
Filtering DNS Packet Capture with Wireshark (3538)

Scenario

In this lab, you will learn how to filter DNS packets using Wireshark. This includes filtering by Fully Qualified Domain Name (FQDN), filtering by partial names, and exporting the filtered packets for further analysis.

Estimated Completion Time

15 to 20 minutes

Requirements

  • Wireshark installed on your machine

Task 1: Filtering DNS Packets

Download the packet capture file 3538-capture.pcap to your computer and open it in Wireshark. Apply a filter to show only DNS packets.

Task 2: Filter by FQDN

Refine the DNS filter to show only packets related to a specific Fully Qualified Domain Name (FQDN).

Task 3: Filter by Partial Name

Modify the filter to display DNS packets that contain a partial name match.

Task 4: Export Filtered Packets

Export the filtered packets to a new file for further analysis.


Solutions

Task 1 Solution: Filtering DNS Packets

To open Wireshark on the Jump-desktop VM and filter only DNS packets, follow these steps:

  1. Download the 3538-capture.pcap file and save it to a location on your computer.

  2. Launch Wireshark on your machine.

    • Windows: Click on the Start menu, scroll down to Wireshark in the list of installed programs, and click on it to launch the application. Alternatively, you can search for "Wireshark" in the Start menu search bar and select it from the results.

    • macOS: Open Finder, go to the Applications folder, and double-click on Wireshark.

    • Linux: Depending on your distribution, you can find Wireshark in the applications menu or open a terminal and type wireshark followed by Enter.

  3. In Wireshark, click File → Open and navigate to the location where you saved the 3538-capture.pcap file.

  4. Select 3538-capture.pcap and click Open.

  5. In the filter bar at the top, type dns and press ENTER.

This filter will display only DNS packets.

Task 2 Solution: Filter by FQDN

To filter DNS packets by a specific Fully Qualified Domain Name (FQDN), follow these steps:

  1. Ensure you have the DNS filter applied.

  2. In the filter bar, modify the filter to dns.qry.name == "www.infoblox.com" and press ENTER.

This filter will display only DNS packets whose query name exactly matches the specified Fully Qualified Domain Name.

Task 3 Solution: Filter by Partial Name

To filter DNS packets by a partial name match, follow these steps:

  1. Ensure you have the DNS filter applied.

  2. In the filter bar, modify the filter to dns.qry.name contains "infoblox" and press ENTER.

This filter will display DNS packets whose query name contains the string infoblox. You may notice more matches than in Task 2, because this filter lists any DNS packet whose query name contains the partial name "infoblox" rather than only the exact FQDN.

Task 4 Solution: Export Filtered Packets

To export the filtered packets to a new file, follow these steps:

  1. Ensure you have applied the desired filter.

  2. Click File → Export Specified Packets.

  3. In the dialog box, ensure that Displayed is selected under Packet Range.

  4. Choose a location and filename for the new file, and click Save. This will export the currently displayed (filtered) packets to a new file.

  5. Open the new file in Wireshark to verify that it only contains the filtered packets:

    • In Wireshark, click File → Open and navigate to the location of the saved file.

    • Select the new file and click Open.

Verify that the packets in the new file match the filtered packets from the original capture.
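As an added worked example (not part of the lab or of Wireshark itself), the following Python reproduces Tasks 1 to 4 outside the GUI on a constructed capture: it builds a few Ethernet/IPv4/UDP frames, extracts the dns.qry.name field, applies the three display filters as predicates, and writes the displayed packets to a new pcap the way Export Specified Packets does. The packet contents and file names are constructed, and the DNS parser assumes uncompressed question names.

```python
import struct, tempfile

def udp_packet(dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (zero MACs, no checksums) so the example runs offline."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 53])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip                # EtherType 0x0800 = IPv4
def dns_query(qname, txid):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))   # length-prefixed labels
    return udp_packet(53, struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01")

def write_pcap(path, packets):
    """Classic pcap (link type 1 = Ethernet), the format Export Specified Packets writes."""
    records = b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p for i, p in enumerate(packets))
    with open(path, "wb") as f:                           # 24-byte global header, then the records
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + records)
def read_pcap(path):
    data, off, pkts = open(path, "rb").read(), 24, []
    while off < len(data):                                # 16-byte record header, then caplen bytes
        caplen = struct.unpack_from("<IIII", data, off)[2]
        pkts.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return pkts

def dns_qry_name(pkt):
    """Equivalent of Wireshark's dns.qry.name: first question name of a UDP/53 packet, else None."""
    udp = pkt[14 + (pkt[14] & 0x0F) * 4:] if pkt[12:14] == b"\x08\x00" and pkt[23] == 17 else b""
    if len(udp) < 8 or 53 not in struct.unpack("!HH", udp[:4]):   # not IPv4/UDP, or no port 53
        return None
    dns, labels, off = udp[8:], [], 12
    while dns[off]:                                       # uncompressed labels until the 0 byte
        labels.append(dns[off + 1:off + 1 + dns[off]].decode())
        off += 1 + dns[off]
    return ".".join(labels)

FILTERS = {                                               # the display filters from Tasks 1-3
    "dns": lambda n: n is not None,
    'dns.qry.name == "www.infoblox.com"': lambda n: n == "www.infoblox.com",
    'dns.qry.name contains "infoblox"': lambda n: n is not None and "infoblox" in n,
}

def run_lab(workdir=None):   # build the capture, count matches per filter, export the contains view
    workdir = workdir or tempfile.mkdtemp()
    src, out = workdir + "/3538-constructed.pcap", workdir + "/filtered.pcap"
    write_pcap(src, [dns_query("www.infoblox.com", 1), dns_query("blogs.infoblox.com", 2),
                     dns_query("example.com", 3), udp_packet(123, b"\x1b" + b"\x00" * 47)])
    pkts = read_pcap(src)
    counts = {name: sum(pred(dns_qry_name(p)) for p in pkts) for name, pred in FILTERS.items()}
    write_pcap(out, [p for p in pkts if FILTERS['dns.qry.name contains "infoblox"'](dns_qry_name(p))])
    return counts, len(read_pcap(out))
```

Running run_lab() returns 3 packets for dns, 1 for the exact FQDN, 2 for the partial name, and the exported file holds the 2 displayed packets, which is the same difference between Task 2 and Task 3 seen in the GUI.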
