Wireshark: DNS and DHCP
Overview:
In the first Wireshark lab you got acquainted with Wireshark; this time you will look at some DNS and DHCP traffic.
Summary of tasks:
1. Start Wireshark
2. Capture some DNS and DHCP data
3. Submit your results and reflection.
What You Will Need
The physical machine you used for Labs 1 and 2.
Running Wireshark
When you run the Wireshark program, you'll get a startup screen, as shown below:
Starting Wireshark
1. Wireshark should already be installed. If it isn't, see labs 1 and 2 for instructions to install it.
2. Click the Start button. In the Search box, type WIRE
3. At the top of the menu, a Wireshark item appears. Right-click Wireshark and click "Run as Administrator". If a User Account Control box appears, allow the program to run.
4. From the Wireshark menu bar, click Capture, Interfaces. If your computer has several network cards, you may see several items here. Just look to see which one shows an increasing number of packets. In the example shown below on this page, it's the NVIDIA interface. On the line showing the increasing number of packets, click Options.
5. In the "Wireshark: Capture Options" box, type this into the "Capture Filter" box, as shown below:
o port 67 or port 68
6. Click Start. This filter will show only DHCP traffic: packets used to obtain an IP address automatically.
Renewing your IP Address
1. In the Command Prompt window, type the following command, and then press the Enter key:
o IPCONFIG /RELEASE
2. In the Command Prompt window, type the following command, and then press the Enter key:
o IPCONFIG /RENEW
Examining the Wireshark Capture of the DHCP Process
1. From the Wireshark menu bar, click Capture, Stop.
2. From the Wireshark menu bar, click View, "Colorize Packet List", so it is unchecked. That makes it easier to read the display.
3. If DHCP is working correctly on your system, you should see the whole process, as shown below on this page. Examine the output and look for these items in the Info column:
o DHCP Release - sent from your machine's original IP address to the IP address of the DHCP Server. This packet informs the server that your machine no longer wants that address and is freeing it up for some other machine to use.
o DHCP Discover - sent from your machine, with a Source IP address of 0.0.0.0, to the Broadcast address of 255.255.255.255. This is a packet requesting an IP address. It has a Source IP of 0.0.0.0 because your computer doesn't have an IP address at this point, and the Destination is 255.255.255.255 because your machine does not know where the DHCP server is. This packet is a call to every machine that is nearby, asking for any available DHCP server to send a response.
o DHCP Offer - sent from the DHCP server to the Broadcast address of 255.255.255.255. This is the server offering an IP address, but it cannot be targeted at your computer specifically because your computer still has no IP address.
o DHCP Request, DHCP ACK - these packets complete the DHCP process: your computer accepts the IP address.
4. If DHCP is not working on your network, you will just see a series of DHCP Discover packets. That's OK for this project; just keep going.
Examining a UDP Packet
1. In the top pane of the Wireshark window, click a DHCP Discover packet.
2. In the center pane of the Wireshark window, click the + symbol next to User Datagram Protocol to show the UDP header fields, as shown below on this page. If necessary, resize the center pane of the Wireshark window to make it taller.
3. Find these items in the User Datagram Protocol section:
o Source Port - UDP port 68 on your computer
o Destination Port - UDP port 67 on the DHCP server
o Length - size of the packet (may vary)
o Checksum - used to check for errors. It may be flagged as incorrect; don't worry about that, it's a limitation of Wireshark. Some outgoing packets are captured by Wireshark before the NIC adds the checksum, so they appear incorrect even though they will actually be transmitted on the network correctly (see link Ch 4a).
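To make the DHCP message types and the four UDP header fields above concrete, here is an added Python example (not part of the lab): it builds a constructed DHCP Discover datagram from 0.0.0.0 to 255.255.255.255, reads the UDP header fields and the message type from DHCP option 53, and verifies the UDP checksum, so you can see why a checksum field that the NIC has not yet filled in shows up as wrong. The client MAC address and transaction id are made up.

```python
import struct

# Option 53 values, as Wireshark labels them in the Info column
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 7: "Release"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_IP = bytes(4)                   # 0.0.0.0: the client has no address yet
BROADCAST_IP = b"\xff" * 4           # 255.255.255.255: server location unknown

def udp_checksum(src_ip, dst_ip, udp):
    """RFC 768 checksum over the IPv4 pseudo-header and the datagram (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    data = pseudo + udp[:6] + b"\x00\x00" + udp[8:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF  # an all-zero result is transmitted as 0xFFFF

def parse_dhcp_datagram(src_ip, dst_ip, udp):
    """Return the UDP header fields the lab asks for, plus the DHCP message type."""
    src_port, dst_port, length, checksum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:]
    # 236-byte BOOTP fixed header, then the magic cookie, then TLV options
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:  # option 255 marks the end
        code, ln = payload[i], payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + ln
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum_ok": checksum == udp_checksum(src_ip, dst_ip, udp),
            "message": DHCP_TYPES.get(msg_type, "unknown")}

def build_discover(checksum_override=None):
    """Constructed DHCP Discover; the MAC 00:11:22:33:44:55 and xid 0x12345678 are made up."""
    bootp = (struct.pack("!BBBBI", 1, 1, 6, 0, 0x12345678) + b"\x00" * 20
             + bytes.fromhex("001122334455") + b"\x00" * 10 + b"\x00" * 192)
    payload = bootp + MAGIC_COOKIE + bytes([53, 1, 1]) + b"\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    # Pass checksum_override to imitate a datagram captured before the NIC's
    # offload engine filled the field in, which is why Wireshark flags it as bad.
    cksum = udp_checksum(ZERO_IP, BROADCAST_IP, udp) if checksum_override is None else checksum_override
    return udp[:6] + struct.pack("!H", cksum) + udp[8:]

if __name__ == "__main__":
    print(parse_dhcp_datagram(ZERO_IP, BROADCAST_IP, build_discover()))
```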
Saving a Screen Image
1. Make sure the four features listed above are visible: Source Port, Destination Port, Length, and Checksum.
2. Click Start, "All Programs", Accessories, Paint. In the untitled - Paint window, select Edit, Paste from the menu bar. The desktop appears in the Paint window.
3. In the untitled - Paint window, click File, Save. Save the document in the My Pictures folder (or any other place you wish, such as a floppy disk) with the filename Your Name Lab3-DHCP. Select a Save as type of JPEG.
Starting a New Packet Capture
1. From the Wireshark menu bar, click Capture, Interfaces. On the line showing the increasing number of packets, click Options.
2. In the "Wireshark: Capture Options" box, type this into the "Capture Filter" box:
o port 53
3. Click Start. This filter will show only DNS traffic: packets used to convert domain names to IP addresses.
Performing a DNS Lookup
1. In the Command Prompt window, type the following command, and then press the Enter key:
o NSLOOKUP GRANTHAM.EDU
2. The domain name is resolved to the IP address 204.52.223.174.
Examining the Wireshark Capture of the DNS Process
1. From the Wireshark menu bar, click Capture, Stop.
2. You should see several packets, including a "Standard query A GRANTHAM.EDU" and a "Standard query response A". Examine the lower pane and see that DNS uses UDP, just like DHCP.
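As an added example (not part of the lab), the following Python builds the query and response you should see for the NSLOOKUP above and turns each into an Info-column-style summary, including the compression pointer that the response uses for the name. The transaction id and TTL are made up.

```python
import struct

def encode_name(name):
    """DNS label encoding: GRANTHAM.EDU -> 08 'GRANTHAM' 03 'EDU' 00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    """Read a (possibly compressed) name; return it and the offset just past it."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def build_query(name, xid=0x1A2B):
    """Constructed 'Standard query A': QR=0, opcode 0, RD=1 (xid is made up)."""
    header = struct.pack("!HHHHHH", xid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def build_response(query, ip, ttl=300):
    """Constructed response echoing the question plus one A record (TTL is made up)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    # 0xC00C is a pointer to the name at offset 12, i.e. the question name
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return header + query[12:] + rr

def summarize(msg):
    """Roughly what Wireshark's Info column shows for a DNS query or response."""
    _xid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4  # skip QTYPE and QCLASS
    rtype = {1: "A"}.get(qtype, str(qtype))
    if not flags & 0x8000:  # QR bit clear: this is the query
        return f"Standard query {rtype} {qname}"
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        atype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if atype == 1:
            addrs.append(".".join(str(b) for b in rdata))
    return f"Standard query response {rtype} {qname} A {' '.join(addrs)}"
```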
Capturing the Screen Image
1. Press
Reflection
1. What
Turning in your Project
1. Include these things with your file:
o A lab write up answering the questions in the reflection section.
o The images you captured above, as an attachment
2. Submit to the dropbox, and save a copy for yourself.