@henvic
Last active August 29, 2015 14:15
Wireshark labs
$ nslookup sony.jp
Server:		192.168.0.1
Address:	192.168.0.1#53

Non-authoritative answer:
Name:	sony.jp
Address: 72.246.56.107
Name:	sony.jp
Address: 72.246.56.128
$ nslookup -type=NS cam.ac.uk
Server:		192.168.0.1
Address:	192.168.0.1#53

Non-authoritative answer:
cam.ac.uk	nameserver = authdns0.csx.cam.ac.uk.
cam.ac.uk	nameserver = ns2.ic.ac.uk.
cam.ac.uk	nameserver = dns0.cl.cam.ac.uk.
cam.ac.uk	nameserver = authdns1.csx.cam.ac.uk.
cam.ac.uk	nameserver = dns0.eng.cam.ac.uk.
cam.ac.uk	nameserver = dns1.cl.cam.ac.uk.

Authoritative answers can be found from:
ns2.ic.ac.uk	internet address = 155.198.142.82
$ nslookup yahoo.com ns2.ic.ac.uk
Server:		ns2.ic.ac.uk
Address:	155.198.142.82#53

** server can't find yahoo.com.domain.name: REFUSED

The server refused the query, maybe because it is configured to resolve names only for its external network (uncommon).

  1. UDP

  2. both 53

  3. 8.8.8.8, 4.2.2.2

  4. A-type

  5. 3 IP addresses that resolve the name.

  6. Yes, to one of the entries.

  7. No. It's cached.

  8. 8.8.8.8

  9. A-type

  10. 3 IP addresses that resolve the name.

  11. 128.238.29.22

  12. NS

  13. 18.72.0.3

  14. A

  15. type, class, name, TTL (time to live)
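As an added illustration of the resource-record fields named in answers 12 to 15 (name, type, class, TTL and rdata), here is a small parser for the answer section of a DNS response; it is written for this page, not taken from the lab, and the message it parses is constructed to match the sony.jp lookup above (two A records; the 300-second TTL and the transaction id are made up).

```python
import socket
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer into an earlier name
            end = end or off + 2   # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_answers(msg):
    """Return the answer-section RRs as dicts: name, type, class, ttl, rdata."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question: name + QTYPE + QCLASS
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:      # A: 4-byte IPv4 address
            rdata = socket.inet_ntoa(rdata)
        elif rtype == 2:    # NS: a (possibly compressed) name
            rdata, _ = read_name(msg, off)
        off += rdlen
        answers.append({"name": name, "type": {1: "A", 2: "NS"}.get(rtype, rtype),
                        "class": rclass, "ttl": ttl, "rdata": rdata})
    return answers

def build_sample():
    """Constructed response matching the nslookup above: two A records for sony.jp."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)  # QR=1, RD, RA; 1 question, 2 answers
    question = b"\x04sony\x02jp\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rrs = b""
    for ip in ("72.246.56.107", "72.246.56.128"):
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + rrs
```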

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 78:31:c1:ce:00:4c
	inet6 fe80::7a31:c1ff:fece:4c%en0 prefixlen 64 scopeid 0x4
	inet 192.168.0.198 netmask 0xffffff00 broadcast 192.168.0.255
	nd6 options=1<PERFORMNUD>
	media: autoselect
	status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
	ether 0a:31:c1:ce:00:4c
	media: autoselect
	status: inactive
awdl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1452
	ether b2:93:13:77:a8:4b
	inet6 fe80::b093:13ff:fe77:a84b%awdl0 prefixlen 64 scopeid 0x6
	nd6 options=1<PERFORMNUD>
	media: autoselect
	status: active
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=60<TSO4,TSO6>
	ether 72:00:03:07:ba:50
	media: autoselect <full-duplex>
	status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=60<TSO4,TSO6>
	ether 72:00:03:07:ba:51
	media: autoselect <full-duplex>
	status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=63<RXCSUM,TXCSUM,TSO4,TSO6>
	ether 7a:31:c1:ec:4c:00
	Configuration:
		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
		ipfilter disabled flags 0x2
	member: en1 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 7 priority 0 path cost 0
	member: en2 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 8 priority 0 path cost 0
	nd6 options=1<PERFORMNUD>
	media: <unknown type>
	status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet6 fe80::8dcc:588e:7613:9d9f%utun0 prefixlen 64 scopeid 0xa
	inet6 fdfa:5ab7:76d3:7804:8dcc:588e:7613:9d9f prefixlen 64
	nd6 options=1<PERFORMNUD>

Wireshark DNS

  1. Browser: HTTP/1.1 Server: HTTP/1.1 Accept: none

  2. en-US, en, pt

  3. gaia.cs.umass.edu has address 128.119.245.12. Local IP 192.168.0.198, behind NAT; public IP 187.78.60.205.

  4. Status code: 200 (OK)

  5. Last-Modified: Fri, 20 Feb 2015 05:28:01 GMT

  6. Content-Length: 128

  7. None.

  8. No. Not even in cache.

  9. Yes. Status code = 200 and the response has a body.

  10. Yes. Date of last request.

  11. 304 Not Modified. No response body sent because client MUST use cached data.

  12. 1

  13. 5

  14. 200 OK

  15. No. Transparent.

  16. 4 to: 128.119.245.12, 165.192.140.14, 128.119.240.90, and 128.119.240.90.

  17. Parallel; they started at about the same time.

  18. 401 Authorization Required

  19. WWW-Authenticate: Basic realm="wireshark-students only"

Request:

/var/folders/9j/qvv7_n8d6qb76n0mz3_6m4sc0000gq/T//wireshark_pcapng_en0_20150220022721_uXg5lp 2226 total packets, 99 shown
   2171 95.080180      192.168.0.198         128.119.245.12        HTTP     GET /wireshark-labs/HTTP-wireshark-file1.html HTTP/1.1
Frame 2171: 558 bytes on wire (4464 bits), 558 bytes captured (4464 bits) on interface 0
Ethernet II, Src: Apple_ce:00:4c (78:31:c1:ce:00:4c), Dst: D-Link_38:dd:f3 (00:1e:58:38:dd:f3)
Internet Protocol Version 4, Src: 192.168.0.198 (192.168.0.198), Dst: 128.119.245.12 (128.119.245.12)
Transmission Control Protocol, Src Port: 61354 (61354), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 492
Hypertext Transfer Protocol
    GET /wireshark-labs/HTTP-wireshark-file1.html HTTP/1.1\r\n
    Host: gaia.cs.umass.edu\r\n
    Connection: keep-alive\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36\r\n
    Accept-Encoding: gzip, deflate, sdch\r\n
    Accept-Language: en-US,en;q=0.8,pt;q=0.6\r\n
    If-None-Match: "8734d-80-4d50f340"\r\n
    If-Modified-Since: Fri, 20 Feb 2015 05:27:01 GMT\r\n
    \r\n
    [Full request URI: http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-file1.html]
    [HTTP request 1/1]
    [Response in frame: 2173]

Response:

/var/folders/9j/qvv7_n8d6qb76n0mz3_6m4sc0000gq/T//wireshark_pcapng_en0_20150220022721_uXg5lp 2226 total packets, 99 shown
   2173 95.248742      128.119.245.12        192.168.0.198         HTTP     HTTP/1.1 200 OK (text/html)
Frame 2173: 494 bytes on wire (3952 bits), 494 bytes captured (3952 bits) on interface 0
Ethernet II, Src: D-Link_38:dd:f3 (00:1e:58:38:dd:f3), Dst: Apple_ce:00:4c (78:31:c1:ce:00:4c)
Internet Protocol Version 4, Src: 128.119.245.12 (128.119.245.12), Dst: 192.168.0.198 (192.168.0.198)
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 61354 (61354), Seq: 1, Ack: 493, Len: 428
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Date: Fri, 20 Feb 2015 05:28:57 GMT\r\n
    Server: Apache/2.2.3 (CentOS)\r\n
    Last-Modified: Fri, 20 Feb 2015 05:28:01 GMT\r\n
    ETag: "8734d-80-50e47a40"\r\n
    Accept-Ranges: bytes\r\n
    Content-Length: 128\r\n
    Keep-Alive: timeout=10, max=100\r\n
    Connection: Keep-Alive\r\n
    Content-Type: text/html; charset=UTF-8\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.168562000 seconds]
    [Request in frame: 2171]
Line-based text data: text/html
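The following added example (not from the lab or the original page) applies the conditional-GET rule behind answers 9 to 11 to the validators captured above: the request's If-None-Match no longer matches the server's ETag and the file was modified after the If-Modified-Since date, so the server answers with a full 200 instead of a 304. The `parse_headers` and `conditional_get_status` helpers are my own; weak validators (W/ prefix) are not treated specially.

```python
from email.utils import parsedate_to_datetime

def parse_headers(raw):
    """Split a header block (as printed in the Wireshark dump) into a dict keyed by lowercased name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def conditional_get_status(request, current_etag, current_last_modified):
    """RFC 7232 precedence: If-None-Match is checked first; If-Modified-Since only if no ETag was sent."""
    inm = request.get("if-none-match")
    if inm is not None:
        tags = [t.strip() for t in inm.split(",")]
        return 304 if "*" in tags or current_etag in tags else 200
    ims = request.get("if-modified-since")
    if ims is not None:
        # Not modified since the client's date: 304 with no body, client keeps its cached copy
        if parsedate_to_datetime(current_last_modified) <= parsedate_to_datetime(ims):
            return 304
    return 200

# Validators copied from the captured request (frame 2171) and response (frame 2173) above
REQUEST = parse_headers("""\
Host: gaia.cs.umass.edu
If-None-Match: "8734d-80-4d50f340"
If-Modified-Since: Fri, 20 Feb 2015 05:27:01 GMT
""")
SERVER_ETAG = '"8734d-80-50e47a40"'
SERVER_LAST_MODIFIED = "Fri, 20 Feb 2015 05:28:01 GMT"
```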

Wireshark HTTP

Protocols

  1. TCP, HTTP, HTTPS, SSL, QUIC
  2. 6.76s
$ host gaia.cs.umass.edu
gaia.cs.umass.edu has address 128.119.245.12
Local IP 192.168.0.198
Behind NAT. Public IP 187.78.60.205
$ curl 'http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-file1.html' -H 'Pragma: no-cache' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: en-US,en;q=0.8,pt;q=0.6' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' --compressed --verbose
* Hostname was NOT found in DNS cache
*   Trying 128.119.245.12...
* Connected to gaia.cs.umass.edu (128.119.245.12) port 80 (#0)
> GET /wireshark-labs/INTRO-wireshark-file1.html HTTP/1.1
> Host: gaia.cs.umass.edu
> Pragma: no-cache
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: en-US,en;q=0.8,pt;q=0.6
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Cache-Control: no-cache
> Connection: keep-alive
>
< HTTP/1.1 200 OK
< Date: Fri, 20 Feb 2015 05:24:04 GMT
* Server Apache/2.2.3 (CentOS) is not blacklisted
< Server: Apache/2.2.3 (CentOS)
< Last-Modified: Fri, 20 Feb 2015 05:24:02 GMT
< ETag: "8734b-51-42a5a080"
< Accept-Ranges: bytes
< Content-Length: 81
< Keep-Alive: timeout=10, max=100
< Connection: Keep-Alive
< Content-Type: text/html; charset=UTF-8
<
<html>
Congratulations!  You've downloaded the first Wireshark lab file!
</html>
* Connection #0 to host gaia.cs.umass.edu left intact

Wireshark Intro

  1. 192.168.1.32:60333
  2. 128.119.245.12:80
  3. 128.119.245.12:5180
  4. 0
  5. 1
  6. Seg. 4, seq. 1.
  8. The first segments were 1460 bytes long, while the last segment was 565 bytes.
  9. The minimum receive window advertised by gaia.cs.umass.edu is 5840 bytes. The receive window keeps growing until it reaches 62780 bytes. Following this pattern, the sending host is never throttled by the receive window.
  10. There are no retransmitted segments; we can check this by looking at the sequence numbers of the TCP segments.
  11. The difference between the acknowledged sequence numbers of two consecutive ACKs indicates the amount of data received between those two ACKs.
  12. The TCP throughput calculation depends heavily on the choice of time period. As in the usual throughput calculation, for this question we take the whole connection time as the period. The average throughput for this TCP connection is therefore the ratio of the total amount of data to the total transmission time. The total amount of data transmitted can be calculated as the difference between the sequence number of the first TCP segment (i.e. 1 byte for segment No. 4) and the acknowledged sequence number of the last ACK (164091 bytes for segment No. 202). Therefore the total data is 164091 - 1 = 164090 bytes. Thus the throughput for this TCP connection is calculated as 164090 / 5.4294 = 30.222 KB/s.
  • Session 4:
  13. We can see that the amount of data increases quickly at the start of this TCP flow; however, it never exceeds 8192 bytes. Therefore we can be sure that the TCP window size is larger than 8192 bytes. However, we cannot determine the end of the slow-start phase and the beginning of the congestion-avoidance phase for this trace. The main reason is that this TCP sender is not sending data aggressively enough to push it into the congestion state.
  14. In practice, TCP's behaviour depends heavily on the application. In this example, when the TCP sender is able to send data, there is no data available for transmission. In a web application, some web objects are very small. The transmission is over before the end of the slow-start phase; therefore the transmission of these small web objects suffers unnecessary delay because of TCP's slow-start phase.
  1. 4 fields: source / destination ports, length, checksum.
  2. 2 bytes
  3. header: 20 bytes, total length: 63 - 20
  4. 2^16 - 1
  5. 65535
  6. 0x11: 17
  7. 16-bit one's complement
  8. The sender's source port becomes the receiver's destination port, and vice versa.
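As an added example, not part of the original lab answers, the UDP header layout and checksum from answers 1 to 8 in code: four 2-byte fields, protocol number 17, and a 16-bit one's complement computed over the IPv4 pseudo-header plus the datagram. The sample datagram uses the capture's host addresses with a constructed port pair and payload.

```python
import socket
import struct

UDP_PROTO = 17  # IPv4 protocol number 0x11, as answered in question 6

def ones_complement_sum(data):
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip, dst_ip, udp):
    """One's complement of the sum over pseudo-header + UDP header + data."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, len(udp))
    cs = ~ones_complement_sum(pseudo + udp) & 0xFFFF
    return cs or 0xFFFF  # RFC 768: a computed 0 is transmitted as all ones

def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Assemble the 8-byte header (4 fields of 2 bytes) and fill in the checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum 0 while summing
    cs = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, cs) + payload

def verify_udp(src_ip, dst_ip, datagram):
    """Valid when the sum over pseudo-header and datagram (checksum included) is all ones."""
    _sport, _dport, length, cs = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return False
    if cs == 0:  # an IPv4 sender may leave the checksum unused
        return True
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, length)
    return ones_complement_sum(pseudo + datagram) == 0xFFFF

def checksum_field(datagram):
    """Read the transmitted checksum (bytes 6-7) of a datagram."""
    return struct.unpack("!H", datagram[6:8])[0]

# Constructed sample using the lab host and gaia.cs.umass.edu addresses from the capture
SRC = socket.inet_aton("192.168.0.198")
DST = socket.inet_aton("128.119.245.12")
SAMPLE = build_udp(SRC, DST, 60333, 80, b"OK")
```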

Wireshark UDP
