Wireshark/LLMNR

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities show you how to use Wireshark to capture and analyze Link-Local Multicast Name Resolution (LLMNR) traffic. Windows falls back to LLMNR only after DNS fails to resolve a name, and any host on the local link can answer an LLMNR query; that is what makes LLMNR poisoning a common attack on Windows networks, and why it is worth knowing what legitimate LLMNR traffic looks like.

Readings

 * Link-local Multicast Name Resolution

Preparation
To prepare for this activity:
 * 1) Start Windows.
 * 2) Log in if necessary.
 * 3) Install Wireshark.

Activity 1 - Capture LLMNR Traffic
To capture LLMNR traffic:
 * 1) Start a Wireshark capture.
 * 2) Open a command prompt.
 * 3) Type ping <hostname>, where <hostname> is any host name that does not exist on your network.  An unknown host name is used because Windows sends LLMNR queries only after DNS fails to resolve a name; a name that DNS resolves generates no LLMNR traffic.  If no LLMNR traffic appears at all, check that multicast name resolution has not been disabled by the "Turn off multicast name resolution" Group Policy setting (the EnableMulticast value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient set to 0).
 * 4) Close the command prompt.
 * 5) Stop the Wireshark capture.

Activity 2 - Analyze LLMNR IPv6 Traffic
To analyze LLMNR IPv6 traffic:
 * 1) Observe the traffic captured in the top Wireshark packet list pane.  To view only LLMNR traffic, type udp.port == 5355 (lower case) in the Filter box and press Enter.  The protocol filter llmnr selects the same packets.
 * 2) Select the first LLMNR packet labeled Standard query.  Windows normally sends the IPv6 query first; if the Destination column of the first packet shows an IPv4 address, select the next Standard query instead.
 * 3) Observe the packet details in the middle Wireshark packet details pane.  Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
 * 4) Expand Ethernet II to view Ethernet details.
 * 5) Observe the Destination and Source fields.  The destination should be the LLMNR IPv6 multicast MAC address 33:33:00:01:00:03 (the IPv6 multicast prefix 33:33 followed by the low 32 bits of ff02::1:3) and the source should be your MAC address.  You can confirm with ipconfig /all, which shows your MAC address, and netsh interface ipv6 show neighbors, which lists ff02::1:3 as a permanent neighbor entry with that MAC address.
 * 6) Expand Internet Protocol Version 6 to view IPv6 details.
 * 7) Observe the Source address.  Notice that the source address is your link-local IPv6 address.
 * 8) Observe the Destination address.  Notice that the destination address is the LLMNR multicast IPv6 address ff02::1:3.
 * 9) Expand User Datagram Protocol to view UDP details.
 * 10) Observe the Source port.  Notice that it is a dynamic port selected for this LLMNR query.
 * 11) Observe the Destination port.  Notice that it is llmnr (5355).
 * 12) Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
 * 13) Expand Flags to view flags details.
 * 14) Expand Queries to view query details.
 * 15) Observe the query generated.

Activity 3 - Analyze LLMNR IPv4 Traffic
To analyze LLMNR IPv4 traffic:
 * 1) Observe the traffic captured in the top Wireshark packet list pane.  To view only LLMNR traffic, type udp.port == 5355 (lower case) in the Filter box and press Enter.  The protocol filter llmnr selects the same packets.
 * 2) Select the second LLMNR packet labeled Standard query.
 * 3) Observe the packet details in the middle Wireshark packet details pane.  Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
 * 4) Expand Ethernet II to view Ethernet details.
 * 5) Observe the Destination and Source fields.  The destination should be the LLMNR IPv4 multicast MAC address 01:00:5e:00:00:fc (the IPv4 multicast prefix 01:00:5e followed by the low 23 bits of 224.0.0.252) and the source should be your MAC address.  You can confirm with ipconfig /all, which shows your MAC address, and arp -a, which lists 224.0.0.252 as a static entry with that MAC address.
 * 6) Expand Internet Protocol Version 4 to view IPv4 details.
 * 7) Observe the Source address.  Notice that the source address is your IPv4 address.
 * 8) Observe the Destination address.  Notice that the destination address is the LLMNR multicast IPv4 address 224.0.0.252.
 * 9) Expand User Datagram Protocol to view UDP details.
 * 10) Observe the Source port.  Notice that it is a dynamic port selected for this LLMNR query.
 * 11) Observe the Destination port.  Notice that it is llmnr (5355).
 * 12) Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
 * 13) Expand Flags to view flags details.
 * 14) Expand Queries to view query details.
 * 15) Observe the query generated.
 * 16) Close Wireshark to complete this activity.  Quit without Saving to discard the captured traffic.
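The frame structure examined in Activities 2 and 3 (multicast MAC derived from the group address, UDP destination port 5355, DNS-format header with Flags and Queries) expressed in code, as an added example that is not part of the original page. It builds the UDP payload of an LLMNR query for a constructed host name, dissects it into the same fields Wireshark shows under Flags and Queries, and derives 33:33:00:01:00:03 and 01:00:5e:00:00:fc from ff02::1:3 and 224.0.0.252. The function names (build_query, decode_query, multicast_mac, llmnr_destination) and the sample name unknownhost are the example's own; nothing is sent on the network.

```python
"""Build and dissect an LLMNR standard query.

Added example (not from the original page): it reproduces, in code, the
fields examined in the Wireshark packet details pane for the IPv6 and IPv4
LLMNR queries, and derives the multicast MAC addresses seen in the
Ethernet II header from the multicast group addresses.
"""
import ipaddress
import struct

LLMNR_PORT = 5355
LLMNR_GROUPS = {4: "224.0.0.252", 6: "ff02::1:3"}   # RFC 4795 group addresses
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def multicast_mac(address: str) -> str:
    """Map a multicast IP address to its Ethernet multicast MAC.

    IPv4: 01:00:5e followed by the low 23 bits of the group (RFC 1112).
    IPv6: 33:33 followed by the low 32 bits of the group (RFC 2464).
    """
    ip = ipaddress.ip_address(address)
    if not ip.is_multicast:
        raise ValueError(f"{address} is not a multicast address")
    raw = ip.packed
    if ip.version == 4:
        mac = bytes([0x01, 0x00, 0x5E, raw[1] & 0x7F, raw[2], raw[3]])
    else:
        mac = b"\x33\x33" + raw[12:16]
    return ":".join(f"{b:02x}" for b in mac)


def llmnr_destination(version: int) -> dict:
    """Destination MAC, IP and UDP port expected for an LLMNR query."""
    group = LLMNR_GROUPS[version]
    return {"mac": multicast_mac(group), "ip": group, "port": LLMNR_PORT}


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS-style length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """UDP payload of an LLMNR query: DNS-format header plus one question.

    A sender leaves all flag bits clear (QR=0, OPCODE=0, C=0, TC=0, T=0).
    """
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(data: bytes, offset: int):
    """Read one uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointers are not handled here")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def decode_query(payload: bytes) -> dict:
    """Dissect an LLMNR payload into the fields Wireshark shows under Flags and Queries."""
    if len(payload) < 12:
        raise ValueError("LLMNR header is 12 bytes")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    questions = []
    offset = 12
    for _ in range(qd):
        name, offset = decode_name(payload, offset)
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {
        "id": txid,
        "qr": flags >> 15,               # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,   # 0 = standard query
        "conflict": (flags >> 10) & 1,   # C bit
        "truncated": (flags >> 9) & 1,   # TC bit
        "tentative": (flags >> 8) & 1,   # T bit
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
        "questions": questions,
    }


if __name__ == "__main__":
    # Constructed sample: the query Windows would send for an unknown name.
    pkt = build_query(0x1234, "unknownhost")
    for version in (6, 4):
        print(f"IPv{version} frame ->", llmnr_destination(version))
    print("payload:", pkt.hex())
    print("decoded:", decode_query(pkt))
```

To compare against a real capture, select the LLMNR packet in Wireshark, right-click the Link-local Multicast Name Resolution line and copy the bytes as a hex stream, then pass bytes.fromhex(...) to decode_query: the Transaction ID, flag bits and Queries entry should match the packet details pane, and llmnr_destination should match the Ethernet and IP destination fields.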