The system is running Windows 8.1 Pro, and it can send and receive ICMP packets.
The analysis tool is Wireshark 1.10.8 (stable release).
ICMP packets are sent with the system's ping command. Open cmd.exe and type:
ping www.oschina.net
The domain name will be automatically resolved, and 4 ICMP packets will be sent by default.
Launch Wireshark, select a valid network card, and start capturing packets.
Stop the capture once the ping has finished in the console.
All captured packets are as follows:

In summary, there are two DNS packets (one domain name resolution) and 8 ICMP packets (four pings).
Let’s start analyzing the DNS working process:
Open the first packet:

It can be observed that DNS is an application-layer protocol, with the transport layer being UDP, the network layer being IP, and then Ethernet frames at the data link layer.
The focus should be on the application layer’s implementation, which is the DNS protocol itself.
Before that, some necessary information can be obtained from the lower layers:
In the UDP (User Datagram Protocol) header: the destination port (Dst Port) is 53, the port DNS listens on.
In the IPv4 (Internet Protocol Version 4) packet, the destination IP is 192.168.1.1 (local area network router).
Since IP packets are routed at the network layer, they are handed to routers hop by hop rather than sent directly to the DNS server. This is easy to understand: the first packet is a request, so it cannot already carry the DNS server's address.
Expand the DNS data:

The first is the Transaction ID, which is a 2-byte identifier used to match DNS response packets with the corresponding request packet.
The second is the Flags field, 2 bytes, in which each bit (or group of bits) has its own meaning. Refer to the picture above or the one below:

QR: Query/Response, 1 bit; 1 is a response, 0 is a query
Opcode: Type of query or response, 4 bits; 0 means standard query, 1 means inverse query, 2 means server status request
AA: Authoritative Answer, valid only in response packets; discussed later
TC: Truncated; 1 indicates the message exceeded 512 bytes and was truncated, 0 means no truncation occurred
RD: Recursion Desired; set by the client when it wants the server to resolve the name recursively
RA: Recursion Available; in response packets, 1 indicates the server answered the query recursively
Zero: Reserved field, 3 bits, all zeros
rcode: Return code, 4 bits, meaningful in response packets; the values are:
0 – No error
1 – Format error
2 – Server failure
3 – Name error (non-existent domain)
4 – Not implemented (query type not supported)
5 – Refused
6 ~ 15 – Reserved
Immediately following the flags are four 2-byte counters:
Questions (number of questions), usually 1
Answer RRs (number of answer resource records), Authority RRs (number of authority resource records) and Additional RRs (number of additional resource records), all usually 0 in a query
The Queries field is the main portion of the query or response and is divided into Name, Type and Class:
Name (Query name): here it is the domain name given to ping, encoded as a variable-length sequence of labels terminated by a 0 byte
Type (Query type): 2 bytes; here it is the host A record. The meanings of the different values are as follows:
Value  Mnemonic  Description
1      A         IPv4 address.
2      NS        Name server.
5      CNAME     Canonical name. Alias for the official hostname.
6      SOA       Start of Authority. Marks the start of a zone.
11     WKS       Well-known service. Network service offered by the host.
12     PTR       Pointer. Maps an IP address to a domain name.
13     HINFO     Host information. Describes the hardware and OS used by the host.
15     MX        Mail exchange. Routes email to a mail server.
28     AAAA      IPv6 address.
252    AXFR      Request to transfer the entire zone.
255    ANY       Request for all records.
Class (Query class): 2 bytes; IN stands for Internet data and has the value 1, which is what is almost always seen
The following is the captured second DNS packet:

Compared to the first (request) packet, the response packet adds an Answers field, and the bits in the Flags field now carry response values.
Just below the Flags, Answer RRs is 4, so the Answers field will contain four resolution results.
The Answers field can be seen as a list in which each item is a resource record; besides the Name, Type and Class already described, each record also carries Time to Live, Data length and Addr.
Time to Live (TTL): the lifetime of the resource record, i.e. the time from receiving the record until it is removed from the cache, measured in seconds. Here it is 0x00 00 00 fd, which is 253 s.
Data length (length of the resource data): measured in bytes; here 4 means the IP address is 4 bytes long, i.e. the length of the Addr field below.
Addr (Resource data): the returned IP address, which is the result we want.
There are four resource records, four different IP addresses, indicating that the domain www.oschina.net corresponds to four IP addresses, which are:
112.124.5.74
219.136.249.194
61.145.122.155
121.9.213.124
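The header, flag bits, question and answer layout described above (and the rcode table earlier) can be checked by encoding and decoding the wire format directly. The following is an added example, not code from the original post: it builds the same kind of A query that ping triggers, constructs a response carrying the four addresses and the 253 s TTL the post reports, and parses both. The transaction ID 0x1A2B, the response bytes and the helper names are assumptions made here; the field layout is the standard DNS wire format (RFC 1035), and the final check shows the defender-side rule a resolver applies before trusting a reply: the transaction ID and the echoed question must match the request.

```python
import socket
import struct

# Type and rcode names as listed in the post (subset of RFC 1035 values)
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA", 255: "ANY"}
RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "Name error", 4: "Not implemented", 5: "Refused"}


def encode_name(name):
    """Encode 'www.oschina.net' as length-prefixed labels terminated by a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    """12-byte header + one question. Flags 0x0100 = only RD set, counts 1/0/0/0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN = 1


def decode_flags(flags):
    """Split the 16-bit Flags field into the bits the post lists."""
    return {"QR": (flags >> 15) & 1, "Opcode": (flags >> 11) & 0xF, "AA": (flags >> 10) & 1,
            "TC": (flags >> 9) & 1, "RD": (flags >> 8) & 1, "RA": (flags >> 7) & 1,
            "Z": (flags >> 4) & 0x7, "rcode": flags & 0xF}


def read_name(msg, offset):
    """Read a name that may use a compression pointer; return (name, offset after the field)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_message(msg):
    """Parse header, questions and answer records (authority/additional sections are not needed here)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:          # A record: Data length 4, Addr is an IPv4 address
            rdata = socket.inet_ntoa(rdata)
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "data": rdata})
    return {"txid": txid, "flags": decode_flags(flags), "questions": questions, "answers": answers}


def build_response(query, addrs, ttl):
    """Constructed reply: same ID, flags 0x8180 (QR, RD, RA), the question echoed, one A record per address."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    body = query[12:]                                   # echoed question starts at offset 12
    for a in addrs:                                     # 0xC00C = pointer to the name at offset 12
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
    return header + body


def matches_query(query, response):
    """A reply is only accepted if its Transaction ID and question section echo the request."""
    q, r = parse_message(query), parse_message(response)
    return q["txid"] == r["txid"] and r["flags"]["QR"] == 1 and q["questions"] == r["questions"]


# Constructed sample: ID 0x1A2B is assumed; addresses and TTL are the values the post reports.
QUERY = build_query(0x1A2B, "www.oschina.net")
RESPONSE = build_response(QUERY, ["112.124.5.74", "219.136.249.194", "61.145.122.155", "121.9.213.124"], 253)

if __name__ == "__main__":
    parsed = parse_message(RESPONSE)
    print("flags:", parsed["flags"], "rcode:", RCODE_NAMES[parsed["flags"]["rcode"]])
    for rr in parsed["answers"]:
        print(rr)
    print("matches request:", matches_query(QUERY, RESPONSE))
```

Running the block prints the decoded flag bits, the four A records with TTL 253, and a True from the matching check; replacing the ID in the query with any other value makes the check fail, which is exactly why the 16-bit Transaction ID (together with the randomised source port) matters for telling a legitimate reply from a spoofed one.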
The first IP address is the one displayed in CMD. I tried accessing each of the above addresses directly on port 80 (HTTP):
the first and second show 403 Forbidden;
the third and fourth show 404 Not Found.
Each address has a different server: oscali, oscdb, liubc, ep2. The first looks like an Alibaba Cloud server, the second seems like a database server, and the others are unknown…