Understanding How Windows XP ‘Finds’ Other Windows XP using Wireshark

July 8, 2009 at 10:36 am | Posted in Wireshark Experience | Leave a comment

Most of us are Windows XP fans, and almost every day we talk to other computers for file sharing, printer sharing, etc. Of course, it just works, without us knowing what is happening behind it, and for some of us that is enough. But honestly, knowing how it works behind the scenes gives us a very good understanding at the packet level, especially if we are planning to migrate our network from a flat L2 design to routed L3 VLANs.

Before I wrote this article, I turned on Wireshark, simply did 'Start > Run' and typed \\serverkoe, where serverkoe is my server sitting on the LAN, in the same subnet as me. Hopefully this small packet walkthrough will add a little to your knowledge.

In this packet capture, my PC is 10.20.80.241 and SERVERKOE is 10.20.80.4, both in the same subnet with netmask 255.255.255.0.

The first packet shown above is my PC issuing a "NetBIOS Name Service Query" to 10.20.80.255 (my broadcast address), asking the whole network "who is SERVERKOE?"

The second packet is also from my PC, asking my DNS server (I removed its IP address) the same question, but this time with my domain suffix appended. In human language: "Hey, my DNS, do you know the IP address of serverkoe.xxx.xxx?"

The third packet comes from the serverkoe side: SERVERKOE asks the network, using ARP, who has 10.20.80.241. Up to this third packet, my PC and SERVERKOE basically do not know each other.

In the fourth packet, my PC responds to the third packet with an ARP reply, answering "Hey host 10.20.80.4, I am 10.20.80.241 with MAC address 00:1c:bf:6c:28:9a". Once SERVERKOE knows who 10.20.80.241 is, it answers the "NetBIOS Name Query" with packet number 5:

All of the packets above are UDP based.
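To see what is inside that first broadcast packet, here is a small added example (my own code, not from the original capture or from Wireshark) that builds and decodes a NetBIOS Name Service query for SERVERKOE the way a host sends it to UDP port 137. The transaction ID 0x8001 is a constructed sample value, not taken from the capture; the name encoding and flag layout follow RFC 1001/1002.

```python
"""Build and decode a NetBIOS Name Service (NBNS, UDP/137) name query like
the broadcast 'who is SERVERKOE' packet described in the post.
Name encoding follows RFC 1001/1002 'first-level' encoding."""
import struct

NBNS_FLAGS_BCAST_QUERY = 0x0110   # opcode=0 (query), RD=1, B=1 (broadcast)
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001

def encode_netbios_name(name: str, suffix: int = 0x20) -> str:
    """Pad to 15 chars, append the 16th 'suffix' byte (0x20 = file server),
    then split every byte into two nibbles, each mapped to 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)

def decode_netbios_name(encoded: str) -> tuple:
    """Inverse of encode_netbios_name: 32 'A'..'P' chars -> (name, suffix)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    nib = [ord(c) - ord("A") for c in encoded]
    raw = bytes((nib[i] << 4) | nib[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_nbns_query(txid: int, name: str) -> bytes:
    """NBNS header (12 bytes, same layout as DNS) + one question record."""
    header = struct.pack("!HHHHHH", txid, NBNS_FLAGS_BCAST_QUERY, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NB, QCLASS_IN)

def parse_nbns_query(data: bytes) -> dict:
    """Decode the fields Wireshark shows for the 'who is SERVERKOE' packet."""
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1 or data[12] != 32:
        raise ValueError("unexpected NBNS question section")
    name, suffix = decode_netbios_name(data[13:45].decode("ascii"))
    qtype, qclass = struct.unpack("!HH", data[46:50])
    return {"txid": txid, "is_query": not (flags & 0x8000),
            "broadcast": bool(flags & 0x0010), "name": name,
            "suffix": suffix, "qtype": qtype, "qclass": qclass}

if __name__ == "__main__":
    # Constructed sample transaction ID; not the value from the capture.
    pkt = build_nbns_query(0x8001, "SERVERKOE")
    print(pkt.hex())
    print(parse_nbns_query(pkt))
```

The 32-character encoded name is what you see in Wireshark's "Name" field when you expand the NBNS question, and the B flag is what marks the query as a broadcast that a router will not forward.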

The next packet is the starting point of the actual communication between my PC and SERVERKOE. As usual, my PC begins with the TCP three-way handshake: SYN, SYN+ACK and ACK. The remaining packets show the SMB (Server Message Block) session, which is outside the scope of this article.

If we look at packets 15 to 17, these are the replies from my DNS server, saying that it does not know who SERVERKOE is.

An interesting thing I was not aware of before: my PC also sends one ICMP ping to SERVERKOE, in packets 20 and 21.

In this case, where my PC and SERVERKOE sit in the same LAN, the method by which my PC successfully finds SERVERKOE (the name resolution process) is the broadcast, which is the first packet, answered in the 5th packet. But we must remember that in a routed environment all broadcast packets are dropped at the router, so we must use another method for this name resolution to succeed. We can do it via the WINS service (the old method, prior to Windows 2000) or via DNS, which is the most popular method nowadays.

So, that’s it…..
