
Week 5: Application Layer – HTTP Protocol – Revision


Objectives
1. Repeat the analysis of HTTP request and response headers.
2. Use HTTPWiresharkTrace.pcapng for the experiment.

Student Lab Work (1 point)


1. Using Google Chrome, start a “new incognito window”.

2. Start a Wireshark capture session that displays only the HTTP protocol.

3. Enter the URL http://{webserver_ip} in the browser address box.

4. After the browser has displayed the web page, stop the Wireshark packet capture and then
answer the following:

Note: Ignore the captured HTTP request/reply packets related to the favicon.

• Using Analyze → Follow → HTTP Stream in Wireshark, find out the length of the
following with proof: (1 point)

a. HTTP request header (0.5 point)

➢ The request header length is 433

b. HTTP response header only (0.5 point)

➢ For the response header, the header size is simply found by clicking on
the response packet and selecting HTTP in the packet detail. The size
is provided at the bottom. (We don’t use Analyze in this situation
because it doesn’t provide the header size; rather, it gives the full
packet size).

Week 5: Application Layer – DNS Protocol
Objectives
1. Understand the role of the DNS service.
2. Use the nslookup command to interact with the DNS server.
3. Understand the role of DNS resource records and local DNS cache.
4. Analyze DNS protocol.

Hardware and Software Requirements


1. A personal computer with Windows 10 operating system.
2. Ethernet switch.
3. Ethernet Network cables – UTP.
4. DNS Server with a DNS table as shown in the appendix.
5. Wireshark Network Analyzer.
6. Disable IPv6 protocol stack.

Network Parameters
Below are the network parameters that should be configured in your computer:

IP Address: 172.16.71.x (where x is the computer number)


Subnet Mask: 255.255.0.0
Default Gateway: {keep blank}
Preferred DNS: {keep blank}
Alternate DNS: {keep blank}

Notes for Lab Handout


1. In every step of the lab experiment, include the procedure or command used, the output
result, proof about the output, as well as the interpretation and conclusion.
2. The proof can be a screen shot of the output recorded using a snipping tool, if applicable.
3. Include notes about the lab experiment in your lab work before submission.

Student Notes (2 points)
Take useful and meaningful notes while the instructor is explaining the lab, as well as important
points acquired during your lab work, and write them down. Each note is worth 0.3 point.

1. HTTP header size can be found in Analyze -> Follow -> HTTP Stream, and in the packet details by
selecting HTTP, which will provide the size at the bottom.

2. TTL represents the expiry duration of the cached DNS file.

3. Preferred and alternate DNS IP addresses can be changed in Control Panel.

4. Nslookup can be used to create an interface to request DNS queries and see results.

5. ls -d [dns server name] is used to obtain all resource records.

6. ls -t a [dns server name] is used to obtain records with type A.

7. ipconfig /displaydns is useful to observe cached DNS files and see their TTL.

8. ipconfig /flushdns removes all cached DNS files.

9. In Wireshark, we can use packets with DNS protocol to observe useful information such as the
protocol used within the DNS, reply code, TTL, etc.

10. Reply code with 0000 indicates that there is no error.

Student Lab Work (10 points)
1. Ping the IP address of your classmate’s computer and then report the following:

• Show the proof of the output with explanation. (0.5 point)

➢ The average trip time is 1ms with 0 loss of packets.

2. After clearing both the Preferred and Alternate DNS IP addresses, as shown above in the
Network Parameters section, ping the FQDN of the computer of your classmate (See the
appendix for the list of FQDNs). (Check Network Parameter Section above before
continuing)

• Show the command used. (0.25 point)

➢ nslookup
➢ host2.nwlab.edu

• Show the proof of the output. (0.25 point)

• Explain the obtained output. (0.5 point)

➢ The DNS IP address is not initialized.

3. Configure your computer to act as a DNS client of the DNS server of the domain name
nwlab.edu (See Network Diagram for the IPv4 address of the nwlab.edu DNS server).

• Show the proof of your configuration. (0.25 point)

4. Using nslookup in interactive mode, resolve the FQDN of your classmate’s computer into its
IPv4 address.

• Show the command used. (0.25 point)

➢ nslookup
➢ host2.nwlab.edu

• Show the proof of the output. (0.25 point)

• Explain the obtained output. (0.5 point)

➢ The DNS server obtained the requested domain name and converted it to an IP address.

5. Using the nslookup in interactive mode to query the nwlab.edu DNS server table, list the
following:

➢ All resource records.

• Show the command used. (0.25 point)

➢ nslookup
➢ ls -d nwlab.edu

• Show the obtained output. (0.25 point)

➢ All resource records with type A.

• Show the command used. (0.25 point)

➢ ls -t a nwlab.edu

• Show the obtained output. (0.25 point)

• Explain the A resource record. (0.25 point)

➢ The A resource record represents the IPv4.

➢ All resource records with type NS.

• Show the command used. (0.25 point)

➢ ls -t ns nwlab.edu

• Show the obtained output. (0.25 point)

• Explain the NS resource record. (0.25 point)

➢ The NS resource record represents the name of the server.

6. In this part, it is required to display the local DNS cache of your computer. First clear your
local machine DNS cache and then resolve the FQDN of your classmate’s computer into its
IPv4 address:

➢ Display the local DNS cache content.

• Show the command used. (0.25 point)

➢ ipconfig /displaydns

• Show the output obtained that includes the queried FQDN. (0.25 point)

• Explain the obtained output. (0.5 point)

➢ The output contains information such as TTL, which determines how long the DNS cached
file is stored, and the IP addresses of both the DNS and the FQDN address.

➢ Repeat re-displaying the local DNS cache and observe the change in the TTL value
related to the queried FQDN entry.

• What happens to the value of TTL? (0.25 point)

➢ It gets reduced every second.

• What happens when the TTL value reaches the value 0? (0.5 point)

➢ The cache will be flushed.

➢ What will happen in case you want to communicate with a computer whose entry details
(FQDN and IPv4 address) were flushed from your computer’s local DNS cache?

• Give an explanation with proof. (0.5 point)

➢ The server will generate a new cache which will have a specific TTL to determine the
length of the cache file.

7. Using Wireshark, capture DNS query and DNS response messages between your computer
and the nwlab.edu DNS server while resolving the FQDN of any computer in the lab into its
IPv4 address under nslookup in interactive mode (make sure you clear your local DNS
cache).
Find out the following:

• DNS Answer TTL value in seconds. (0.2 point)

➢ 64 seconds

• DNS Answer Reply code. (0.2 point)

➢ 0000 No error

• Transport layer protocol used by DNS protocol. (0.2 point)

➢ UDP protocol

• Show the proof of the above. (0.4 point)

8. Using the same nwlab.edu DNS server as before, design and implement an experiment to
generate a DNS response following a DNS query to:

a. A non-existing FQDN under domain name nwlab.edu.

i. Show the command(s) used. (0.2 point)

➢ nslookup
➢ host30.nwlab.edu

ii. Proof of output. (0.2 point)

iii. Interpret the output based on the reply code. (0.6 point)

➢ It provides the domain name without the IP address since it doesn’t exist under the
domain.

b. A non-existing FQDN under a non-existent domain name.

i. Show the command(s) used. (0.2 point)

➢ nslookup
➢ google.pc.com

ii. Proof of output. (0.2 point)

iii. Interpret the output based on the reply code. (0.6 point)

➢ It cannot find the domain nor the IP address since they don’t exist.
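
Steps 7 and 8 read the answer TTL and the reply code from DNS responses in Wireshark. The following added example (not part of the lab handout or the student's work) decodes the same fields from the raw bytes of a DNS response carried over UDP. Both sample replies are constructed: the address 172.16.71.2 for host2.nwlab.edu and the reply code 3 for host30.nwlab.edu are assumptions for illustration.

```python
import struct

# Reply-code names as Wireshark labels them (subset).
RCODES = {0: "No error", 1: "Format error", 2: "Server failure", 3: "No such name"}

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, after, hops = [], None, 0
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:               # 2-byte compression pointer
            after = off + 2 if after is None else after
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                         # malformed packet: pointer loop
                raise ValueError("compression loop")
            continue
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels), (off + 1 if after is None else after)

def parse_response(msg):
    """Return reply code, question name and A answers as (name, ttl, ip)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                  # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:             # type A: 4-byte IPv4 address
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    rcode = flags & 0x000F                        # low 4 bits of the flags word
    return {"rcode": rcode, "text": RCODES.get(rcode, "other"),
            "question": qname, "answers": answers}

def qname_bytes(fqdn):
    """Encode an FQDN as length-prefixed labels (used to build the samples)."""
    return b"".join(bytes([len(p)]) + p.encode() for p in fqdn.split(".")) + b"\0"

# Constructed sample replies (not captured from the lab): one answered query
# with TTL 64 and an assumed address, and one reply carrying reply code 3.
OK_REPLY = (struct.pack("!6H", 0x1234, 0x8580, 1, 1, 0, 0)
            + qname_bytes("host2.nwlab.edu") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 64, 4) + bytes([172, 16, 71, 2]))
NX_REPLY = (struct.pack("!6H", 0x1235, 0x8583, 1, 0, 0, 0)
            + qname_bytes("host30.nwlab.edu") + struct.pack("!HH", 1, 1))
```

Calling `parse_response(OK_REPLY)` and `parse_response(NX_REPLY)` returns the fields that Wireshark shows under the DNS layer of each packet.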
