




DHCP & DNS ANALYSIS

Using Wireshark for DHCP capture and DNS capture

09212821 09B04

The configuration of Wireshark

The Wireshark interface in Linux is as above. The captures were done in the lab, in a café, and in the dorm. The connection in the café is wireless. In the lab the laptop is allocated a public IP address, and in the dorm, where the connection is wired, the laptop is allocated a private IP address, while the router's IP is .

With a wired connection, the interface selected is eth0; with a wireless connection, the interface selected is eth2.

When capturing DHCP packets, the capture configuration is as follows:

When capturing DNS messages, the configuration is as follows:

The procedure of capture

Click on the third button to start capture. While capturing, click the third button to stop.

DHCP analysis

After input and in cmd, release the link and rebuild the link using the DHCP protocol.

The five messages that Wireshark captured are release, discover, offer, request and ACK. It can be inferred from the picture above that the source port number is 68 and the destination port number is 67. The destination is a DHCP server as well as a router. The server's IP address is (which is a private IP address used by a router) and the host's IP address is 00 (which is also a private IP address).

1. Discover message

The client broadcasts messages on the physical subnet to discover available DHCP servers. Network administrators can configure a local router to forward DHCP packets to a DHCP server from a different subnet.
This client implementation creates a User Datagram Protocol (UDP) packet with the broadcast destination of 55 or the specific subnet broadcast address.

| # | field | value | meaning |
|---|-------|-------|---------|
| 1 | Message type | 01 | From host to server |
| 2 | Transaction ID | an integer | For the client to match the response |
| 3 | Client IP address | | Only filled if the client is BOUND, RENEW, or REBIND, so it is all 0. |
| 4 | Your IP address | | The client is waiting to be assigned an IP address, so this is all 0. |
| 5 | Next server IP address | | The server's IP address is unknown. |
| 6 | t=53 | DHCP type = DHCP discovery | |
| 7 | t=55 | Parameter request list | |

Compare with the example in the lecture:

captureexample11601160f8fdea2e120Flags0Flags0000000000:1d:09: a2: 56:9fAA:EC:F9:23:44:19

Except for the MAC address and the transaction ID, all fields are the same.

2. Offer message

When a DHCP server receives an IP lease request from a client, it reserves an IP address for the client and extends an IP lease offer by sending a DHCPOFFER message to the client. This message contains the client's MAC address, the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer.

The server determines the configuration based on the client's hardware address as specified in the CHADDR (Client Hardware Address) field. Here the server, , specifies the IP address in the YIADDR (Your IP Address) field.

| # | field | value | meaning |
|---|-------|-------|---------|
| 1 | Message type | 02 | From server to host |
| 2 | Transaction ID | an integer | For the client to match the response |
| 3 | Client IP address | | Only filled if the client is BOUND, RENEW, or REBIND, so it is all 0. |
| 4 | Your IP address | 00 | The client is offered an IP address |
| 5 | Next server IP address | | The server's IP address is in option 54 |
| 6 | t=53 | DHCP type = DHCP offer | |
| 7 | t=54 | Server's identifier is | |

Compare with the example in the lecture:

captureexample21602160f8fdea2e120Flags0Flags00005080000:1d:09: a2: 56:9fAA:EC:F9:23:44:19535415312

Except for the MAC address, the next server IP address and the transaction ID, all fields are the same.
The next server IP address in the capture is all zero because the server IP is carried in option 54.

3. Request message

In response to the offer, the client sends a request to the server. The client replies with a DHCP request, unicast to the server, requesting the offered address. A client can receive DHCP offers from multiple servers, but it will accept only one DHCP offer. Based on the Transaction ID field in the request, servers are informed whose offer the client has accepted. When other DHCP servers receive this message, they withdraw any offers that they might have made to the client and return the offered address to the pool of available addresses. In some cases the DHCP request message is broadcast, instead of being unicast to a particular DHCP server, because the DHCP client has still not received an IP address. Also, this way one message can let all other DHCP servers know that another server will be supplying the IP address without missing any of the servers with a series of unicast messages.

| # | field | value | meaning |
|---|-------|-------|---------|
| 1 | Message type | 01 | From host to server |
| 2 | Transaction ID | an integer | For the client to match the response |
| 3 | Client IP address | | Only filled if the client is BOUND, RENEW, or REBIND, so it is all 0. |
| 4 | Your IP address | | The client is still waiting for an IP address, so it is all 0 |
| 5 | Next server IP address | | The server's IP address is in option 54 |
| 6 | t=53 | DHCP type = DHCP request | |
| 7 | t=54 | Server's identifier is | |
| 8 | t=50 | Requested IP address is 00 | |
| 9 | t=55 | Parameter request list | |

Compare with the example in the lecture:

captureexample11601160f8fdea2e120Flags0Flags00000000000:1d:09: a2: 56:9fAA:EC:F9:23:44:19

Except for the MAC address and the transaction ID, all fields are the same.

4. ACK message

When the DHCP server receives the DHCPREQUEST message from the client, the configuration process enters its final phase. The acknowledgement phase involves sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client might have requested.
At this point, the IP configuration process is completed.

| # | field | value | meaning |
|---|-------|-------|---------|
| 1 | Message type | 02 | From server to host |
| 2 | Transaction ID | an integer | For the client to match the response |
| 3 | Client IP address | | Only filled if the client is BOUND, RENEW, or REBIND, so it is all 0. |
| 4 | Your IP address | 00 | The client is allocated the address |
| 5 | Next server IP address | | The server's IP address is in option 54 |
| 6 | t=53 | DHCP type = DHCP request | |
| 7 | t=54 | Server's identifier is | |
| 8 | t=1 | Subnet mask | |
| 9 | t=3 | Router is | |
| 10 | t=6 | Domain name server | The server's IP address is in option 54 |

Compare with the example in the lecture:

captureexample21602160f8fdea2e120Flags0Flags00005080000:1d:09: a2: 56:9fAA:EC:F9:23:44:1954531365315

Compare

| field | 1 | 2 | 3 | 4 |
|-------|---|---|---|---|
| Message type | 01 | 02 | 01 | 02 |
| Transaction ID | f8fdea2e | f8fdea2e | f8fdea2e | f8fdea2e |
| Client IP address | | | | |
| Your IP address | | 00 | | 00 |
| Next server IP address | | | | |

DHCP sequence

DNS capture

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.

A Domain Name Service translates queries for domain names (which are meaningful to humans) into IP addresses for the purpose of locating computer services and devices worldwide.

Input in the browser. There are 2 DNS messages: the host asks for and the server sends back the address of the server.

1. Query

| # | field | value | meaning |
|---|-------|-------|---------|
| 1 | Frame address | | |
| 2 | Destination IP address | 51 | The IP address for the China Unicom DNS |
| 3 | Port number | DNS port: 53, src port: 48376 | The DNS port is 53 and the port of the host is a random number. |
| 4 | DNS ID | 4a 36 | Correlates queries with responses. |
| 5 | Flags | 01 00 | This is a message that the host sends to the server, so it is a query. |
| 6 | Question section | 1 | The number of available questions is 1 (the question is at the end of the message) |
| 7 | Answer section | 0 | These three are in the answer section. This is a query message, so the three are all 0. |
| 8 | Authority section | | |
| 9 | Additional | type a class in | |

| | capture | example |
|---|---------|---------|
| Header | Opcode=squery | Opcode=squery |
| Question | QNAME=, QCLASS=IN, QTYPE=A | QNAME=SRI-ARPA, QCLASS=IN, QTYPE=A |
| Answer section | | |
| Authority section | | |
| Additional section | | |

2. Answer

| # | field | value | meaning |
|---|-------|-------|---------|
| 1 | Frame address | | |
| 2 | Destination IP address | 12 | The private IP in the local network that the router allocated it to |
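The DHCP field tables above can be checked programmatically. The following is an added example, not part of the original report: it parses the fixed header and the options of each message in a discover/offer/request/ACK exchange and checks that all four share one transaction ID and that the requested address is the offered one. The function names are hypothetical, the transaction ID and MAC address are the ones shown in the capture, and the 192.0.2.x addresses are constructed placeholders because the report's IP addresses did not survive.

```python
import socket
import struct
MAGIC_COOKIE = bytes.fromhex("63825363")            # precedes the options area
MSG_TYPES = {1: "discover", 2: "offer", 3: "request", 5: "ack", 7: "release"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP message (UDP payload): fixed header, then tag/length/value options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    ip = lambda off: socket.inet_ntoa(payload[off:off + 4])
    msg = {"op": op, "xid": f"{xid:08x}", "ciaddr": ip(12), "yiaddr": ip(16),
           "siaddr": ip(20), "chaddr": payload[28:28 + min(hlen, 16)].hex(":"),
           "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        tag, length = payload[i], payload[i + 1]
        msg["options"][tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    kind = msg["options"].get(53)                   # option 53 = DHCP message type
    msg["type"] = MSG_TYPES.get(kind[0], "unknown") if kind else "unknown"
    return msg

def build_sample(op, msg_type, yiaddr="0.0.0.0", extra=b""):
    """Constructed message: xid and MAC from the capture, placeholder addresses."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0xF8FDEA2E, 0, 0)
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr) + bytes(8)
    hdr += bytes.fromhex("001d09a2569f").ljust(16, b"\0") + bytes(192)
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type]) + extra + b"\xff"

SERVER = bytes([54, 4]) + socket.inet_aton("192.0.2.1")   # option 54, placeholder
EXCHANGE = [
    build_sample(1, 1, extra=bytes([55, 3, 1, 3, 6])),
    build_sample(2, 2, "192.0.2.100", SERVER),
    build_sample(1, 3, extra=SERVER + bytes([50, 4]) + socket.inet_aton("192.0.2.100")),
    build_sample(2, 5, "192.0.2.100", SERVER),
]

def check_exchange(payloads):
    """Return message types in order, and whether xid and offered/requested address agree."""
    msgs = [parse_dhcp(p) for p in payloads]
    offered = {m["yiaddr"] for m in msgs if m["type"] in ("offer", "ack")}
    requested = {socket.inet_ntoa(m["options"][50]) for m in msgs if 50 in m["options"]}
    return [m["type"] for m in msgs], len({m["xid"] for m in msgs}) == 1 and offered == requested
```
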
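The DNS query fields listed above (ID, flags, section counts, question) can be decoded the same way. This added example is not part of the original report: it parses the header and question of a message and checks that a response carries the query's ID and question, which is how the ID field correlates the two. The ID 4a36 and flags 0100 come from the capture; the function names are hypothetical, and the name example.com, the response and its 192.0.2.10 answer are constructed, since the queried name is missing from the report.

```python
import struct

def parse_dns_question(msg: bytes) -> dict:
    """Parse the 12-byte DNS header and the first question of a message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if qd < 1:
        raise ValueError("no question section")
    labels, i = [], 12
    while True:                                   # QNAME: length-prefixed labels
        if i >= len(msg):
            raise ValueError("truncated QNAME")
        n = msg[i]
        if n == 0:                                # zero-length root label ends the name
            break
        if n & 0xC0 or i + 1 + n > len(msg):      # no compression expected here
            raise ValueError("bad label in question")
        labels.append(msg[i + 1:i + 1 + n].decode("ascii", "replace").lower())
        i += 1 + n
    if i + 5 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[i + 1:i + 5])
    return {"id": f"{ident:04x}", "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "rd": bool(flags & 0x0100),
            "counts": (qd, an, ns, ar), "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass}

def answers_query(query: bytes, response: bytes) -> bool:
    """True if the response has QR set and repeats the query's ID and question."""
    q, r = parse_dns_question(query), parse_dns_question(response)
    same_question = (q["qname"], q["qtype"], q["qclass"]) == (r["qname"], r["qtype"], r["qclass"])
    return r["is_response"] and not q["is_response"] and q["id"] == r["id"] and same_question

# Constructed messages: ID and query flags as in the capture, placeholder name and address.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)      # type A, class IN
QUERY = struct.pack("!6H", 0x4A36, 0x0100, 1, 0, 0, 0) + QUESTION
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
RESPONSE = struct.pack("!6H", 0x4A36, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER
```
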