Preface
A packet example from the Sharkfest Packet Challenge. Sharkfest is an annual conference organized by Wireshark, dedicated to sharing knowledge, experience, and best practices among Wireshark developers and user communities. I remember that it was held once a year in the early days, but in recent years it has been held twice a year, once in the United States and once in another region, such as Europe or Asia. The Packet Challenge is one of the more interesting activities at the conference: through a series of packet trace files, participants take on analysis challenges and test their overall analysis skills.
Topic Information
This case is the first question, PAY ME NOW, in the Sharkfest 2015 Packet Challenge, and the packet trace file is dnsing.pcapng.
The main description is as follows:
- What IP address(es) are resolved for www.paypal.com?
- What is the largest DNS TTL value seen in the trace file?
- Which DNS response transaction ID contained the largest number of Answer RRs?
- What is the largest DNS response time seen in this trace file?
- What company distributes many of PayPal’s web pages?
Packet information
The basic information of the packet trace file is as follows:
λ capinfos dnsing.pcapng
File name: dnsing.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 141
File size: 20 kB
Data size: 15 kB
Capture duration: 272.440501 seconds
First packet time: 2015-06-12 02:59:06.996843
Last packet time: 2015-06-12 03:03:39.437344
Data byte rate: 56 bytes/s
Data bit rate: 449 bits/s
Average packet size: 108.52 bytes
Average packet rate: 0 packets/s
SHA256: 76da7e5f9b7b8bb1b12e1896b1f410a6726d8b18f726e496cd5e5a3ca637eb53
RIPEMD160: 3abd681195e97b8ead28eab62d49707392400a56
SHA1: 0cc7839258fc08dcc50ff30ba3a23b46a2fd2fee
Strict time order: True
Capture oper-sys: 64-bit Windows 8, build 9200
Capture application: Dumpcap 1.10.5 (SVN Rev 54262 from /trunk-1.10)
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{F2C7F0C8-39E6-4933-8DAF-3ACFD62516E7}
Encapsulation = Ethernet (1 - ether)
Capture length = 65535
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 8, build 9200
Number of stat entries = 1
Number of packets = 141
λ
Captured directly via Wireshark on a Windows 8 system, without truncation. The number of captured packets was 141, the capture duration was 272.4 seconds, and the average bit rate was 449 bps.
Packet Analysis
Expand the packet trace file information, as shown below. You can see that they are basically DNS protocol packets; alternatively, the display filter expression below picks out the 125 DNS packets directly.
dns
1. What IP address(es) are resolved for www.paypal.com?
You need to find out the IP address(es) that www.paypal.com resolves to.
Analysis steps
Because a DNS response packet usually contains both a Queries section and an Answers section, that is, the queried domain name and the IP address information answered for that domain name, you can filter with the following display filter expression.
(dns.qry.name == "www.paypal.com") && dns.a
The Info column of the filtered frames is shown below:
Of course, Tshark can also complete the above work:
λ tshark -r dnsing.pcapng -Y '(dns.qry.name == "www.paypal.com") and dns.a' -T fields -e frame.number -e dns.qry.name -e dns.a
9 www.paypal.com 23.13.82.234
12 www.paypal.com 23.196.228.157
42 www.paypal.com 23.196.228.157
90 www.paypal.com 23.196.228.157
113 www.paypal.com 23.13.82.234
125 www.paypal.com 23.196.228.157
Analyze the answer
The IPs that www.paypal.com resolves to are: 23.13.82.234 and 23.196.228.157.
2. What is the largest DNS TTL value seen in the trace file?
Find the maximum DNS TTL value in the packet trace file.
Analysis steps
The DNS TTL value is also found in the Answers section of the DNS response packet. Because of CNAME chains, there are multiple TTL values in the same frame. Use the following display filter expression to pick out all packets that carry a DNS TTL value:
dns.resp.ttl
Of course, Wireshark only filters out the packets that contain this field; how do you determine the maximum value? That is more intuitive with Tshark.
λ tshark -r dnsing.pcapng -Y "dns.a" -T fields -e frame.number -e dns.resp.ttl
3 176,7196,16
6 737,119,119,119
9 15,16,276,16,533,18
12 58,1,124,1,58,1
15 3025,77,107,2
24 35,35,35,35,35,35,35,35,35,35
27 3106,208,18
34 396,396
35 3002,49,82,13
36 255,317,15
39 3596
42 51,24,117,24,51,14
45 60
48 567,7187,1
55 7182,42,42,42,42
56 268,1
57 233,233,233,233,233
60 171,171,171,171,171,171,171,171,171,171
63 1092,7180,1
66 6576,2726
69 92,175,175,175,175
73 608,56,56,56,56
76 311,1998,5
79 270,270,270,270,270,270
81 425,48
87 2243,23,17
90 1,2,61,2,1,1
95 6404,1786,158,100
98 291,291,291,291,291,291,291,291,291,291,291
100 897,4,26,1
103 219,55,55
106 865,865,865,865,865,865,865,865,865,865
109 1045,172,7
113 1,1,26,1,77,4
116 2186,27,21
123 2844,202,254,9
124 957,84,3
125 203,1,267,1,502,5
λ
Split the comma-separated values, sort them, and deduplicate them:
λ tshark -r dnsing.pcapng -Y "dns.a" -T fields -e dns.resp.ttl | awk 'BEGIN{ RS=","; } { print $0 }' | sort -rn | uniq
7196
7187
7182
7180
6576
6404
3596
3106
3025
3002
2844
2726
2243
2186
1998
1786
1092
1045
957
...
λ
Analyze the answer
Maximum DNS TTL value in packet trace files: 7196.
3. Which DNS response transaction ID contained the largest number of Answer RRs?
Find the DNS response transaction ID that contains the largest number of Answer RRs.
Analysis steps
Both the DNS response Transaction ID and Answer RRs field values can be found in the packet details. You can add two columns, Transaction ID and Answer RRs, to the Packet List view; the corresponding fields are:
dns.id
dns.count.answers
Then sort by the Answer RRs column, largest to smallest.
The above work can also be done using Tshark:
λ tshark -r dnsing.pcapng -Y "dns.a" -T fields -e dns.id -e dns.count.answers | sort -rn -k2
0x9ab9 11
0xc24b 10
0x9265 10
0x2208 10
0xc8c8 6
0xaf9f 6
0x8579 6
0x7964 6
0x5644 6
0x4fa0 6
0x0f39 6
0x86eb 5
0x5d50 5
0x50d6 5
0x2ba5 5
0xc9f2 4
0x869a 4
0x6d3f 4
0x67b9 4
0x3bec 4
0x2f0e 4
0xd655 3
0xbfa7 3
0xbe32 3
0xb7e4 3
0xafcf 3
0x9fbb 3
0x93bb 3
0x80ba 3
0x7224 3
0x26ca 3
0x03f8 3
0xa64a 2
0x833e 2
0x3a1e 2
0x16a5 2
0x9837 1
0x673d 1
λ
Analyze the answer
The DNS response transaction ID containing the largest number of Answer RRs is 0x9ab9.
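Both Tshark pipelines above (for the largest TTL and for the most Answer RRs) split Tshark's comma-separated multi-value fields and sort them. The following Python script is an added example, not code from the original post: it does the same post-processing in one place and also reports which frame the largest TTL came from. Its sample rows are copied from the command output shown on this page; the tshark invocations in the comments are suggested ones. One caveat worth noting: both commands above filter on dns.a, which only matches packets carrying an A record, so a response with only CNAME, AAAA or other record types would be skipped. Filtering on dns.resp.ttl (for TTLs) or dns.flags.response == 1 (for answer counts) covers every response.

```python
# Added example (not from the original post): post-process "tshark -T fields"
# output for the largest-TTL and most-Answer-RRs questions.
# tshark -T fields prints one packet per line, fields separated by tabs; a
# field that occurs several times in one packet (one RR per value) is
# printed as comma-separated values.
#
# Rows below are copied from the command output shown on the page; the
# invocations in the comments are suggested ones, not taken from the page:
#   tshark -r dnsing.pcapng -Y dns.resp.ttl -T fields -e frame.number -e dns.resp.ttl
TTL_OUTPUT = """\
3\t176,7196,16
6\t737,119,119,119
9\t15,16,276,16,533,18
39\t3596
48\t567,7187,1
55\t7182,42,42,42,42
63\t1092,7180,1
"""

#   tshark -r dnsing.pcapng -Y "dns.flags.response == 1" -T fields -e dns.id -e dns.count.answers
ANSWER_OUTPUT = """\
0x9ab9\t11
0xc24b\t10
0x9265\t10
0x2208\t10
0xc8c8\t6
0x9837\t1
"""


def parse_fields(text):
    """Parse tshark -T fields output into rows; every field becomes a list of its values.

    An empty field (the packet lacks that field) becomes an empty list, so
    callers never confuse "absent" with "zero".
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rows.append([field.split(",") if field else [] for field in line.split("\t")])
    return rows


def max_ttl(text):
    """Return (largest TTL, frame number) from frame.number / dns.resp.ttl rows."""
    best = None
    for frame, ttls in parse_fields(text):
        for ttl in ttls:
            value = int(ttl)
            if best is None or value > best[0]:
                best = (value, int(frame[0]))
    return best


def distinct_ttls_desc(text):
    """Equivalent of the awk | sort -rn | uniq pipeline: unique TTLs, largest first."""
    return sorted({int(t) for _, ttls in parse_fields(text) for t in ttls}, reverse=True)


def most_answers(text):
    """Return (transaction id, answer count) of the response with the most Answer RRs.

    Ties keep the first row seen, matching the order tshark emitted them.
    """
    best_id, best_count = None, -1
    for tid, count in parse_fields(text):
        n = int(count[0]) if count else 0
        if n > best_count:
            best_id, best_count = tid[0], n
    return best_id, best_count


if __name__ == "__main__":
    print("largest TTL, frame:", max_ttl(TTL_OUTPUT))
    print("distinct TTLs:", distinct_ttls_desc(TTL_OUTPUT)[:5])
    print("most answers:", most_answers(ANSWER_OUTPUT))
```

Feed it the real output by running the tshark command and piping the result into the file, or replace the sample strings with `sys.stdin.read()`; the parser keeps absent fields distinct from zero values, which matters once the filter is widened beyond dns.a.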
4. What is the largest DNS response time seen in this trace file?
Find the maximum DNS response time in the packet trace file.
Analysis steps
DNS response time is the interval between a query and its response, and is generally used as a DNS performance indicator. The field dns.time does not actually exist in the packet; Wireshark derives it from context and displays it in [ ]. You can add a DNS Time column to the Packet List view with the following field:
dns.time
The DNS query packets in this trace file are retransmitted, so the maximum response time above is the time difference measured from the first request packet.
Analyze the answer
Maximum DNS response time in the packet trace file: 3.044056000 seconds.
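To make the retransmission caveat concrete, the following Python script is an added example, not code from the original post. It pairs responses with queries over tshark field output and measures each response time from the first query seen for that transaction ID, the way the dns.time value above is described. Matching here is by transaction ID only (Wireshark also checks the question and the UDP conversation); the tshark invocation in the comment is an assumed one, and the rows are constructed for the example, not values from dnsing.pcapng. It also lists queries that never got a response and responses that arrived without a preceding query, two things worth checking in any DNS trace review.

```python
# Added example (not from the original post): compute DNS response times the
# way the dns.time caveat above describes, measuring from the FIRST query
# when a query is retransmitted. Expected input is the output of (assumed
# invocation):
#   tshark -r dnsing.pcapng -T fields -e frame.number -e frame.time_relative \
#          -e dns.id -e dns.flags.response
# Matching here is by transaction ID only; Wireshark also checks the
# question and the UDP conversation. The rows below are constructed for
# this example and are not values from dnsing.pcapng.
SAMPLE = """\
1\t0.000000\t0x1a2b\t0
2\t0.012345\t0x1a2b\t1
3\t1.000000\t0x3c4d\t0
4\t2.000000\t0x3c4d\t0
5\t2.044056\t0x3c4d\t1
6\t3.000000\t0x5e6f\t0
7\t3.500000\t0x7a8b\t1
"""


def dns_timing(text):
    """Pair responses with queries by transaction ID.

    Returns a dict with:
      times: {tid: (seconds since the first query, number of retransmissions)}
      unanswered: transaction IDs whose query never got a response
      unmatched_responses: frame numbers of responses with no preceding query
    """
    pending = {}        # tid -> timestamp of the first query seen
    retrans = {}        # tid -> count of repeated queries
    times, unmatched = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, stamp, tid, is_response = line.split("\t")
        stamp = float(stamp)
        if is_response == "0":
            if tid in pending:
                # Retransmission: keep the first timestamp so the measured
                # delay covers the whole wait, as the dns.time caveat describes.
                retrans[tid] = retrans.get(tid, 0) + 1
            else:
                pending[tid] = stamp
        elif tid in pending:
            # Pop the entry so a later reuse of the same ID starts a fresh measurement.
            times[tid] = (round(stamp - pending.pop(tid), 6), retrans.pop(tid, 0))
        else:
            unmatched.append(int(frame))
    return {"times": times, "unanswered": sorted(pending), "unmatched_responses": unmatched}


def slowest_response(text):
    """Return (transaction id, response time) of the slowest answered query."""
    times = dns_timing(text)["times"]
    tid = max(times, key=lambda k: times[k][0])
    return tid, times[tid][0]


if __name__ == "__main__":
    report = dns_timing(SAMPLE)
    for tid, (delay, n) in report["times"].items():
        print(f"{tid}: {delay:.6f}s after first query ({n} retransmission(s))")
    print("unanswered:", report["unanswered"])
    print("responses without a query:", report["unmatched_responses"])
    print("slowest:", slowest_response(SAMPLE))
```

In the constructed sample, transaction 0x3c4d is queried twice; measuring from the first query gives 1.044056 s, while measuring from the retransmission would report only 0.044056 s. Reading frame.time_relative keeps the arithmetic in seconds since the start of the capture, which is also how the capinfos duration above is expressed.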
5. What company distributes many of PayPal’s web pages?
Which company distributes many of the PayPal web pages?
Analysis steps
From the DNS responses, it can be seen that there are many CNAME resolutions, using CDN-related technologies. Simply filter out the response packets whose query name contains paypal with the display filter expression below, and then process the dns.resp.name field values, mainly as follows:
(dns.qry.name contains "paypal") && (dns.flags.response == 1)
λ tshark -r dnsing.pcapng -Y '(dns.qry.name contains "paypal" ) && (dns.flags.response == 1)' -T fields -e dns.resp.name | awk 'BEGIN{ RS=","; } { print $0 }' | sort | uniq
b.stats.paypal.com
c.paypal.com
c.paypal.com.edgekey.net
e4517.g.akamaiedge.net
e6166.a.akamaiedge.net
paypal.112.2o7.net
paypal.d1.sc.omtrdc.net
paypalmanager.paypal.com
ppdirect.paypal.com.akadns.net
slc.stats.paypal.com
t.paypal.com
t.paypal.com.edgekey.net
wlb.paypal.com.akadns.net
www.paypal.com
www.paypal.com.akadns.net
www.paypal.com.edgekey.net
www.paypalobjects.com
www.paypalobjects.com.akadns.net
www.paypalobjects.com.edgekey.net
λ
I haven’t done much research on foreign CDNs. Combining the results shown above, I searched on Baidu and found that the CDN used should be Akamai’s CDN.
I don’t have a deep understanding of this problem, and I’m not sure whether it needs further processing or there is a better way.
Analyze the answer
Which company distributes many of the PayPal Web pages: Akamai.