文档库 最新最全的文档下载
当前位置:文档库 › wireshark练习及答案lab-ipv4

wireshark练习及答案lab-ipv4

wireshark练习及答案lab-ipv4
wireshark练习及答案lab-ipv4

Lab Exercise – IPv4

Objective

To learn about the details of IP (Internet Protocol). IP is the network layer protocol used throughout the Internet. We will examine IP version 4, since it is ubiquitously deployed, whilethe IP version 6 is partly deployed.

The trace is here: https://www.wendangku.net/doc/662741284.html,/~kevin/com320/labs/wireshark/trace-ipv4.pcap

The text file is here: https://www.wendangku.net/doc/662741284.html,/~kevin/com320/labs/wireshark/trace-ipv4.txt Requirements

Wireshark: This lab uses the Wireshark software tool to capture and examine a packet trace. A packet trace is a record of traffic at a location on the network, as if a snapshot was taken of all the bits that passed across a particular wire. The packet trace records a timestamp for each packet, along with the bits that make up the packet, from the lower-layer headers to the higher-layer contents. Wireshark runs on most operating systems, including Windows, Mac and Linux. It provides a graphical UI that shows the sequence of packets and the meaning of the bits when interpreted as protocol headers and data. It col-or-codes packets by their type, and has various ways to filter and analyze packets to let you investigate the behavior of network protocols. Wireshark is widely used to troubleshoot networks. You can down-load it from https://www.wendangku.net/doc/662741284.html, if it is not already installed on your computer. We highly recommend that you watch the short, 5 minute video “Introduction to Wireshark” that is on the site.

wget / curl: This lab uses wget (Linux and Windows) and curl (Mac) to fetch web resources. wget and curl are command-line programs that let you fetch a URL. Unlike a web browser, which fetches and executes entire pages, wget and curl give you control over exactly which URLs you fetch and when you fetch them. Under Linux, wget can be installed via your package manager. Under Windows, wget is available as a binary; look for download information on https://www.wendangku.net/doc/662741284.html,/software/wget/. Under Mac, curl comes installed with the OS. Both h ave many options (try “wget --help” or “curl --help” to see) but a URL can be fetched simply with “wget URL” or “curl URL”. traceroute / tracert: This lab uses “traceroute” to find the router level path from your computer to a remote Internet host. traceroute is a standard command-line utility for discovering the Internet paths that your computer uses. It is widely used for network troubleshooting. It comes pre-installed on Win-dow and Mac, and can be installed using your package manager on Linux. On Windows, it is called “tracert”. It has various options, but simply issuing the command “traceroute https://www.wendangku.net/doc/662741284.html,.au” will cause your computer to find and print the path to the remote computer (here https://www.wendangku.net/doc/662741284.html,.au).

Step 1: Capture a Trace

Proceed as follows to capture a trace assuming that your computer has IPv4 connectivity; alternatively, you may use a supplied trace.The trace we want to gather is a simple web fetch from a remote server, which will cause your computer to send and receive IP packets, followed by a traceroute to the re-mote server to find the path it uses over the Internet.

1.Pick a URL at a remote server, e.g., https://www.wendangku.net/doc/662741284.html,.au/ and check that you can fetch the

contents with wget or curl, e.g., “wget https://www.wendangku.net/doc/662741284.html,.au/” or “curl

https://www.wendangku.net/doc/662741284.html,.au/”. This will fetch the resource and either write it to a file (wget) or to the screen (curl). With wget, you want a single response with status code “200 OK”. If

the fetch does not work then try a different URL; keep in mind that you may be referring to a

URL by a shortcut for which browsers must do work to find the intended content, e.g.,

https://www.wendangku.net/doc/662741284.html, may really be https://www.wendangku.net/doc/662741284.html,/index.html. If no URLs seem to work then de-

bug your use of wget/curl or your Internet connectivity.

2.Perform a traceroute to the same remote server to check that you can discover information

about the network path.On Windows, type, e.g., “tracert https://www.wendangku.net/doc/662741284.html,.au”. On Linux / Mac, type, e.g., “traceroute https://www.wendangku.net/doc/662741284.html,.au”. If you are on Linux / Mac and behind a

NAT (as most home users or virtual machine users) then use the –I option (that was a capital i)

to traceroute, e.g., “traceroute –I https://www.wendangku.net/doc/662741284.html,.au”. This will cause traceroute to send ICMP probes like tracert instead of its usual UDP probes; ICMP probes are better able

to pass through NAT boxes. A successful example is shown below; save the output as you will

need it for later steps. Note that traceroute may take up to a minute to run. Each line shows information about the next IP hop from the computer running traceroute towards the tar-

get destination. T he lines with “*”s indicate that there was no response from the network to

identity that segment of the Internet path. Some unidentified segments are to be expected.

However, if traceroute is not working correctly then nearly all the path will be “*”s. In this

case, try a different remote server, experiment with traceroute, or use the supplied traces.

Figure 1: Running traceroute (as tracert on Windows)

https://www.wendangku.net/doc/662741284.html,unch Wireshark and start a capture with a filter of “tcp port 80“. Make sure to check

“enable network name resolution”.We use this filter to record only standard web traffic. Name resolution will translate the IP addresses of the computers sending and receiving packets into names. It will help you to recognize whether the packets are going to or from your computer.

Your capture window should be similar to the one pictured below, other than our highlighting.

Select the interface from which to capture as the main wired or wireless interface used by your computer to connect to the Internet. If unsure, guess and revisit this step later if your capture is not successful. Uncheck “capture packets in promiscuous mode”. This mode is useful to ove r-hear packets sent to/from other computers on broadcast networks. We only want to record packets sent to/from your computer. Leave other options at their default values. The capture filter, if present, is used to prevent the capture of other traffic your computer may send or re-ceive. On Wireshark 1.8, the capture filter box is present directly on the options screen, but on Wireshark 1.9, you set a capture filter by double-clicking on the interface.

Figure 2: Setting up the capture options

4.After the capture is started, repeat the wget/curl command above. This time, the packets will

also be recorded by Wireshark.

5.After the command is complete, return to Wireshark and stop the trace.You should now have a

short trace similar to that shown in the figure below, along with the output of a traceroute you ran earlier to the corresponding server.

Figure 3: Trace of wget/curl traffic showing the details of the IP header

Step 2: Inspect the Trace

Select any packet in the trace and expand the IP header fields (using the “+” expander or icon) to see the details. You can simply click on a packet to select it (in the top panel). You will see details of its structure (in the middle panel) and the bytes that make up the packet (in the bottom panel).Our interest is the IP header, and you may ignore the other higher and lower layer protocols. When you click on parts of the IP header, you will see the bytes that correspond to the part highlighted in the bottom panel. We have expanded the IP header and clicked on all the IP header fields in the figure above.

Let us go over the fields in turn:

?The version field is set t o 4. This is “IPv4” after all.

?Then there is the header length field. Observe by looking at the bytes selected in the packet da-ta that version and header length are both packed into a single byte.

?The Differentiated Services field contains bit flags to indicate whether the packet should be handled with quality of service and congestion indications at routers.

?Then there is the Total Length field.

?Next is the Identification field, which is used for grouping fragments, when a large IP packet is sent as multiple smaller pieces called fragments. It is followed by the Flags and the Fragment

offset fields, which also relate to fragmentation. Observe they share bytes.

?Then there is the Time to live or TTL field, followed by the Protocol field.

?Next comes the header checksum. Is your header checksum carrying 0 and flagged as incorrect for IP packets sent from your computer to the remote server? On some computers, the operat-ing system software leaves the header checksum blank (zero) for the NIC to compute and fill in as the packet is sent. This is called protocol offloading. It happens after Wireshark sees the

packet, which causes Wireshark to believe that the checksum is wrong and flag it with a differ-

ent color to signal a problem. A similar issue may happen for the TCP checksum. You can remove these false errors if they are occurring by telling Wireshark not to validate the checksums. Select “Preferences” from the Wireshark menus and expand the “Protocols” area. Look under the list until you come to IPv4. Uncheck “Validate checksum if possible”. Similarly, you may uncheck

checksum validation for TCP if applicable to your case.

?The last fields in the header are the normally the source and destination address. It is possible for there to be IP options, but these are unlikely in standard web traffic.

?The IP header is followed by the IP payload. This makes up the rest of the packet, starting with the next higher layer header, TCP in our case, but not including any link layer trailer (e.g., Ether-net padding).

Step 3: IP Packet Structure

To show your understanding of IP, sketch a figure of an IP packet you studied. It should show the position and size in bytes of the IP header fields as you can observe using Wireshark.Since you cannot easily de-termine sub-byte sizes, group any IP fields that are packed into the same bytes.Your figure can simply show the frame as a long, thin rectangle. Try not to look at the figure of an IPv4 packet in your text; check it afterwards to note and investigate any differences.

To work out sizes, observe that when you click on a protocol block in the middle panel (the block itself, not the “+” expander) Wireshark will highlight the corresponding bytes in the packet in the lower panel, and display the length at the bottom of the window. You may also use the overall packet size shown in the Length column or Frame detail block.Note that this method will not tell you sub-byte positions.

By looking at the IP packets in your trace, answer these questions:

1.What are the IP addresses of your computer and the remote server?

2.Does the Total Length field include the IP header plus IP payload, or just the IP payload?

3.How does the value of the Identification field change or stay the same for different packets? For

instance, does it hold the same value for all packets in a TCP connection or does it differ for each packet? Is it the same in both directions? Can you see any pattern if the value does change?

4.What is the initial value of the TTL field for packets sent from your computer? Is it the maximum

possible value, or some lower value?

5.How can you tell from looking at a packet that it has not been fragmented?Most often IP pack-

ets in normal operation are not fragmented. But the receiver must have a way to be sure. Hint: you may need to read your text to confirm a guess.

6.What is the length of the IP Header and how is this encoded in the header length field? Hint: no-

tice that only 4 bits are used for this field, as the version takes up the other 4 bits of the byte.

You may guess and check your text.

Step 4: Internet Paths

The source and destination IP addresses in an IP packet denote the endpoints of an Internet path, not the IP routers on the network path the packet travels from the source to the destination. traceroute is a utility for discovering this path. It works by eliciting responses (ICMP TTL Exceeded messages) from the router 1 hop away from the source towards the destination, then 2 hops away from the source, then 3 hops, and so forth until the destination is reached. The responses will identify the IP address of the router. The output from traceroute normally prints the information for one hop per line, including the measured round trip times and IP address and DNS names of the router. The DNS name is handy for working out the organization to which the router belongs. Since traceroute takes advantage of common router implementations, there is no guarantee that it will work for all routers along the path, and it is usual to see “*” responses when it fails for som e portions of the path.

Using the traceroute output, sketch a drawing of the network path. If you are using the supplied trace, note that we have provided the corresponding traceroute output as a separate file.Show your computer (lefthand side) and the remote server (righthand side), both with IP addresses, as well as the routers along the path between them numbered by their distance on hops from the start of the path. You can find the IP address of your computer and the remote server on the packets in the trace that you captured. The output of traceroute will tell you the hop number for each router.

To finish your drawing, label the routers along the path with the name of the real-world organization to which they belong. To do this, you will need to interpret the domain names of the routers given by tra-ceroute. If you are unsure, label the routers with the domain name of what you take to be the organi-zation. Ignore or leave blank any routers for which there is no domain name (or no IP address).

This is not an exact science, so we will give some examples. Suppose that traceroute identifies a rou-ter along the path by the domain name https://www.wendangku.net/doc/662741284.html,. Normally, we can ignore at least the first part of the name, since it identifies different computers in the same organization and not different organizations. Thus we can ignore at least “arouter” in the domain name. For generic top-level domains, like “.com” and “.edu”, the last two domains give the domain name of the organiz a-tion. So for our example, it is “https://www.wendangku.net/doc/662741284.html,”. To translate this domain name into the real-world name of an organization, we might search for it on the web. You will quickly find that washing-

https://www.wendangku.net/doc/662741284.html, is the University of Washington. This means that “cac” portion is an internal structure in the University of Washington, and not important for the organization name. You would write “University of Washington” on your figure for any routers with domain names of the form *https://www.wendangku.net/doc/662741284.html,.

Alternatively, consider a router with a domain name like https://www.wendangku.net/doc/662741284.html,.au. Again, we ignore at least the “arouter” part as indicating a computer within a specific organization. For country-code top-level domains like “.au” (for Australia) the last three domains in t he name will normally give the organization. In this case the organization’s domain name is https://www.wendangku.net/doc/662741284.html,.au. Using a web search, we find this domain represents AARNET, Australia’s research and education network. The “syd” po r-tion is internal structure, and a good guess is that it means the router is located in the Sydney part of AARNET. So for all routers with domain names of the form *https://www.wendangku.net/doc/662741284.html,.au, you would write

“AARNET” on your figure. While there are no guarantees, you should be able to reason simila rly and at least give the domain name of the organizations near the ends of the path.

Step 5: IP Header Checksum

We will nowlook at the IP header checksum calculation by validating a packet. The checksum algorithm adds the header bytes 16 bits at a time. It is computed so that re-computing the sum across the entire IP header (including the checksum value) will produce the result of zero. A complicating factor for us is that this is done using 1s complement arithmetic, rather than 2s complement arithmetic that is normally used for computing. The steps below explain how to perform the necessary computation.

From the trace, pick a packet sent from the remote server to your computer and check that you have a non-zero value in the checksum field. The checksum value sent over the network will be non-zero, so if you have a zero value it is because of the capture setup. Try a packet that has an IP header of 20 bytes, the minimum header size when there are no options, to make this exercise easier.

Follow these steps to check that the checksum value is correct:

1.Divide the header into 10 two byte (16 bit) words. Each word will be 4 hexadecimal digits shown

in the packet data panel in the bottom of the Wireshark window, e.g., 05 8c

2.Add these 10 words using regular addition. You may add them with a hexadecimal calculator

(Google to find one), or convert them to decimal, add them, and convert them back to hexade-cimal. Do whatever is easiest.

3.To compute the 1s complement sum from your addition so far, take any leading digits (beyond

the 4 digits of the word size) and add them back to the remainder. For example:5a432will be-

come a432 + 5= a437.

4.The end result should be 0xffff. This is actually zero in 1s complement form, or more precise-

ly 0xffff is -0 (negative zero) while 0x0000 is +0 (positive zero).

If you cannot get your sum to come out and are sure that the checksum must be wrong, you can get Wireshark to check it. See whether it says “*correct+” already. If it does not then use the menus to go to Preferences, expand Protocols, choose IPv4 from the list, and check “validate header checksum”. Now Wireshark will check the checksum and tell you if it is correct.

Extra - Explore on your own

We encourage you to explore IP on your own once you have completed this lab. Some ideas:

?Read about and experiment with IPv6. Modern operating systems already include support for IPv6, so you may be able to capture IPv6 traffic on your network. You can also “join the IPv6”

backbone by tunneling to an IPv6 provider.

?Learn about tunnels, which wrap an IP packet within another IP header.

?Read about IP geolocation. It is the process of assigning a geographical location to an IP address using measurements or clues from its name administrative databases. Try a geolocation service.

?Learn about IPsec or IP security. It provides confidentiality and authentication for IP packets, and is often used as part of VPNs.

按章节练习及答案全部1-11章

第二章网络通讯选择关于网络协议的正确陈述。(选择三项)正确答案应该是1 3 5 定义特定层PDU 的结构 规定实现协议层功能的方式 概述层与层之间通信所需的功能 限制了硬件兼容性 需要取决于协议层的封装过程 杜绝厂商之间的标准化 2下列哪些陈述正确指出了中间设备在网络中的作用?(选择三项) 确定数据传输路径 发起数据通信 重新定时和重新传输数据信号 发送数据流 管理数据流 数据流最后的终止点 3在封装过程中,数据链路层执行什么操作? 不添加地址。 添加逻辑地址。 添加物理地址。 添加进程的端口号。 4以下哪种特征正确代表了网络中的终端设备?

管理数据流 发送数据流 重新定时和重新传输数据信号 确定数据传输路径 5什么是PDU? 传输期间的帧损坏 在目的设备上重组的数据 因通信丢失而重新传输的数据包 特定层的封装 6 请参见图示。所示网络属于哪一类型? WAN MAN LAN WLAN

7通过检查网络层报头可以确定什么? 本地介质上的目的设备 用于到达目的主机的路径 将要通过介质传输的比特 创建数据的源应用程序或进程 8哪一层负责将数据段封装成数据包? 物理层 数据链路层 网络层 传输层 9封装的关键功能是什么?(选择三项) 供传输前修改原始数据 标识数据片段属于同一通信 为通信提供统一的网络路径 确保数据片段可以转发到正确的接收端设备 实现完整消息的重组 跟踪终端设备之间的延迟 10T CP/IP 网络接入层有何作用? 路径确定和数据包交换 数据表示、编码和控制

可靠性、流量控制和错误检测 详细规定构成物理链路的组件及其接入方法 将数据段划分为数据包 11下列哪三项陈述是对局域网(LAN) 最准确的描述?(选择三项) LAN 通常位于一个地域内。 此类网络由由一个组织管理。 LAN 中的不同网段之间一般通过租用连接的方式连接。 此类网络的安全和访问控制由服务提供商控制。 LAN 为同一个组织内的用户提供网络服务和应用程序访问。 此类网络的每个终端通常都连接到电信服务提供商(TSP)。 12 请参见图示。哪个术语正确判断出了包含于绿色区域中的设备类型? 源 终端 传输

Wireshark抓包实验报告.

第一次实验:利用Wireshark软件进行数据包抓取 1.3.2 抓取一次完整的网络通信过程的数据包实验 一,实验目的: 通过本次实验,学生能掌握使用Wireshark抓取ping命令的完整通信过程的数据包的技能,熟悉Wireshark软件的包过滤设置和数据显示功能的使用。 二,实验环境: 操作系统为Windows 7,抓包工具为Wireshark. 三,实验原理: ping是用来测试网络连通性的命令,一旦发出ping命令,主机会发出连续的测试数据包到网络中,在通常的情况下,主机会收到回应数据包,ping采用的是ICMP协议。 四,验步骤: 1.确定目标地址:选择https://www.wendangku.net/doc/662741284.html,作为目标地址。 2.配置过滤器:针对协议进行过滤设置,ping使用的是ICMP协议,抓包前使用捕捉过滤器,过滤设置为icmp,如图 1- 1

图 1-1 3.启动抓包:点击【start】开始抓包,在命令提示符下键入ping https://www.wendangku.net/doc/662741284.html,, 如图 1-2

图 1-2 停止抓包后,截取的数据如图 1-3 图 1-3 4,分析数据包:选取一个数据包进行分析,如图1- 4

图1-4 每一个包都是通过数据链路层DLC协议,IP协议和ICMP协议共三层协议的封装。DLC协议的目的和源地址是MAC地址,IP协议的目的和源地址是IP地址,这层主要负责将上层收到的信息发送出去,而ICMP协议主要是Type和Code来识别,“Type:8,Code:0”表示报文类型为诊断报文的请求测试包,“Type:0,Code:0”表示报文类型为诊断报文类型请正常的包。ICMP提供多种类型的消息为源端节点提供网络额故障信息反馈,报文类型可归纳如下: (1)诊断报文(类型:8,代码0;类型:0代码:0); (2)目的不可达报文(类型:3,代码0-15); (3)重定向报文(类型:5,代码:0--4); (4)超时报文(类型:11,代码:0--1); (5)信息报文(类型:12--18)。

wireshark练习及答案lab-tcp

Lab Exercise – TCP Objective To see the details of TCP (Transmission Control Protocol). TCP is the main transport layer protocol used in the Internet. The trace file is here: https://www.wendangku.net/doc/662741284.html,/~kevin/com320/labs/wireshark/trace-tcp.pcap Requirements Wireshark: This lab uses Wireshark to capture or examine a packet trace. A packet trace is a record of traffic at some location on the network, as if a snapshot was taken of all the bits that passed across a particular wire. The packet trace records a timestamp for each packet, along with the bits that make up the packet, from the low-layer headers to the higher-layer contents. Wireshark runs on most operating systems, including Windows, Mac and Linux. It provides a graphical UI that shows the sequence of pack-ets and the meaning of the bits when interpreted as protocol headers and data. The packets are color-coded to convey their meaning, and Wireshark includes various ways to filter and analyze them to let you investigate different aspects of behavior. It is widely used to troubleshoot networks. You can down-load Wireshark from https://www.wendangku.net/doc/662741284.html, if it is not already installed on your computer. We highly rec-ommend that you watch the short, 5 minute video “Introduction to Wireshark” that is on the site. wget / curl: This lab uses wget (Linux and Windows) and curl (Mac) to fetch web resources. wget and curl are command-line programs that let you fetch a URL. Unlike a web browser, which fetches and executes entire pages, wget and curl give you control over exactly which URLs you fetch and when you fetch them. Under Linux, wget can be installed via your package manager. Under Windows, wget is available as a binary at my site https://www.wendangku.net/doc/662741284.html,/~kevin/com320/labs/wget.exe or look for download information on https://www.wendangku.net/doc/662741284.html,/software/wget/. Both have many options (try “wget --help” or “curl --help” to see) but a URL can be fetched simply with “wget URL” or “curl URL”. Browser: This lab uses a web browser to find or fetch pages as a workload. Any web browser will do.

Wireshark使用教程详解,带实例

Wireshark教程带实例 第 1 章介绍 1.1. 什么是Wireshark Wireshark 是网络包分析工具。网络包分析工具的主要作用是尝试捕获网络包,并尝试显示包的尽可能详细的情况。 你可以把网络包分析工具当成是一种用来测量有什么东西从网线上进出的测量工具,就好像使电工用来测量进入电信的电量的电度表一样。(当然比那个更高级) 过去的此类工具要么是过于昂贵,要么是属于某人私有,或者是二者兼顾。 Wireshark出现以后,这种现状得以改变。Wireshark可能算得上是今天能使用的最好的开元网络分析软件。 1.1.1. 主要应用 下面是Wireshark一些应用的举例: ?网络管理员用来解决网络问题 ?网络安全工程师用来检测安全隐患 ?开发人员用来测试协议执行情况 ?用来学习网络协议 除了上面提到的,Wireshark还可以用在其它许多场合。 1.1. 2. 特性 ?支持UNIX和Windows平台 ?在接口实时捕捉包 ?能详细显示包的详细协议信息 ?可以打开/保存捕捉的包 ?可以导入导出其他捕捉程序支持的包数据格式 ?可以通过多种方式过滤包 ?多种方式查找包 ?通过过滤以多种色彩显示包 ?创建多种统计分析 ?…还有许多 不管怎么说,要想真正了解它的强大,您还得使用它才行

图 1.1. Wireshark捕捉包并允许您检视其内 1.1.3. 捕捉多种网络接口 Wireshark 可以捕捉多种网络接口类型的包,哪怕是无线局域网接口。想了解支持的所有网络接口类型,可以在我们的网站上找到https://www.wendangku.net/doc/662741284.html,/CaptureSetup/NetworkMedia. 1.1.4. 支持多种其它程序捕捉的文件 Wireshark可以打开多种网络分析软件捕捉的包,详见??? 1.1.5. 支持多格式输出 Wieshark可以将捕捉文件输出为多种其他捕捉软件支持的格式,详见??? 1.1.6. 对多种协议解码提供支持 可以支持许多协议的解码(在Wireshark中可能被称为解剖)??? 1.1.7. 开源软件 Wireshark是开源软件项目,用GPL协议发行。您可以免费在任意数量的机器上使用它,不用担心授权和付费问题,所有的源代码在GPL框架下都可以免费使用。因为以上原因,人们可以很容易在Wireshark上添加新的协议,或者将其作为插件整合到您的程序里,这种应用十分广泛。 1.1.8. Wireshark不能做的事 Wireshark不能提供如下功能 ?Wireshark不是入侵检测系统。如果他/她在您的网络做了一些他/她们不被允许的奇怪的事情,Wireshark不会警告您。但是如果发生了奇怪的事情,Wireshark可能对察看发生了什么会有所帮助。[3]?Wireshark不会处理网络事务,它仅仅是“测量”(监视)网络。Wireshark不会发送网络包或做其它交互性的事情(名称解析除外,但您也可以禁止解析)。 1.2. 系通需求

实验一-Wireshark的安装与使用

一、实验目的 1、熟悉并掌握Wireshark的基本使用; 2、了解网络协议实体间进行交互以及报文交换的情况。 二、实验环境 与因特网连接的计算机,操作系统为Windows,安装有Wireshark、IE等软件。 三、预备知识 要深入理解网络协议,需要观察它们的工作过程并使用它们,即观察两个协议实体之间交换的报文序列,探究协议操作的细节,使协议实体执行某些动作,观察这些动作及其影响。这种观察可以在仿真环境下或在因特网这样的真实网络环境中完成。 观察正在运行的协议实体间交换报文的基本工具被称为分组嗅探器(packet sniffer),又称分组捕获器。顾名思义,分组嗅探器捕获(嗅探)你的计算机发送和接收的报文。 图显示了一个分组嗅探器的结构。 图分组嗅探器的结构 图右边是计算机上正常运行的协议和应用程序(如:Web浏览器和FTP客户端)。分组嗅探器(虚线框中的部分)主要有两部分组成:第一是分组捕获器,其功能是捕获计算机发送和接收的每一个链路层帧的拷贝;第二个组成部分是分组分析器,其作用是分析并显示协议报文所有字段的内容(它能识别目前使用的各种网络协议)。 Wireshark是一种可以运行在Windows, UNIX, Linux等操作系统上的分组

嗅探器,是一个开源免费软件,可以从下载。 运行Wireshark 程序时,其图形用户界面如图所示。最初,各窗口中并无数据显示。Wireshark 的界面主要有五个组成部分: 命令和菜单 协议筛选框 捕获分组 列表 选定分组 首部明细 分组内容 左:十六进制 右:ASCII码 图 Wireshark 主界面 命令菜单(command menus):命令菜单位于窗口的最顶部,是标准的下拉式菜单。 协议筛选框(display filter specification):在该处填写某种协议的名称,Wireshark据此对分组列表窗口中的分组进行过滤,只显示你需要的分组。 捕获分组列表(listing of captured packets):按行显示已被捕获的分组内容,其中包括:分组序号、捕获时间、源地址和目的地址、协议类型、协议信息说明。单击某一列的列名,可以使分组列表按指定列排序。其中,协议类型是发送或接收分组的最高层协议的类型。 分组首部明细(details of selected packet header):显示捕获分组列表窗口中被选中分组的首部详细信息。包括该分组的各个层次的首部信息,需要查看哪层信息,双击对应层次或单击该层最前面的“+”即可。 分组内容窗口(packet content):分别以十六进制(左)和ASCII码(右)两种格式显示被捕获帧的完整内容。

wireshark抓包分析实验报告

Wireshark抓包分析实验 若惜年 一、实验目的: 1.学习安装使用wireshark软件,能在电脑上抓包。 2.对抓出包进行分析,分析得到的报文,并与学习到的知识相互印证。 二、实验内容: 使用抓包软件抓取HTTP协议通信的网络数据和DNS通信的网络数据,分析对应的HTTP、TCP、IP协议和DNS、UDP、IP协议。 三、实验正文: IP报文分析: 从图中可以看出: IP报文版本号为:IPV4 首部长度为:20 bytes 数据包长度为:40 标识符:0xd74b 标志:0x02 比特偏移:0 寿命:48 上层协议:TCP 首部校验和:0x5c12 源IP地址为:119.75.222.18 目的IP为:192.168.1.108

从图中可以看出: 源端口号:1891 目的端口号:8000 udp报文长度为:28 检验和:0x58d7 数据长度:20 bytes UDP协议是一种无需建立连接的协议,它的报文格式很简单。当主机中的DNS 应用程序想要惊醒一次查询时,它构造一个DNS查询报文段并把它给UDP,不需要UDP之间握手,UDP为报文加上首部字段,将报文段交给网络层。

第一次握手: 从图中看出: 源端口号:56770 目的端口号:80 序列号为:0 首部长为: 32 bytes SYN为1表示建立连接成功当fin为1时表示删除连接。

第二次握手: 从图中看出: 源端口号是:80 目的端口号为:56770 序列号为:0 ack为:1 Acknowledgement为1表示包含确认的报文Syn为1表示建立连接。

第三次握手: 从图中看出: 源端口:56770 目的端口:80 序列号为:1 ACK为:1 首部长为:20bytes Acknowledgement为1表示包含确认的报文 所以,看出来这是TCP连接成功了 Tcp是因特网运输层的面向连接的可靠的运输协议,在一个应用进程可以开始向另一个应用进程发送数据前,这两个进程必须先握手,即它们必须相互发送预备文段,建立确保传输的参数。

实验四wireshark教程

Wireshark教程 当前,互联网已经越来越成为人们生活中必不可少的组成部分。面对日益复杂的网络环境,网络管理员必须花费更很多的时间和精力,来了解网络设备的运作情况,以维持系统的正常运行。当网络趋于复杂,就必须借助于专业的工具了。因此,作为一个网络管理人员和网络从业者,熟练掌握和运用一套网络管理软件来对整个网络进行协议分析,是一个必不可少的技能。 当前较为流行的网络协议嗅探和分析软件—Wireshark 。通过使用抓包工具,来准确而快速地判断网络问题的所在,大大缩短寻找问题的时间。 网络管理人员的私人秘书—Wireshark 网络流量分析是指捕捉网络中流动的数据包,并通过查看包内部数据以及进行相关的协议、流量分析、统计等来发现网络运行过程中出现的问题,它是网络和系统管理人员进行网络故障和性能诊断的有效工具。通常,人们把网络分析总结为四种方式:基于流量镜像协议分析,基于 SNMP 的流量监测技术,基于网络探针( Probe )技术和基于流( flow )的流量分析。而我们下面要向大家介绍的 Wireshark 就是基于流量镜像协议分析。 流量镜像协议分析方式是把网络设备的某个端口(链路)流量镜像给协议分析仪,通过 7 层协议解码对网络流量进行监测。但该方法主要侧重于协议分析,而非用户流量访问统计和趋势分析,仅能在短时间内对流经接口的数据包进行分析,无法满足大流量、长期的抓包和趋势分析的要求。 Wireshark 的前身是著名的 Ethereal 。 Wireshark 是一款免费的网络协议检测程序。它具有设计完美的 GUI 和众多分类信息及过滤选项。下面是 Wireshark 的界面。 用户通过 Wireshark ,同时将网卡插入混合模式,可以用来监测所有在网络上被传送的包,并分析其内容。通过查看每一封包流向及其内容,用来检查网络的工作情况,或是用来发现网络程序的 bugs 。 Wireshark 是一个开放源码的网络分析系统,也是是目前最好的开放源码的网络协议分析器,支持 Unix Linux 和 Windows 平台。由于 Wireshark 是 Open Source ,更新快,支持的协议多,特别是数据包过滤功能灵活强大。 Wireshark 提供了对 TCP 、 UDP 、 SMB 、 telnet 和 ftp 等常用协议的支持。它在很多情况下可以代替价格昂贵的 Sniffer 。 安装好后,双击桌面上的 Wireshark 图标,运行软件。再捕捉数据包之前,首先要对捕获的条件进行设置。点击工具栏里的“Capture à Options”,(图一)或者直接点击快捷按钮(图二),打开选项设置页面(图三)。

wireshark练习及答案lab-protocol-layers

Lab Exercise – Protocol Layers Objective To learn how protocols and layering are represented in packets. They are key concepts for structuring networks that are covered in the text. The trace for this lab is here: https://www.wendangku.net/doc/662741284.html,/~kevin/com320/labs/wireshark/trace-protocol-layers.pcap (although the main trace you will look at is from a site you pick such as https://www.wendangku.net/doc/662741284.html, in the exam-ples which follow). Requirements Wireshark: This lab uses the Wireshark software tool to capture andexamine a packet trace. A packet trace is a record of traffic at a location on the network, as if a snapshot was taken of all the bits that passed across a particular wire. The packet trace records a timestamp for each packet, along with the bits that make up the packet, from the lower-layer headers to the higher-layer contents.Wireshark runs on most operating systems, including Windows, Mac and Linux. It provides a graphical UI that shows the sequence of packets and the meaning of the bits when interpreted as protocol headers and data. It col-or-codes packets by their type, and has various ways to filter and analyze packets to let you investigate the behavior of network protocols. Wireshark is widely used to troubleshoot networks. You can down-load it https://www.wendangku.net/doc/662741284.html, for your personal computer. It is an ideal packet analyzer for our labs –it is stable, has a large user base and well-documented support that includes a user-guide https://www.wendangku.net/doc/662741284.html,/docs/wsug_html_chunked), and a detailed FAQ, rich functionality that in-cludes the capability to analyze hundreds of protocols, and a well-designed user interface. It operates in computers using Ethernet, serial (PPP and SLIP), 802.11 wireless LANs, and many other link-layer tech-nologies (if the OS on which it is running allows Wireshark to do so). It is already installed in the labs. A quick help guide to Wireshark display filters is here: https://www.wendangku.net/doc/662741284.html,/wireshark_filters.php Wireshark is a core tool for any wireless ‘man in the middle’ or similar snooping attack. It is simply i n-dispensable for those who wish to examine packets being transferred over a network –good or bad…..

计算机网络实验Wireshark

计算机网络实验指导书

目录 实验一Wireshark的安装与使用 (3) 实验二使用Wireshark分析以太网帧与ARP协议 (7) 实验三使用Wireshark分析IP协议 (11) 实验四利用Wireshark分析ICMP (19) 实验五使用Wireshark分析UDP协议 (25) 实验六使用Wireshark分析TCP协议 (29) 实验七利用Wireshark分析协议HTTP (35) 实验八利用Wireshark分析DNS协议 (40) 实验九使用Wireshark分析FTP协议(选作) (44) 实验十使用Wireshark分析SMTP与POP3协议(选作) (48)

实验一Wireshark的安装与使用 一、实验目的 1、熟悉并掌握Wireshark的基本使用; 2、了解网络协议实体间进行交互以及报文交换的情况。 二、实验环境 与因特网连接的计算机,操作系统为Windows,安装有Wireshark、IE等软件。 三、预备知识 要深入理解网络协议,需要观察它们的工作过程并使用它们,即观察两个协议实体之间交换的报文序列,探究协议操作的细节,使协议实体执行某些动作,观察这些动作及其影响。这种观察可以在仿真环境下或在因特网这样的真实网络环境中完成。 观察正在运行的协议实体间交换报文的基本工具被称为分组嗅探器(packet sniffer),又称分组捕获器。顾名思义,分组嗅探器捕获(嗅探)您的计算机发送与接收的报文。 图1显示了一个分组嗅探器的结构。 图1 图1右边就是计算机上正常运行的协议与应用程序(如:Web浏览器与FTP客户端)。分组嗅探器(虚线框中的部分)主要有两部分组成:第一就是分组捕获器,其功能就是捕获计算机发送与接收的每一个链路层帧的拷贝;第二个组成部分就是分组分析器,其作用就是分析并显示协议报文所有字段的内容(它能识别目前使用的各种网络协议)。 Wireshark就是一种可以运行在Windows, UNIX, Linux等操作系统上的分组嗅探器,就是一个开源免费软件,可以从、wireshark、org下载。

Wireshark使用教程(精品)

Wireshark使用教程 第 1 章介绍 1.1. 什么是Wireshark Wireshark 是网络包分析工具。网络包分析工具的主要作用是尝试捕获网络包,并尝试显示包的尽可能详细的情况。 你可以把网络包分析工具当成是一种用来测量有什么东西从网线上进出的测量工具,就好像使电工用来测量进入电信的电量的电度表一样。(当然比那个更高级) 过去的此类工具要么是过于昂贵,要么是属于某人私有,或者是二者兼顾。 Wireshark出现以后,这种现状得以改变。Wireshark可能算得上是今天能使用的最好的开元网络分析软件。 1.1.1. 主要应用 下面是Wireshark一些应用的举例: ?网络管理员用来解决网络问题 ?网络安全工程师用来检测安全隐患 ?开发人员用来测试协议执行情况 ?用来学习网络协议 除了上面提到的,Wireshark还可以用在其它许多场合。 1.1. 2. 特性 ?支持UNIX和Windows平台 ?在接口实时捕捉包 ?能详细显示包的详细协议信息 ?可以打开/保存捕捉的包 ?可以导入导出其他捕捉程序支持的包数据格式 ?可以通过多种方式过滤包 ?多种方式查找包 ?通过过滤以多种色彩显示包 ?创建多种统计分析 ?…还有许多 不管怎么说,要想真正了解它的强大,您还得使用它才行

图 1.1. Wireshark捕捉包并允许您检视其内 1.1.3. 捕捉多种网络接口 Wireshark 可以捕捉多种网络接口类型的包,哪怕是无线局域网接口。想了解支持的所有网络接口类型,可以在我们的网站上找到https://www.wendangku.net/doc/662741284.html,/CaptureSetup/NetworkMedia. 1.1.4. 支持多种其它程序捕捉的文件 Wireshark可以打开多种网络分析软件捕捉的包,详见??? 1.1.5. 支持多格式输出 Wieshark可以将捕捉文件输出为多种其他捕捉软件支持的格式,详见??? 1.1.6. 对多种协议解码提供支持 可以支持许多协议的解码(在Wireshark中可能被称为解剖)??? 1.1.7. 开源软件 Wireshark是开源软件项目,用GPL协议发行。您可以免费在任意数量的机器上使用它,不用担心授权和付费问题,所有的源代码在GPL框架下都可以免费使用。因为以上原因,人们可以很容易在Wireshark上添加新的协议,或者将其作为插件整合到您的程序里,这种应用十分广泛。 1.1.8. Wireshark不能做的事 Wireshark不能提供如下功能 ?Wireshark不是入侵检测系统。如果他/她在您的网络做了一些他/她们不被允许的奇怪的事情,Wireshark不会警告您。但是如果发生了奇怪的事情,Wireshark可能对察看发生了什么会有所帮助。[3]?Wireshark不会处理网络事务,它仅仅是“测量”(监视)网络。Wireshark不会发送网络包或做其它交互性的事情(名称解析除外,但您也可以禁止解析)。 1.2. 系通需求

思科章节练习第二章到第七章试题及答案

思科章节练习第二章到第七章试题及答案 第二章 1.下列哪些陈述正确指出了中间设备在网络中的作用?(选择三项) (135) 确定数据传输路径 发起数据通信 重新定时和重新传输数据信号 发送数据流 管理数据流 数据流最后的终止点 2.请选择关于网络协议的正确陈述。(选择三项。135) 定义特定层 PDU 的结构 规定实现协议层功能的方式 概述层与层之间通信所需的功能 限制了对硬件兼容性的需要 需要取决于协议层的封装过程 杜绝厂商之间的标准化 3.封装的两个功能是什么?(45选择两项) 跟踪终端设备之间的延迟 为通信提供统一的网络路径 在传输前可以修改原始数据 标识属于同一通信的数据片段 确保数据片段可以转发到正确的接收端设备 4.数据链路层封装添加的报尾信息有何主要功能?1 支持差错校验 确保数据按照顺序到达 确保送达正确目的 标识本地网络中的设备 帮助中间设备进行处理和路径选择 5.OSI 模型哪两层的功能与 TCP/IP 模型的网络接入层相同?(选择两项34)网络层 传输层 物理层 数据链路层 会话层 6.什么是 PDU?4 传输期间的帧损坏 在目的设备上重组的数据 因通信丢失而重新传输的数据包 特定层的封装 7.以下哪种特征正确代表了网络中的终端设备? 2 管理数据流 发送数据流 重新定时和重新传输数据信号

确定数据传输路径 8.IP 地址为 10.0.0.34 的“手机A”已经与 IP 地址为 172.16.1.103 的“IP 电话1”建立了 IP 会话。请根据图示回答,下列哪个设备类型是对无线设备“手机A”功能的最准确描述? 2 目的设备 终端设备 中间设备 介质设备 9.下列哪三个标签正确标识了图示网段的网络类型?(236选择三项) 网络 A -- WAN 网络 B -- WAN 网络 C -- LAN 网络 B -- MAN 网络 C -- WAN 网络 A -- LAN 10.下列哪三项陈述是对局域网 (LAN) 最准确的描述?(选择三项125) LAN 通常位于一个地域内。 此类网络由由一个组织管理。 LAN 中的不同网段之间一般通过租用连接的方式连接。 此类网络的安全和访问控制由服务提供商控制。 LAN 为同一个组织内的用户提供网络服务和应用程序访问。 此类网络的每个终端通常都连接到电信服务提供商 (TSP)。 11. 哪个网络术语描述了图中所示的数据交替发送过程?4 通道 PDU 流传输 多路复用 封装 12第 4 层端口指定的主要作用是什么?5 标识本地介质中的设备 标识源设备和目的设备之间的跳数 向中间设备标识通过该网络的最佳路径 标识正在通信的源终端设备和目的终端设备 标识终端设备内正在通信的进程或服务 13. 哪种设备被视为中间设备? 5 文件服务器 IP 电话 笔记本电脑 打印机 交换机 14.哪个术语正确判断出了包含于区域 B 中的设备类型? 4 源设备 终端设备

wireshark捕获器使用教程

Wireshark的捕捉过滤器和显示过滤器 Wireshark两种过滤器使用的语法是完全不同的。我们将在接下来的几页中对它们进行介绍: 1. 捕捉过滤器 捕捉过滤器的语法与其它使用Lipcap(Linux)或者Winpcap(Windows)库开发的软件一样,比如著名的TCPdump。捕捉过滤器必须在开始捕捉前设置完毕,这一点跟显示过滤器是不同的。 设置捕捉过滤器的步骤是: - 选择capture -> options。 - 填写"capture filter"栏或者点击"capture filter"按钮为您的过滤器起一个名字并保存,以便 在今后的捕捉中继续使用这个过滤器。 - 点击开始(Start)进行捕捉。

语法: 例子:tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128 Protocol(协议): 可能的值: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. 如果没有特别指明是什么协议,则默认使用所有支持的协议。 Direction(方向): 可能的值: src, dst, src and dst, src or dst 如果没有特别指明来源或目的地,则默认使用"src or dst" 作为关键字。 例如,"host 10.2.2.2"与"src or dst host 10.2.2.2"是一样的。Host(s): 可能的值:net, port, host, portrange. 如果没有指定此值,则默认使用"host"关键字。

实验一 wireshark抓包工具使用

实验一wireshark抓包工具使用[实验目的] 学习wireshark抓包工具的使用 了解wireshark抓包工具的功能 通过学习,进一步理解协议及网络体系结构思想 [实验原理] Wireshark是网络包分析工具。网络包分析工具的主要作用是尝试捕获网络包,并尝试显示包的尽可能详细的情况。 主要应用: 网络管理员用来解决网络问题 网络安全工程师用来检测安全隐患 开发人员用来测试协议执行情况 用来学习网络协议 [实验内容] 下载WIRESHARK,学习工具的使用和功能。

Wireshark 是网络包分析工具。网络包分析工具的主要作用是尝试捕获网络包,并尝试显示包的尽可能详细的情况。 你可以把网络包分析工具当成是一种用来测量有什么东西从网线上进出的测量工具,就好像使电工用来测量进入电信的电量的电度表一样。(当然比那个更高级) 过去的此类工具要么是过于昂贵,要么是属于某人私有,或者是二者兼顾。 Wireshark出现以后,这种现状得以改变。 Wireshark可能算得上是今天能使用的最好的开元网络分析软件。 工作流程 (1)确定Wireshark的位置。如果没有一个正确的位置,启动Wireshark后会花费很长的时间捕获一些与自己无关的数据。 (2)选择捕获接口。一般都是选择连接到Internet网络的接口,这样才可以捕获到与网络相关的数据。否则,捕获到的其它数据对自己也没有任何帮助。 (3)使用捕获过滤器。通过设置捕获过滤器,可以避免产生过大的捕获文件。这样用户在分析数据时,也不会受其它数据干扰。而且,还可以为用户节约大量的时间。 (4)使用显示过滤器。通常使用捕获过滤器过滤后的数据,往往还是很复杂。为了使过滤的数据包再更细致,此时使用显示过滤器进行过滤。 (5)使用着色规则。通常使用显示过滤器过滤后的数据,都是有用的数据包。如果想更加突出的显示某个会话,可以使用着色规则高亮显示。 (6)构建图表。如果用户想要更明显的看出一个网络中数据的变化情况,使用图表的 形式可以很方便的展现数据分布情况。

Wireshark使用教程

第 1 章介绍 1.1. 什么是Wireshark Wireshark 是网络包分析工具。网络包分析工具的主要作用是尝试捕获网络包,并尝试显示包的尽可能详细的情况。 你可以把网络包分析工具当成是一种用来测量有什么东西从网线上进出的测量工具,就好像使电工用来测量进入电信的电量的电度表一样。(当然比那个更高级) 过去的此类工具要么是过于昂贵,要么是属于某人私有,或者是二者兼顾。 Wireshark出现以后,这种现状得以改变。Wireshark可能算得上是今天能使用的最好的开元网络分析软件。 1.1.1. 主要应用 下面是Wireshark一些应用的举例: ?网络管理员用来解决网络问题 ?网络安全工程师用来检测安全隐患 ?开发人员用来测试协议执行情况 ?用来学习网络协议 除了上面提到的,Wireshark还可以用在其它许多场合。 1.1. 2. 特性 ?支持UNIX和Windows平台 ?在接口实时捕捉包 ?能详细显示包的详细协议信息 ?可以打开/保存捕捉的包 ?可以导入导出其他捕捉程序支持的包数据格式 ?可以通过多种方式过滤包 ?多种方式查找包 ?通过过滤以多种色彩显示包 ?创建多种统计分析 ?…还有许多 不管怎么说,要想真正了解它的强大,您还得使用它才行 图 1.1. Wireshark捕捉包并允许您检视其内

1.1.3. 捕捉多种网络接口 Wireshark 可以捕捉多种网络接口类型的包,哪怕是无线局域网接口。想了解支持的所有网络接口类型,可以在我们的网站上找到https://www.wendangku.net/doc/662741284.html,/CaptureSetup/NetworkMedia. 1.1.4. 支持多种其它程序捕捉的文件 Wireshark可以打开多种网络分析软件捕捉的包,详见??? 1.1.5. 支持多格式输出 Wieshark可以将捕捉文件输出为多种其他捕捉软件支持的格式,详见??? 1.1.6. 对多种协议解码提供支持 可以支持许多协议的解码(在Wireshark中可能被称为解剖)??? 1.1.7. 开源软件 Wireshark是开源软件项目,用GPL协议发行。您可以免费在任意数量的机器上使用它,不用担心授权和付费问题,所有的源代码在GPL框架下都可以免费使用。因为以上原因,人们可以很容易在Wireshark上添加新的协议,或者将其作为插件整合到您的程序里,这种应用十分广泛。 1.1.8. Wireshark不能做的事 Wireshark不能提供如下功能 ?Wireshark不是入侵检测系统。如果他/她在您的网络做了一些他/她们不被允许的奇怪的事情,Wireshark不会警告您。但是如果发生了奇怪的事情,Wireshark可能对察看发生了什么会有所帮助。[3]?Wireshark不会处理网络事务,它仅仅是“测量”(监视)网络。Wireshark不会发送网络包或做其它交互性的事情(名称解析除外,但您也可以禁止解析)。 1.2. 系通需求 想要安装运行Wireshark需要具备的软硬件条件... 1.2.1. 一般说明 ?给出的值只是最小需求,在大多数网络中可以正常使用,但不排除某些情况下不能使用。[4] ?在繁忙的网络中捕捉包将很容塞满您的硬盘!举个简单的例子:在100MBIT/s全双工以太网中捕捉数据将会产生750MByties/min的数据!在此类网络中拥有高速的CPU,大量的内存和足够的磁盘空间是十分有必要的。 ?如果Wireshark运行时内存不足将会导致异常终止。可以在 https://www.wendangku.net/doc/662741284.html,/KnownBugs/OutOfMemory察看详细介绍以及解决办法。 ?Wireshark作为对处理器时间敏感任务,在多处理器/多线程系统环境工作不会比单独处理器有更快的速度,例如过滤包就是在一个处理器下线程运行,除了以下情况例外:在捕捉包时“实时更新包列表”,此时捕捉包将会运行在一个处理下,显示包将会运行在另一个处理器下。此时多处理或许会有所帮助。[5] 1.2.2. Microsoft Windows ?Windows 2000,XP Home版,XP Pro版,XP Tablet PC,XP Media Center, Server 2003 or Vista(推荐在XP下使用) ?32-bit奔腾处理器或同等规格的处理器(建议频率:400MHz或更高),64-bit处理器在WoW64仿真环境下-见一般说明 ?128MB系统内存(建议256Mbytes或更高) ?75MB可用磁盘空间(如果想保存捕捉文件,需要更多空间) 800*600(建议1280*1024或更高)分辨率最少65536(16bit)色,(256色旧设备安装时需要选择”legacy GTK1”) ?网卡需求: o以太网:windows支持的任何以太网卡都可以 o无线局域网卡:见MicroLogix support list, 不捕捉802.11包头和无数据桢。 o其它接口见:https://www.wendangku.net/doc/662741284.html,/CaptureSetup/NetworkMedia

wireshark练习及答案lab-dns.doc

Lab Exercise – DNS Objective DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses . Step 1: Analyse the supplied DNS Trace Here we examine the supplied trace of a browser making DNS requests as follows. The trace is here: https://www.wendangku.net/doc/662741284.html,/~kevin/com320/labs/wireshark/trace-dns.pcap https://www.wendangku.net/doc/662741284.html,unch Wireshark and start a capture with a filter of “udp port 53”.We use this filterbe- cause there is no shorthand for DNS, but DNS is normally carried on UDP port 53. Figure 3: Setting up the capture options

Step 2: Inspect the Trace To explore the details of DNS packets, select a DNS query expand its Domain Name System block (by us-ing the “+” expander or icon). Your display should be similar to the one shown in our figure, with a series of packets with protocol DNS.. We have selected the first DNS message. Figure 3: Trace of DNStraffic showing the details of the DNS header Look for the following details: ?The DNS block follows the IP and UDP blocks. This is because DNS messages are carried in UDP segments within IP packets. You will see that the UDP port used by a nameserver is 53. ?The DNS header starts with a Transaction ID that is used to link a request and the corresponding reply – they both carry the same Transaction ID. ?Next come a set of flags that you can expand. They indicate whether the DNS message is a query or response, amongst other details. ?Then comethe number of query, answer, authority and additional records. These fields conclude the header.

相关文档