> For the complete documentation index, see [llms.txt](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/google-cybersecurity-professional-cert/3.-connect-and-protect-networks-and-network-security/module-3/activity-analyze-network-layer-communication.md).

# Activity Analyze network layer communication

Let’s break this down into a fun, **spy-themed adventure** to help you stay focused and tackle the **tcpdump analysis** step-by-step. We’ll imagine you’re a **cyber detective** trying to solve a case using the **tcpdump data**!

***

#### **Scenario Recap:**

Your **mission** is to investigate why customers can’t access **[www.yummyrecipesforme.com](http://www.yummyrecipesforme.com)** and are getting the error: "**destination port unreachable**." You used **tcpdump**, a network sniffing tool, to capture the data and figure out the issue. Let’s solve this mystery!

#### **Step 1: Break Down the tcpdump Log**

In this tcpdump log, we have a couple of **key pieces of information** to help us solve the case:

* **13:24:32.192571**: This is the **timestamp**—this shows when the packet was captured (1:24 PM).
* **192.51.100.15 > 203.0.113.2**: This is the **source IP** (your computer: 192.51.100.15) and **destination IP** (the DNS server: 203.0.113.2).
* **domain: 35084+ A? yummyrecipesforme.com.**: This is the DNS query asking, “Hey DNS server, what’s the IP address of yummyrecipesforme.com?”

Now, here’s the **response**:

* **ICMP 203.0.113.2 > 192.51.100.15**: Uh-oh, this is where it gets suspicious! The DNS server responds, not with the IP address, but with an **error**. The key part here is:
  * **udp port 53 unreachable**: The DNS server is saying, “I can’t access port 53!” Port 53 is used for DNS services.

#### **Step 2: What Happened?**

* Your computer sent a **DNS request** using **UDP** to find out the IP address of **yummyrecipesforme.com**. But the DNS server responded with an **ICMP error message** saying, "**Port 53 is unreachable**."
* This means there was no DNS service running on port 53 of the destination server—**yummyrecipesforme.com** couldn’t be resolved because the server wasn’t listening for DNS requests!

***

#### **Step 3: Connecting the Dots:**

Here’s the **fun detective work**:

1. **First Attempt**:
   * **Your browser** asked the DNS server: "Hey, what’s the IP address for **yummyrecipesforme.com**?"
   * **DNS Server Response**: "Sorry, no one's home at port 53—**UDP port unreachable**."
2. **Second Attempt**:
   * Same as above. Your browser tries again and gets the same **"port unreachable"** message.

#### **Step 4: What Does It Mean for Security?**

This error is a sign that either:

* The **DNS server is down**, or
* There’s a **misconfiguration** on the server that caused the DNS service to stop responding on **port 53**.

#### **How It Applies to Cyber Defense and Penetration Testing:**

* As a **cyber defense analyst**, your job is to **monitor for these errors**. In this case, the **service provider** might need to **restart their DNS server** or **reconfigure port 53** to listen for DNS queries again.
* As a **penetration tester**, this kind of information could be helpful for finding weaknesses. If a critical service like DNS goes down, that could be exploited by **DoS attacks** or other malicious activities!

***

#### **Step-by-Step Fun Detective Instructions:**

1. **Start the Investigation**:
   * Look at the **timestamps** to figure out when the issue occurred.
   * Check the **source and destination IPs** to see where the packet is coming from and where it’s going.
2. **Analyze the Logs**:
   * Notice the **query** to the DNS server: Your computer (192.51.100.15) is asking **203.0.113.2** (the DNS server) for the IP address of **yummyrecipesforme.com**.
   * The DNS server **fails** to respond and instead sends back an **ICMP error** saying, "**port 53 unreachable**."
3. **Draw Conclusions**:
   * Since the **DNS server isn’t responding** on port 53, the issue is likely related to the DNS service being **misconfigured** or **down**. As a cybersecurity analyst, you should flag this for the network engineers to resolve.

***

#### **Final Mission Report**:

* **Summary**: The issue preventing access to **yummyrecipesforme.com** is caused by a **DNS server misconfiguration** or downtime on port 53, which is preventing DNS requests from being processed.
* **Analysis**: Your **tcpdump log** shows repeated requests to the DNS server for the domain's IP address, and the server replies with "**ICMP port 53 unreachable**," indicating the DNS service is not functioning correctly.
* **Possible Cause**: The DNS service on **port 53** is likely down or not properly configured, causing DNS requests to fail.

***

You’ve cracked the case, agent! Now go forth and solve those **network mysteries** like the cyber detective you are!
