is your link-local IPv6 address.
8. Observe the Destination address. Notice that the destination address is the LLMNR multicast IPv6 address ff02::1:3.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is a dynamic port selected for this LLMNR query.
11. Observe the Destination port. Notice that it is llmnr (5355).
12. Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
13. Expand Flags to view flags details.
14. Expand Queries to view query details.
15. Observe the query generated.

To analyze LLMNR IPv4 traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. To view only LLMNR traffic, type udp.port == 5355 (lower case) in the Filter box and press Enter.
2. Select the second LLMNR packet labeled Standard query.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be the LLMNR IPv4 multicast MAC address 01:00:5e:00:00:fc and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
6. Expand Internet Protocol Version 4 to view IPv4 details.
7. Observe the Source address. Notice that the source address is your IPv4 address.
8. Observe the Destination address. Notice that the destination address is the LLMNR multicast IPv4 address 224.0.0.252.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is a dynamic port selected for this LLMNR query.
11. Observe the Destination port. Notice that it is llmnr (5355).
12. Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
13. Expand Flags to view flags details.
14. Expand Queries to view query details.
15. Observe the query generated.
16. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide