Jump to content

Wireshark/UDP

From Wikiversity

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze User Datagram Protocol (UDP) traffic.

Readings

[edit | edit source]

Preparation

[edit | edit source]

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture UDP Traffic

[edit | edit source]

To capture UDP traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type ipconfig /renew and press Enter to renew your DHCP assigned IP address. If you have a static address, this will not generate any UDP traffic.
  4. Type ipconfig /flushdns and press Enter to clear your DNS name cache.
  5. Type nslookup 8.8.8.8 and press Enter to look up the hostname for IP address 8.8.8.8.
  6. Close the command prompt.
  7. Stop the Wireshark capture.

Activity 2 - Analyze UDP DHCP Traffic

[edit | edit source]

To analyze UDP DHCP traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic related to the DHCP renewal, type udp.port == 68 (lower case) in the Filter box and press Enter.
  2. Select the first DHCP packet, labeled DHCP Request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be your DHCP server's MAC address and the source should be your MAC address. You can use ipconfig /all to confirm.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Observe the Source address. Notice that the source address is your IP address.
  8. Observe the Destination address. Notice that the destination address is the DHCP server IP address.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is bootpc (68), the bootp client port.
  11. Observe the Destination port. Notice that it is bootps (67), the bootp server port.
  12. In the top Wireshark packet list pane, select the second DHCP packet, labeled DHCP ACK.
  13. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  14. Expand Ethernet II to view Ethernet details.
  15. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
  16. Expand Internet Protocol Version 4 to view IP details.
  17. Observe the Source address. Notice that the source address is the DHCP server IP address.
  18. Observe the Destination address. Notice that the destination address is your IP address.
  19. Expand User Datagram Protocol to view UDP details.
  20. Observe the Source port. Notice that it is bootps (67), the bootp server port.
  21. Observe the Destination port. Notice that it is bootpc (68), the bootp client port.

Activity 3 - Analyze UDP DNS Traffic

[edit | edit source]

To analyze UDP DNS traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic related to the DHCP renewal, type udp.port == 53 (lower case) in the Filter box and press Enter.
  2. Select the first DNS packet, labeled Standard query.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (query) frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be your DNS server's MAC address if it is local, or your default gateway's MAC address if the DNS server is remote. The source should be your MAC address. You can use ipconfig /all to confirm.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Observe the Source address. Notice that the source address is your IP address.
  8. Observe the Destination address. Notice that the destination address is the DNS server IP address.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is a dynamic port selected for this DNS query.
  11. Observe the Destination port. Notice that it is domain (53), the DNS server port.
  12. In the top Wireshark packet list pane, select the second DNS packet, labeled Standard query response.
  13. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (response) frame.
  14. Expand Ethernet II to view Ethernet details.
  15. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DNS server's MAC address if it is local, or your default gateway's MAC address if the DNS server is remote.
  16. Expand Internet Protocol Version 4 to view IP details.
  17. Observe the Source address. Notice that the source address is the DNS server IP address.
  18. Observe the Destination address. Notice that the destination address is your IP address.
  19. Expand User Datagram Protocol to view UDP details.
  20. Observe the Source port. Notice that it is domain (53) the DNS server port.
  21. Observe the Destination port. Notice that it is the same dynamic port used to make the DNS query in the first packet.
  22. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

[edit | edit source]