DNS and ARP Analysis in Wireshark

Sena Akbulut
5 min read · Sep 7, 2020

Today I will tell you how to analyze DNS and ARP in Wireshark.

Let’s look at DNS first.

What is DNS?

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the internet or a private network.

To generate DNS traffic for analysis in Wireshark, the nslookup command is used.

What is nslookup?

nslookup is a network administration command-line tool available in many operating systems for querying the Domain Name System (DNS) to obtain a domain name to IP address mapping, or other DNS records.

Now that we have learned the meanings of these terms, let’s examine the analysis steps in Wireshark.

  • To analyze it, I first ran the nslookup command for wireshark.org in the terminal and viewed the site’s IP address and non-authoritative replies with the nslookup command.

nslookup wireshark.org

  • Then when I ran the Wireshark traffic capture application and applied the DNS filter, the traffic I made in the terminal was displayed as follows.

When I looked at the first query, a small screen with information about the query appeared. The first feature here is below the link layer, the second and third are below the network layer, the fourth is below the transport layer, and the last feature is below the application layer.

  • When I came to response and when I opened the section that says domain name system, I saw sub-features named transaction id, flags and answers.

The Answer RRs count in the response section matches the number of answers we see in the terminal, so 3. The details of each answer can be examined in the lower part. The Answer RRs count is 0 in the query because there is no answer yet.

  • When we open the flags section, we see that it says 0 in query and 1 in response. This first flag bit indicates whether it is a query or a response.

It also displays the hexadecimal equivalents of the destination and source addresses. The first group of bytes represents the destination and the second group represents the source.

Now let’s look at ARP.

What is ARP?

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link-layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address.

To generate ARP traffic for analysis in Wireshark, the ping command is used.

What is ping?

Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network.

Now that we have learned the meanings of these terms, let’s examine the analysis steps in Wireshark.

  • Since it is necessary to ping the IP address to do ARP analysis, this is done by typing ping and the IP address in the terminal. I sent 8 packets here.

ping …IP address…

  • Then I opened Wireshark and first viewed the request and reply with the arp filter. In the request section, you can see that the target MAC address is not displayed. This is because the target MAC address will come in the reply.

The Hardware size field is the length of the Ethernet (MAC) address, so 6 bytes. The Protocol size field is the length of the IP address, so 4 bytes.

  • When I came to the reply, you can see that the target MAC address has been obtained.
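To make the fields inspected above concrete, here is an added example (not code from the original post) that decodes the same DNS header fields (transaction ID, QR flag bit, Answer RRs) and ARP fields (hardware size, protocol size, sender and target addresses) from constructed byte strings, and shows why the target MAC is empty in an ARP request but filled in the reply. All addresses and IDs are constructed sample values.

```python
import struct

# Constructed sample headers, not bytes captured from the post's session.
# DNS header (RFC 1035): ID, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
DNS_QUERY_HDR = struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0)
DNS_RESPONSE_HDR = struct.pack("!6H", 0x1A2B, 0x8180, 1, 3, 0, 0)


def parse_dns_header(data):
    """Decode the fields Wireshark shows under 'Domain Name System'."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    return {
        "transaction_id": ident,
        "is_response": bool(flags >> 15),  # QR bit: 0 = query, 1 = response
        "rcode": flags & 0xF,              # 0 = no error
        "questions": qd,
        "answer_rrs": an,                  # 0 in the query, 3 in the reply
    }


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet/IPv4 ARP body: HTYPE=1, PTYPE=0x0800, HLEN=6, PLEN=4."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                       sender_mac, sender_ip, target_mac, target_ip)


def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)


def parse_arp(data):
    """Decode an ARP body into the fields named in the post."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", data[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {
        "opcode": {1: "request", 2: "reply"}.get(op, f"unknown({op})"),
        "hardware_size": hlen, "protocol_size": plen,
        "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
        # In a request the target MAC is still unknown (all zeros).
        "target_mac_known": tha != b"\x00" * 6,
    }


# Constructed exchange: host A asks who has 192.168.1.1, host B answers.
MAC_A, MAC_B = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
IP_A, IP_B = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
ARP_REQUEST = build_arp(1, MAC_A, IP_A, b"\x00" * 6, IP_B)
ARP_REPLY = build_arp(2, MAC_B, IP_B, MAC_A, IP_A)
```

In a capture, the sender IP of the reply equals the target IP of the request, which is how the two halves of the pair can be matched.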

Now let’s view the pings I made.

  • Here we see the request and reply pairs for each ping I sent. Unlike before, there is a protocol called ICMP here, so what is ICMP?

What is ICMP?

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address.

So it displays the requests and replies here.

  • The sum of the time difference between the ICMP request and reply and the time difference between the ARP request and reply gives approximately the ping time. This time is also displayed in the terminal, but because processing delay is added, there may be a small difference.

Here again, we can examine the hexadecimal equivalents of the destination and source addresses and the properties I explained before.

  • And here I explained the ARP and ICMP requests and responses with a diagram.

See you until my next post.
