SlideShare a Scribd company logo

Wireshark Lab IP v6.0 Supplement to Computer Networking.docx

Download as DOCX, PDF
A
alanfhall8953

Wireshark Lab: IP v6.0 Supplement to Computer Networking: A Top-Down Approach, 6th ed., J.F. Kurose and K.W. Ross “Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb © 2005-21012, J.F Kurose and K.W. Ross, All Rights Reserved In this lab, we’ll investigate the IP protocol, focusing on the IP datagram. We’ll do so by analyzing a trace of IP datagrams sent and received by an execution of the traceroute program (the traceroute program itself is explored in more detail in the Wireshark ICMP lab). We’ll investigate the various fields in the IP datagram, and study IP fragmentation in detail. Before beginning this lab, you’ll probably want to review sections 1.4.3 in the text1 and section 3.4 of RFC 2151 [ftp://ftp.rfc-editor.org/in-notes/rfc2151.txt] to update yourself on the operation of the traceroute program. You’ll also want to read Section 4.4 in the text, and probably also have RFC 791 [ftp://ftp.rfc-editor.org/in-notes/rfc791.txt] on hand as well, for a discussion of the IP protocol. 1. Capturing packets from an execution of traceroute In order to generate a trace of IP datagrams for this lab, we’ll use the traceroute program to send datagrams of different sizes towards some destination, X. Recall that traceroute operates by first sending one or more datagrams with the time-to-live (TTL) field in the IP header set to 1; it then sends a series of one or more datagrams towards the same destination with a TTL value of 2; it then sends a series of datagrams towards the same destination with a TTL value of 3; and so on. Recall that a router must decrement the TTL in each received datagram by 1 (actually, RFC 791 says that the router must decrement the TTL by at least one). If the TTL reaches 0, the router returns an ICMP message (type 11 – TTL-exceeded) to the sending host. As a result of this behavior, a datagram with a TTL of 1 (sent by the host executing traceroute) will cause the router one hop away from the sender to send an ICMP TTL-exceeded message back to the sender; the datagram sent with a TTL of 2 will cause the router two hops 1 References to figures and sections are for the 6th edition of our text, Computer Networks, A Top-down Approach, 6th ed., J.F. Kurose and K.W. Ross, Addison-Wesley/Pearson, 2012. away to send an ICMP message back to the sender; the datagram sent with a TTL of 3 will cause the router three hops away to send an ICMP message back to the sender; and so on. In this manner, the host executing traceroute can learn the identities of the routers between itself and destination X by looking at the source IP addresses in the datagrams containing the ICMP TTL-exceeded messages. We’ll want to run traceroute and have it send datagrams of various lengths. • Windows. The tracert program (used for our ICMP Wireshark lab) provided with Windows does not allow one to c.

Education
1 of 33
Wireshark Lab: IP v6.0 Supplement to Computer Networking: A Top-Down Approach, 6th ed., J.F. Kurose and K.W. Ross “Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb © 2005-21012, J.F Kurose and K.W. Ross, All Rights Reserved In this lab, we’ll investigate the IP protocol, focusing on the IP datagram. We’ll do so by analyzing a trace of IP datagrams sent and received by an execution of the traceroute program (the traceroute program itself is explored in more detail in the Wireshark ICMP lab). We’ll investigate the various fields in the IP datagram, and study IP fragmentation in detail. Before beginning this lab, you’ll probably want to review sections 1.4.3 in the text1 and section 3.4 of RFC 2151 [ftp://ftp.rfc-editor.org/in- notes/rfc2151.txt] to update yourself on the operation of the traceroute program. You’ll also want to read Section 4.4 in
the text, and probably also have RFC 791 [ftp://ftp.rfc- editor.org/in-notes/rfc791.txt] on hand as well, for a discussion of the IP protocol. 1. Capturing packets from an execution of traceroute In order to generate a trace of IP datagrams for this lab, we’ll use the traceroute program to send datagrams of different sizes towards some destination, X. Recall that traceroute operates by first sending one or more datagrams with the time-to-live (TTL) field in the IP header set to 1; it then sends a series of one or more datagrams towards the same destination with a TTL value of 2; it then sends a series of datagrams towards the same destination with a TTL value of 3; and so on. Recall that a router must decrement the TTL in each received datagram by 1 (actually, RFC 791 says that the router must decrement the TTL by at least one). If the TTL reaches 0, the router returns an ICMP message (type 11 – TTL-exceeded) to the sending host. As a result of this behavior, a datagram with a TTL of 1 (sent by the host executing traceroute) will cause the router one hop away from the sender to send an ICMP TTL-exceeded message back to the sender; the datagram sent with a TTL of 2 will cause the router two hops 1 References to figures and sections are for the 6th edition of our text, Computer Networks, A Top-down Approach, 6th ed., J.F. Kurose and K.W. Ross, Addison-
Wesley/Pearson, 2012. away to send an ICMP message back to the sender; the datagram sent with a TTL of 3 will cause the router three hops away to send an ICMP message back to the sender; and so on. In this manner, the host executing traceroute can learn the identities of the routers between itself and destination X by looking at the source IP addresses in the datagrams containing the ICMP TTL-exceeded messages. We’ll want to run traceroute and have it send datagrams of various lengths. • Windows. The tracert program (used for our ICMP Wireshark lab) provided with Windows does not allow one to change the size of the ICMP echo request (ping) message sent by the tracert program. A nicer Windows traceroute program is pingplotter, available both in free version and shareware versions at http://www.pingplotter.com. Download and install pingplotter, and test it out by performing a few traceroutes to your favorite sites. The size of the ICMP echo request message can be explicitly set in pingplotter by selecting the menu item Edit-> Options->Packet Options and then filling in the Packet Size field. The default packet size is 56 bytes. Once pingplotter has sent a series of packets with
the increasing TTL values, it restarts the sending process again with a TTL of 1, after waiting Trace Interval amount of time. The value of Trace Interval and the number of intervals can be explicitly set in pingplotter. • Linux/Unix/MacOS. With the Unix/MacOS traceroute command, the size of the UDP datagram sent towards the destination can be explicitly set by indicating the number of bytes in the datagram; this value is entered in the traceroute command line immediately after the name or address of the destination. For example, to send traceroute datagrams of 2000 bytes towards gaia.cs.umass.edu, the command would be: %traceroute gaia.cs.umass.edu 2000 Do the following: • Start up Wireshark and begin packet capture (Capture->Start) and then press OK on the Wireshark Packet Capture Options screen (we’ll not need to select any options here). • If you are using a Windows platform, start up pingplotter and enter the name of a target destination in the “Address to Trace Window.” Enter 3 in the “# of times to Trace” field, so you don’t gather too much data. Select the menu item Edit- >Advanced Options->Packet Options and enter a value of 56 in the Packet Size
field and then press OK. Then press the Trace button. You should see a pingplotter window that looks something like this: Next, send a set of datagrams with a longer length, by selecting Edit->Advanced Options->Packet Options and enter a value of 2000 in the Packet Size field and then press OK. Then press the Resume button. Finally, send a set of datagrams with a longer length, by selecting Edit- >Advanced Options->Packet Options and enter a value of 3500 in the Packet Size field and then press OK. Then press the Resume button. Stop Wireshark tracing. • If you are using a Unix or Mac platform, enter three traceroute commands, one with a length of 56 bytes, one with a length of 2000 bytes, and one with a length of 3500 bytes. Stop Wireshark tracing.
If you are unable to run Wireshark on a live network connection, you can download a packet trace file that was captured while following the steps above on one of the author’s Windows computers2. You may well find it valuable to download this trace even if you’ve captured your own trace and use it, as well as your own trace, when you explore the questions below. 2 Download the zip file http://gaia.cs.umass.edu/wireshark- labs/wireshark-traces.zip and extract the file ip- ethereal-trace-1. The traces in this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ip-ethereal-trace-1 trace file. 2. A look at the captured trace In your trace, you should be able to see the series of ICMP Echo Request (in the case of Windows machine) or the UDP segment (in the case of Unix) sent by your computer and the ICMP TTL-exceeded messages returned to your computer by the intermediate routers. In the questions below, we’ll assume you are using a Windows machine; the corresponding questions for the case of a Unix machine should be clear. Whenever
possible, when answering a question below you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. When you hand in your assignment, annotate the output so that it’s clear where in the output you’re getting the information for your answer (e.g., for our classes, we ask that students markup paper copies with a pen, or annotate electronic copies with text in a colored font).To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question. 1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol part of the packet in the packet details window. What is the IP address of your computer? 2. Within the IP packet header, what is the value in the upper layer protocol field? 3. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain how you determined the number of payload bytes. 4. Has this IP datagram been fragmented? Explain how you determined whether or not the datagram has been fragmented.
Next, sort the traced packets according to IP source address by clicking on the Source column header; a small downward pointing arrow should appear next to the word Source. If the arrow points up, click on the Source column header again. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol portion in the “details of selected packet header” window. In the “listing of captured packets” window, you should see all of the subsequent ICMP messages (perhaps with additional interspersed packets sent by other protocols running on your computer) below this first ICMP. Use the down arrow to move through the ICMP messages sent by your computer. 5. Which fields in the IP datagram always change from one datagram to the next within this series of ICMP messages sent by your computer? 6. Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why? 7. Describe the pattern you see in the values in the Identification field of the IP datagram Next (with the packets still sorted by source address) find the
series of ICMP TTL- exceeded replies sent to your computer by the nearest (first hop) router. 8. What is the value in the Identification field and the TTL field? 9. Do these values remain unchanged for all of the ICMP TTL- exceeded replies sent to your computer by the nearest (first hop) router? Why? Fragmentation Sort the packet listing according to time again by clicking on the Time column. 10. Find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 2000. Has that message been fragmented across more than one IP datagram? [Note: if you find your packet has not been fragmented, you should download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the ip- ethereal-trace-1packet trace. If your computer has an Ethernet interface, a packet size of 2000 should cause fragmentation.3] 11. Print out the first fragment of the fragmented IP datagram. What information in the IP header indicates that the datagram been fragmented? What information in the IP header indicates whether this is the first fragment versus
a latter fragment? How long is this IP datagram? 3 The packets in the ip-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark- traces.zip are all less that 1500 bytes. This is because the computer on which the trace was gathered has an Ethernet card that limits the length of the maximum IP packet to 1500 bytes (40 bytes of TCP/IP header data and 1460 bytes of upper-layer protocol payload). This 1500 byte value is the standard maximum length allowed by Ethernet. If your trace indicates a datagram longer 1500 bytes, and your computer is using an Ethernet connection, then Wireshark is reporting the wrong IP datagram length; it will likely also show only one large IP datagram rather than multiple smaller datagrams.. This inconsistency in reported lengths is due to the interaction between the Ethernet driver and the Wireshark software. We recommend that if you have this inconsistency, that you perform this lab using the ip-ethereal-trace-1 trace file. 12. Print out the second fragment of the fragmented IP datagram. What information in the IP header indicates that this is not the first datagram fragment? Are the more fragments? How can you tell? 13. What fields change in the IP header between the first and second fragment? Now find the first ICMP Echo Request message that was sent by your computer after you
changed the Packet Size in pingplotter to be 3500. 14. How many fragments were created from the original datagram? 15. What fields change in the IP header among the fragments? Wireshark Lab: ICMP v6.0 Supplement to Computer Networking: A Top-Down Approach, 6th ed., J.F. Kurose and K.W. Ross “Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb © 2005-21012, J.F Kurose and K.W. Ross, All Rights Reserved In this lab, we’ll explore several aspects of the ICMP protocol: • ICMP messages generating by the Ping program; • ICMP messages generated by the Traceroute program; • the format and contents of an ICMP message.
Before attacking this lab, you’re encouraged to review the ICMP material in section 4.4.3 of the text1. We present this lab in the context of the Microsoft Windows operating system. However, it is straightforward to translate the lab to a Unix or Linux environment. 1. ICMP and Ping Let’s begin our ICMP adventure by capturing the packets generated by the Ping program. You may recall that the Ping program is simple tool that allows anyone (for example, a network administrator) to verify if a host is live or not. The Ping program in the source host sends a packet to the target IP address; if the target is live, the Ping program in the target host responds by sending a packet back to the source host. As you might have guessed (given that this lab is about ICMP), both of these Ping packets are ICMP packets. Do the following2: 1 References to figures and sections are for the 6th edition of our text, Computer Networks, A Top-down Approach, 6th ed., J.F. Kurose and K.W. Ross, Addison- Wesley/Pearson, 2012. 2 If you are unable to run Wireshark live on a computer, you can download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ICMP-ethereal-trace-1. The traces in this zip file were collected by Wireshark running
on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ICMP-ethereal-trace-1 trace file. You can then use this trace file to answer the questions below. • Let’s begin this adventure by opening the Windows Command Prompt application (which can be found in your Accessories folder). • Start up the Wireshark packet sniffer, and begin Wireshark packet capture. • The ping command is in c:windowssystem32, so type either “ping –n 10 hostname” or “c:windowssystem32ping –n 10 hostname” in the MS-DOS command line (without quotation marks), where hostname is a host on another continent. If you’re outside of Asia, you may want to enter www.ust.hk for the Web server at Hong Kong University of Science and Technology. The argument “-n 10” indicates that 10 ping messages should be sent. Then run the Ping program by typing return. • When the Ping program terminates, stop the packet capture in Wireshark. At the end of the experiment, your Command Prompt Window
should look something like Figure 1. In this example, the source ping program is in Massachusetts and the destination Ping program is in Hong Kong. From this window we see that the source ping program sent 10 query packets and received 10 responses. Note also that for each response, the source calculates the round-trip time (RTT), which for the 10 packets is on average 375 msec. Figure 1 Command Prompt window after entering Ping command. Figure 2 provides a screenshot of the Wireshark output, after “icmp” has been entered into the filter display window. Note that the packet listing shows 20 packets: the 10 Ping queries sent by the source and the 10 Ping responses received by the source. Also note that the source’s IP address is a private address (behind a NAT) of the form 192.168/12; the destination’s IP address is that of the Web server at HKUST. Now let’s zoom in on the first packet (sent by the client); in the figure below, the packet contents area provides information about this packet. We see that the IP datagram within this packet has protocol number 01, which is the protocol number for ICMP. This means that the payload
of the IP datagram is an ICMP packet. Figure 2 Wireshark output for Ping program with Internet Protocol expanded. Figure 3 focuses on the same ICMP but has expanded the ICMP protocol information in the packet contents window. Observe that this ICMP packet is of Type 8 and Code 0 - a so-called ICMP “echo request” packet. (See Figure 4.23 of text.) Also note that this ICMP packet contains a checksum, an identifier, and a sequence number. Figure 3 Wireshark capture of ping packet with ICMP packet expanded. What to Hand In: You should hand in a screen shot of the Command Prompt window similar to Figure 1 above. Whenever possible, when answering a question below, you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout3 to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of
packet detail that you need to answer the question. You should answer the following questions: 3 What do we mean by “annotate”? If you hand in a paper copy, please highlight where in the printout you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what you ‘ve highlight. If you hand in an electronic copy, it would be great if you could also highlight and annotate. 1. What is the IP address of your host? What is the IP address of the destination host? 2. Why is it that an ICMP packet does not have source and destination port numbers? 3. Examine one of the ping request packets sent by your host. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields? 4. Examine the corresponding ping reply packet. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields?
2. ICMP and Traceroute Let’s now continue our ICMP adventure by capturing the packets generated by the Traceroute program. You may recall that the Traceroute program can be used to figure out the path a packet takes from source to destination. Traceroute is discussed in Section 1.4 and in Section 4.4 of the text. Traceroute is implemented in different ways in Unix/Linux/MacOS and in Windows. In Unix/Linux, the source sends a series of UDP packets to the target destination using an unlikely destination port number; in Windows, the source sends a series of ICMP packets to the target destination. For both operating systems, the program sends the first packet with TTL=1, the second packet with TTL=2, and so on. Recall that a router will decrement a packet’s TTL value as the packet passes through the router. When a packet arrives at a router with TTL=1, the router sends an ICMP error packet back to the source. In the following, we’ll use the native Windows tracert program. A shareware version of a much nice Windows Traceroute program is pingplotter (www.pingplotter.com). We’ll use pingplotter in our Wireshark IP lab since it provides additional functionality that we’ll need there.
Do the following4: • Let’s begin by opening the Windows Command Prompt application (which can be found in your Accessories folder). • Start up the Wireshark packet sniffer, and begin Wireshark packet capture. • The tracert command is in c:windowssystem32, so type either “tracert hostname” or “c:windowssystem32tracert hostname” in the MS-DOS command line (without quotation marks), where hostname is a host on another continent. 4 If you are unable to run Wireshark live on a computer, you can download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ICMP-ethereal-trace-2. The traces in this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ICMP-ethereal-trace-2 trace file. You can then use this trace file to answer the questions below. (Note that on a Windows machine, the command is “tracert” and not “traceroute”.) If you’re outside of Europe, you may want to
enter www.inria.fr for the Web server at INRIA, a computer science research institute in France. Then run the Traceroute program by typing return. • When the Traceroute program terminates, stop packet capture in Wireshark. At the end of the experiment, your Command Prompt Window should look something like Figure 4. In this figure, the client Traceroute program is in Massachusetts and the target destination is in France. From this figure we see that for each TTL value, the source program sends three probe packets. Traceroute displays the RTTs for each of the probe packets, as well as the IP address (and possibly the name) of the router that returned the ICMP TTL-exceeded message. Figure 4 Command Prompt window displays the results of the Traceroute program. Figure 5 displays the Wireshark window for an ICMP packet returned by a router. Note that this ICMP error packet contains many more fields than the Ping ICMP messages.
Figure 5 Wireshark window of ICMP fields expanded for one ICMP error packet. What to Hand In: For this part of the lab, you should hand in a screen shot of the Command Prompt window. Whenever possible, when answering a question below, you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question. Answer the following questions: 5. What is the IP address of your host? What is the IP address of the target destination host? 6. If ICMP sent UDP packets instead (as in Unix/Linux), would the IP protocol number still be 01 for the probe packets? If not, what would it be? 7. Examine the ICMP echo packet in your screenshot. Is this different from the
ICMP ping query packets in the first half of this lab? If yes, how so? 8. Examine the ICMP error packet in your screenshot. It has more fields than the ICMP echo packet. What is included in those fields? 9. Examine the last three ICMP packets received by the source host. How are these packets different from the ICMP error packets? Why are they different? 10. Within the tracert measurements, is there a link whose delay is significantly longer than others? Refer to the screenshot in Figure 4, is there a link whose delay is significantly longer than others? On the basis of the router names, can you guess the location of the two routers on the end of this link? 3. Extra Credit For one of the programming assignments you created a UDP client ping program. This ping program, unlike the standard ping program, sends UDP probe packets rather than ICMP probe packets. Use the client program to send a UDP packet with an unusual destination port number to some live host. At the same time, use Wireshark to capture any response from the target host. Provide aWireshark screenshot for the response as well as an analysis of the response.
Wireshark Lab: Ethernet and ARP v6.01 Supplement to Computer Networking: A Top-Down Approach, 6th ed., J.F. Kurose and K.W. Ross “Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb © 2005-21012, J.F Kurose and K.W. Ross, All Rights Reserved In this lab, we’ll investigate the Ethernet protocol and the ARP protocol. Before beginning this lab, you’ll probably want to review sections 5.4.1 (link-layer addressing and ARP) and 5.4.2 (Ethernet) in the text1. RFC 826 (ftp://ftp.rfc-editor.org/in- notes/std/std37.txt) contains the gory details of the ARP protocol, which is used by an IP device to determine the IP address of a remote interface whose Ethernet address is known. 1. Capturing and analyzing Ethernet frames Let’s begin by capturing a set of Ethernet frames to study. Do the following2:
• First, make sure your browser’s cache is empty. To do this under Mozilla Firefox V3, select Tools->Clear Recent History and check the box for Cache. For Internet Explorer, select Tools->Internet Options->Delete Files. Start up the Wireshark packet sniffer • Enter the following URL into your browser http://gaia.cs.umass.edu/wireshark-labs/HTTP-ethereal-lab- file3.html Your browser should display the rather lengthy US Bill of Rights. 1 References to figures and sections are for the 6th edition of our text, Computer Networks, A Top-down Approach, 6th ed., J.F. Kurose and K.W. Ross, Addison- Wesley/Pearson, 2012. 2 If you are unable to run Wireshark live on a computer, you can download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ethernet--ethereal-trace-1. The traces in this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ethernet-ethereal-trace-1 trace file. You can then use this trace file to answer the questions below.
• Stop Wireshark packet capture. First, find the packet numbers (the leftmost column in the upper Wireshark window) of the HTTP GET message that was sent from your computer to gaia.cs.umass.edu, as well as the beginning of the HTTP response message sent to your computer by gaia.cs.umass.edu. You should see a screen that looks something like this (where packet 4 in the screen shot below contains the HTTP GET message) • Since this lab is about Ethernet and ARP, we’re not interested in IP or higher- layer protocols. So let’s change Wireshark’s “listing of captured packets” window so that it shows information only about protocols below IP. To have Wireshark do this, select Analyze->Enabled Protocols. Then uncheck the IP box and select OK. You should now see an Wireshark window that looks like: In order to answer the following questions, you’ll need to look into the packet details and packet contents windows (the middle and lower display windows in Wireshark). Select the Ethernet frame containing the HTTP GET message.
(Recall that the HTTP GET message is carried inside of a TCP segment, which is carried inside of an IP datagram, which is carried inside of an Ethernet frame; reread section 1.5.2 in the text if you find this encapsulation a bit confusing). Expand the Ethernet II information in the packet details window. Note that the contents of the Ethernet frame (header as well as payload) are displayed in the packet contents window. Answer the following questions, based on the contents of the Ethernet frame containing the HTTP GET message. Whenever possible, when answering a question you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout3 to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question. 1. What is the 48-bit Ethernet address of your computer? 2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? [Note: this is an important question, and one that students sometimes get wrong. Re-read pages 468-469 in the text and
make sure you understand the answer here.] 3. Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to? 4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET” appear in the Ethernet frame? Next, answer the following questions, based on the contents of the Ethernet frame containing the first byte of the HTTP response message. 5. What is the value of the Ethernet source address? Is this the address of your computer, or of gaia.cs.umass.edu (Hint: the answer is no). What device has this as its Ethernet address? 6. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer? 7. Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to? 8. How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e., the HTTP response code) appear in the Ethernet frame?
3 What do we mean by “annotate”? If you hand in a paper copy, please highlight where in the printout you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what you ‘ve highlight. If you hand in an electronic copy, it would be great if you could also highlight and annotate. 2. The Address Resolution Protocol In this section, we’ll observe the ARP protocol in action. We strongly recommend that you re-read section 5.4.1 in the text before proceeding. ARP Caching Recall that the ARP protocol typically maintains a cache of IP- to-Ethernet address translation pairs on your comnputer The arp command (in both MSDOS and Linux/Unix) is used to view and manipulate the contents of this cache. Since the arp command and the ARP protocol have the same name, it’s understandably easy to confuse them. But keep in mind that they are different - the arp command is used to view and manipulate the ARP cache contents, while the ARP protocol defines the format and meaning of the messages sent and received, and defines the actions taken on message transmission and receipt.
Let’s take a look at the contents of the ARP cache on your computer: • MS-DOS. The arp command is in c:windowssystem32, so type either “arp” or “c:windowssystem32arp” in the MS-DOS command line (without quotation marks). • Linux/Unix/MacOS. The executable for the arp command can be in various places. Popular locations are /sbin/arp (for linux) and /usr/etc/arp (for some Unix variants). The Windows arp command with no arguments will display the contents of the ARP cache on your computer. Run the arp command. 9. Write down the contents of your computer’s ARP cache. What is the meaning of each column value? In order to observe your computer sending and receiving ARP messages, we’ll need to clear the ARP cache, since otherwise your computer is likely to find a needed IP-Ethernet address translation pair in its cache and consequently not need to send out an ARP message.
• MS-DOS. The MS-DOS arp –d * command will clear your ARP cache. The –d flag indicates a deletion operation, and the * is the wildcard that says to delete all table entries. • Linux/Unix/MacOS. The arp –d * will clear your ARP cache. In order to run this command you’ll need root privileges. If you don’t have root privileges and can’t run Wireshark on a Windows machine, you can skip the trace collection part of this lab and just use the trace discussed in the earlier footnote. Observing ARP in action Do the following4: • Clear your ARP cache, as described above. • Next, make sure your browser’s cache is empty. To do this under Mozilla Firefox V3, select Tools->Clear Recent History and check the box for Cache. For Internet Explorer, select Tools->Internet Options->Delete Files. • Start up the Wireshark packet sniffer • Enter the following URL into your browser http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-lab-
file3.html Your browser should again display the rather lengthy US Bill of Rights. • Stop Wireshark packet capture. Again, we’re not interested in IP or higher-layer protocols, so change Wireshark’s “listing of captured packets” window so that it shows information only about protocols below IP. To have Wireshark do this, select Analyze->Enabled Protocols. Then uncheck the IP box and select OK. You should now see an Wireshark window that looks like: 4 The ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip was created using the steps below (in particular after the ARP cache had been flushed). In the example above, the first two frames in the trace contain ARP messages (as does the 6th message). The screen shot above corresponds to the trace referenced in footnote 1. Answer the following questions: 10. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message?
11. Give the hexadecimal value for the two-byte Ethernet Frame type field. What upper layer protocol does this correspond to? 12. Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet- pages/arp.html. a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made? c) Does the ARP message contain the IP address of the sender? d) Where in the ARP request does the “question” appear – the Ethernet address of the machine whose corresponding IP address is being queried? 13. Now find the ARP reply that was sent in response to the ARP request. a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP response is made? c) Where in the ARP message does the “answer” to the earlier ARP request appear – the IP address of the machine having the Ethernet address whose corresponding IP address is being queried? 14. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message? 15. Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip. The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 – another ARP request. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace? Extra Credit EX-1. The arp command: arp -s InetAddr EtherAddr allows you to manually add an entry to the ARP cache that resolves the IP address
InetAddr to the physical address EtherAddr. What would happen if, when you manually added an entry, you entered the correct IP address, but the wrong Ethernet address for that remote interface? EX-2. What is the default amount of time that an entry remains in your ARP cache before being removed. You can determine this empirically (by monitoring the cache contents) or by looking this up in your operation system documentation. Indicate how/where you determined this value.

Recommended

Wireshark ip sept_15_2009
Wireshark ip sept_15_2009Wireshark ip sept_15_2009
Wireshark ip sept_15_2009wab030
 
Wireshark Lab IP v6.0Supplement to Computer Networking A Top-D.docx
Wireshark Lab IP v6.0Supplement to Computer Networking A Top-D.docxWireshark Lab IP v6.0Supplement to Computer Networking A Top-D.docx
Wireshark Lab IP v6.0Supplement to Computer Networking A Top-D.docxalanfhall8953
 
HS1011 Data Communication and Networks 13 August 2015 HS101.docx
HS1011 Data Communication and Networks 13 August 2015 HS101.docxHS1011 Data Communication and Networks 13 August 2015 HS101.docx
HS1011 Data Communication and Networks 13 August 2015 HS101.docxadampcarr67227
 
Wireshark Lab TCP v6.0 Supplement to Computer Networking.docx
Wireshark Lab TCP v6.0 Supplement to Computer Networking.docxWireshark Lab TCP v6.0 Supplement to Computer Networking.docx
Wireshark Lab TCP v6.0 Supplement to Computer Networking.docxalanfhall8953
 
Wireshark Lab Ethernet and ARP v7.0 Supplement to Comp.docx
Wireshark Lab Ethernet and ARP v7.0 Supplement to Comp.docxWireshark Lab Ethernet and ARP v7.0 Supplement to Comp.docx
Wireshark Lab Ethernet and ARP v7.0 Supplement to Comp.docxambersalomon88660
 
TCPIP
TCPIPTCPIP
TCPIPsangusajjan
 
Lab Exercise #4 IPv4 Dr. Anne Kohnke 1 Obj.docx
Lab Exercise #4 IPv4 Dr. Anne Kohnke 1 Obj.docxLab Exercise #4 IPv4 Dr. Anne Kohnke 1 Obj.docx
Lab Exercise #4 IPv4 Dr. Anne Kohnke 1 Obj.docxsmile790243
 
How does the internet work converted General (Your) Affiliate Link: https://w...
How does the internet work converted General (Your) Affiliate Link: https://w...How does the internet work converted General (Your) Affiliate Link: https://w...
How does the internet work converted General (Your) Affiliate Link: https://w...YonasBayu1
 

Recommended

Wireshark ip sept_15_2009
Wireshark ip sept_15_2009Wireshark ip sept_15_2009
Wireshark ip sept_15_2009wab030
 
Wireshark Lab IP v6.0Supplement to Computer Networking A Top-D.docx
Wireshark Lab IP v6.0Supplement to Computer Networking A Top-D.docxWireshark Lab IP v6.0Supplement to Computer Networking A Top-D.docx
Wireshark Lab IP v6.0Supplement to Computer Networking A Top-D.docxalanfhall8953
 
HS1011 Data Communication and Networks 13 August 2015 HS101.docx
HS1011 Data Communication and Networks 13 August 2015 HS101.docxHS1011 Data Communication and Networks 13 August 2015 HS101.docx
HS1011 Data Communication and Networks 13 August 2015 HS101.docxadampcarr67227
 
Wireshark Lab TCP v6.0 Supplement to Computer Networking.docx
Wireshark Lab TCP v6.0 Supplement to Computer Networking.docxWireshark Lab TCP v6.0 Supplement to Computer Networking.docx
Wireshark Lab TCP v6.0 Supplement to Computer Networking.docxalanfhall8953
 
Wireshark Lab Ethernet and ARP v7.0 Supplement to Comp.docx
Wireshark Lab Ethernet and ARP v7.0 Supplement to Comp.docxWireshark Lab Ethernet and ARP v7.0 Supplement to Comp.docx
Wireshark Lab Ethernet and ARP v7.0 Supplement to Comp.docxambersalomon88660
 
TCPIP
TCPIPTCPIP
TCPIPsangusajjan
 
Lab Exercise #4 IPv4 Dr. Anne Kohnke 1 Obj.docx
Lab Exercise #4 IPv4 Dr. Anne Kohnke 1 Obj.docxLab Exercise #4 IPv4 Dr. Anne Kohnke 1 Obj.docx
Lab Exercise #4 IPv4 Dr. Anne Kohnke 1 Obj.docxsmile790243
 
How does the internet work converted General (Your) Affiliate Link: https://w...
How does the internet work converted General (Your) Affiliate Link: https://w...How does the internet work converted General (Your) Affiliate Link: https://w...
How does the internet work converted General (Your) Affiliate Link: https://w...YonasBayu1
 
ECET 465 help Making Decisions/Snaptutorial
ECET 465 help Making Decisions/SnaptutorialECET 465 help Making Decisions/Snaptutorial
ECET 465 help Making Decisions/Snaptutorialpinck2329
 
What are the specific ICMP errors that are generated during a tracero.docx
What are the specific ICMP errors that are generated during a tracero.docx What are the specific ICMP errors that are generated during a tracero.docx
What are the specific ICMP errors that are generated during a tracero.docxajoy21
 
Pears
PearsPears
Pearsthips
 
Ecet 465  Enthusiastic Study / snaptutorial.com
Ecet 465  Enthusiastic Study / snaptutorial.comEcet 465  Enthusiastic Study / snaptutorial.com
Ecet 465  Enthusiastic Study / snaptutorial.comStephenson39
 
ECET 465 Technology levels--snaptutorial.com
ECET 465 Technology levels--snaptutorial.comECET 465 Technology levels--snaptutorial.com
ECET 465 Technology levels--snaptutorial.comsholingarjosh104
 
Ecet 465 Massive Success / snaptutorial.com
Ecet 465 Massive Success / snaptutorial.comEcet 465 Massive Success / snaptutorial.com
Ecet 465 Massive Success / snaptutorial.comHarrisGeorgz
 
Wireshark Lab Getting Started v6.0 Supplement to Co.docx
Wireshark Lab Getting Started v6.0 Supplement to Co.docxWireshark Lab Getting Started v6.0 Supplement to Co.docx
Wireshark Lab Getting Started v6.0 Supplement to Co.docxambersalomon88660
 
3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network TrafficRio Ap
 
Ecet 465 Success Begins / snaptutorial.com
Ecet 465 Success Begins / snaptutorial.comEcet 465 Success Begins / snaptutorial.com
Ecet 465 Success Begins / snaptutorial.comWilliamsTaylorzo
 
Internet Protocol Version 4
Internet Protocol Version 4Internet Protocol Version 4
Internet Protocol Version 4Purushottam Kamble
 
Understanding Internet Protocol (IPv4)
Understanding Internet Protocol (IPv4)Understanding Internet Protocol (IPv4)
Understanding Internet Protocol (IPv4)Nicole Gaehle, MSIST
 
Internet Protocol
Internet ProtocolInternet Protocol
Internet ProtocolGhaffar Khan
 
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...IOSR Journals
 
IP Datagram Structure
IP Datagram StructureIP Datagram Structure
IP Datagram StructureHitesh Mohapatra
 
Wireshark udp
Wireshark udpWireshark udp
Wireshark udperombapu
 
Ch 19 Network-layer protocols - section 2
Ch 19 Network-layer protocols - section 2Ch 19 Network-layer protocols - section 2
Ch 19 Network-layer protocols - section 2Hossam El-Deen Osama
 
ICMPV4
ICMPV4ICMPV4
ICMPV4rajshreemuthiah
 
Network Layer
Network LayerNetwork Layer
Network LayerGhaffar Khan
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domainPhu Nguyen
 
Ip protocol
Ip protocolIp protocol
Ip protocolH K
 
With regards to this article, I agree and disagree on certain leve.docx
With regards to this article, I agree and disagree on certain leve.docxWith regards to this article, I agree and disagree on certain leve.docx
With regards to this article, I agree and disagree on certain leve.docxalanfhall8953
 
WIT Financial Accounting Test Ch.docx
WIT Financial Accounting Test Ch.docxWIT Financial Accounting Test Ch.docx
WIT Financial Accounting Test Ch.docxalanfhall8953
 

More Related Content

Similar to Wireshark Lab IP v6.0 Supplement to Computer Networking.docx

ECET 465 help Making Decisions/Snaptutorial
ECET 465 help Making Decisions/SnaptutorialECET 465 help Making Decisions/Snaptutorial
ECET 465 help Making Decisions/Snaptutorialpinck2329
 
What are the specific ICMP errors that are generated during a tracero.docx
What are the specific ICMP errors that are generated during a tracero.docx What are the specific ICMP errors that are generated during a tracero.docx
What are the specific ICMP errors that are generated during a tracero.docxajoy21
 
Pears
PearsPears
Pearsthips
 
Ecet 465  Enthusiastic Study / snaptutorial.com
Ecet 465  Enthusiastic Study / snaptutorial.comEcet 465  Enthusiastic Study / snaptutorial.com
Ecet 465  Enthusiastic Study / snaptutorial.comStephenson39
 
ECET 465 Technology levels--snaptutorial.com
ECET 465 Technology levels--snaptutorial.comECET 465 Technology levels--snaptutorial.com
ECET 465 Technology levels--snaptutorial.comsholingarjosh104
 
Ecet 465 Massive Success / snaptutorial.com
Ecet 465 Massive Success / snaptutorial.comEcet 465 Massive Success / snaptutorial.com
Ecet 465 Massive Success / snaptutorial.comHarrisGeorgz
 
Wireshark Lab Getting Started v6.0 Supplement to Co.docx
Wireshark Lab Getting Started v6.0 Supplement to Co.docxWireshark Lab Getting Started v6.0 Supplement to Co.docx
Wireshark Lab Getting Started v6.0 Supplement to Co.docxambersalomon88660
 
3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network TrafficRio Ap
 
Ecet 465 Success Begins / snaptutorial.com
Ecet 465 Success Begins / snaptutorial.comEcet 465 Success Begins / snaptutorial.com
Ecet 465 Success Begins / snaptutorial.comWilliamsTaylorzo
 
Understanding Internet Protocol (IPv4)
Understanding Internet Protocol (IPv4)Understanding Internet Protocol (IPv4)
Understanding Internet Protocol (IPv4)Nicole Gaehle, MSIST
 
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...IOSR Journals
 
Wireshark udp
Wireshark udpWireshark udp
Wireshark udperombapu
 
Ch 19 Network-layer protocols - section 2
Ch 19 Network-layer protocols - section 2Ch 19 Network-layer protocols - section 2
Ch 19 Network-layer protocols - section 2Hossam El-Deen Osama
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domainPhu Nguyen
 
Ip protocol
Ip protocolIp protocol
Ip protocolH K
 

Similar to Wireshark Lab IP v6.0 Supplement to Computer Networking.docx (20)

ECET 465 help Making Decisions/Snaptutorial
ECET 465 help Making Decisions/SnaptutorialECET 465 help Making Decisions/Snaptutorial
ECET 465 help Making Decisions/Snaptutorial
 
What are the specific ICMP errors that are generated during a tracero.docx
What are the specific ICMP errors that are generated during a tracero.docx What are the specific ICMP errors that are generated during a tracero.docx
What are the specific ICMP errors that are generated during a tracero.docx
 
Pears
PearsPears
Pears
 
Ecet 465  Enthusiastic Study / snaptutorial.com
Ecet 465  Enthusiastic Study / snaptutorial.comEcet 465  Enthusiastic Study / snaptutorial.com
Ecet 465  Enthusiastic Study / snaptutorial.com
 
ECET 465 Technology levels--snaptutorial.com
ECET 465 Technology levels--snaptutorial.comECET 465 Technology levels--snaptutorial.com
ECET 465 Technology levels--snaptutorial.com
 
Ecet 465 Massive Success / snaptutorial.com
Ecet 465 Massive Success / snaptutorial.comEcet 465 Massive Success / snaptutorial.com
Ecet 465 Massive Success / snaptutorial.com
 
Wireshark Lab Getting Started v6.0 Supplement to Co.docx
Wireshark Lab Getting Started v6.0 Supplement to Co.docxWireshark Lab Getting Started v6.0 Supplement to Co.docx
Wireshark Lab Getting Started v6.0 Supplement to Co.docx
 
3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic
 
Ecet 465 Success Begins / snaptutorial.com
Ecet 465 Success Begins / snaptutorial.comEcet 465 Success Begins / snaptutorial.com
Ecet 465 Success Begins / snaptutorial.com
 
Internet Protocol Version 4
Internet Protocol Version 4Internet Protocol Version 4
Internet Protocol Version 4
 
Understanding Internet Protocol (IPv4)
Understanding Internet Protocol (IPv4)Understanding Internet Protocol (IPv4)
Understanding Internet Protocol (IPv4)
 
Internet Protocol
Internet ProtocolInternet Protocol
Internet Protocol
 
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
 
IP Datagram Structure
IP Datagram StructureIP Datagram Structure
IP Datagram Structure
 
Wireshark udp
Wireshark udpWireshark udp
Wireshark udp
 
Ch 19 Network-layer protocols - section 2
Ch 19 Network-layer protocols - section 2Ch 19 Network-layer protocols - section 2
Ch 19 Network-layer protocols - section 2
 
ICMPV4
ICMPV4ICMPV4
ICMPV4
 
Network Layer
Network LayerNetwork Layer
Network Layer
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domain
 
Ip protocol
Ip protocolIp protocol
Ip protocol
 

More from alanfhall8953

With regards to this article, I agree and disagree on certain leve.docx
With regards to this article, I agree and disagree on certain leve.docxWith regards to this article, I agree and disagree on certain leve.docx
With regards to this article, I agree and disagree on certain leve.docxalanfhall8953
 
WIT Financial Accounting Test Ch.docx
WIT Financial Accounting Test Ch.docxWIT Financial Accounting Test Ch.docx
WIT Financial Accounting Test Ch.docxalanfhall8953
 
Windows Server Deployment ProposalOverviewEach student will .docx
Windows Server Deployment ProposalOverviewEach student will .docxWindows Server Deployment ProposalOverviewEach student will .docx
Windows Server Deployment ProposalOverviewEach student will .docxalanfhall8953
 
Willowbrook SchoolBackgroundWillowbrook School is a small, pri.docx
Willowbrook SchoolBackgroundWillowbrook School is a small, pri.docxWillowbrook SchoolBackgroundWillowbrook School is a small, pri.docx
Willowbrook SchoolBackgroundWillowbrook School is a small, pri.docxalanfhall8953
 
Wind PowerUsed For Millennia Variations in alb.docx
Wind PowerUsed For Millennia Variations in alb.docxWind PowerUsed For Millennia Variations in alb.docx
Wind PowerUsed For Millennia Variations in alb.docxalanfhall8953
 
winter 2013 235 CREATE A CONTRACTInstructionsI will giv.docx
winter 2013 235 CREATE A CONTRACTInstructionsI will giv.docxwinter 2013 235 CREATE A CONTRACTInstructionsI will giv.docx
winter 2013 235 CREATE A CONTRACTInstructionsI will giv.docxalanfhall8953
 
WinEst As 1. Es2. Tassignment stInfo (Esti.docx
WinEst As 1. Es2. Tassignment stInfo (Esti.docxWinEst As 1. Es2. Tassignment stInfo (Esti.docx
WinEst As 1. Es2. Tassignment stInfo (Esti.docxalanfhall8953
 
Wiley Plus Brief Exercise 6 –Accounting 100Brief Exercise 6-1B.docx
Wiley Plus Brief Exercise 6 –Accounting 100Brief Exercise 6-1B.docxWiley Plus Brief Exercise 6 –Accounting 100Brief Exercise 6-1B.docx
Wiley Plus Brief Exercise 6 –Accounting 100Brief Exercise 6-1B.docxalanfhall8953
 
Winter 2011 • Morality in Education 35Workplace Bullying .docx
Winter 2011 • Morality in Education 35Workplace Bullying .docxWinter 2011 • Morality in Education 35Workplace Bullying .docx
Winter 2011 • Morality in Education 35Workplace Bullying .docxalanfhall8953
 
With the competitive advantage that Crocs’ supply chain holds, the.docx
With the competitive advantage that Crocs’ supply chain holds, the.docxWith the competitive advantage that Crocs’ supply chain holds, the.docx
With the competitive advantage that Crocs’ supply chain holds, the.docxalanfhall8953
 
Windows Server 2012 R2 Essentials Windows Server 2012.docx
Windows Server 2012 R2 Essentials Windows Server 2012.docxWindows Server 2012 R2 Essentials Windows Server 2012.docx
Windows Server 2012 R2 Essentials Windows Server 2012.docxalanfhall8953
 
Wind power resources on the eastern U.S. continental shelf are est.docx
Wind power resources on the eastern U.S. continental shelf are est.docxWind power resources on the eastern U.S. continental shelf are est.docx
Wind power resources on the eastern U.S. continental shelf are est.docxalanfhall8953
 
WilliamStearman_Java301build.xml Builds, tests, and ru.docx
WilliamStearman_Java301build.xml Builds, tests, and ru.docxWilliamStearman_Java301build.xml Builds, tests, and ru.docx
WilliamStearman_Java301build.xml Builds, tests, and ru.docxalanfhall8953
 
Wilco Corporation has the following account balances at December 3.docx
Wilco Corporation has the following account balances at December 3.docxWilco Corporation has the following account balances at December 3.docx
Wilco Corporation has the following account balances at December 3.docxalanfhall8953
 
Wilson Majee Technology Diffusion, S-Curve, and Innovation.docx
Wilson Majee Technology Diffusion, S-Curve, and Innovation.docxWilson Majee Technology Diffusion, S-Curve, and Innovation.docx
Wilson Majee Technology Diffusion, S-Curve, and Innovation.docxalanfhall8953
 
WinARM - Simulating Advanced RISC Machine Architecture .docx
WinARM - Simulating Advanced RISC Machine Architecture .docxWinARM - Simulating Advanced RISC Machine Architecture .docx
WinARM - Simulating Advanced RISC Machine Architecture .docxalanfhall8953
 
William PennWhat religion was William PennWilliam Pen was fr.docx
William PennWhat religion was William PennWilliam Pen was fr.docxWilliam PennWhat religion was William PennWilliam Pen was fr.docx
William PennWhat religion was William PennWilliam Pen was fr.docxalanfhall8953
 
William PennOne of the most memorable people in United States re.docx
William PennOne of the most memorable people in United States re.docxWilliam PennOne of the most memorable people in United States re.docx
William PennOne of the most memorable people in United States re.docxalanfhall8953
 
WILL THE REAL BRANDON SMITHPLEASE STAND UPTHESIS STATEMENT.docx
WILL THE REAL BRANDON SMITHPLEASE STAND UPTHESIS STATEMENT.docxWILL THE REAL BRANDON SMITHPLEASE STAND UPTHESIS STATEMENT.docx
WILL THE REAL BRANDON SMITHPLEASE STAND UPTHESIS STATEMENT.docxalanfhall8953
 
Will the Internet Be Bad for Democracy Eli M. NoamProfessor a.docx
Will the Internet Be Bad for Democracy Eli M. NoamProfessor a.docxWill the Internet Be Bad for Democracy Eli M. NoamProfessor a.docx
Will the Internet Be Bad for Democracy Eli M. NoamProfessor a.docxalanfhall8953
 

More from alanfhall8953 (20)

With regards to this article, I agree and disagree on certain leve.docx
With regards to this article, I agree and disagree on certain leve.docxWith regards to this article, I agree and disagree on certain leve.docx
With regards to this article, I agree and disagree on certain leve.docx
 
WIT Financial Accounting Test Ch.docx
WIT Financial Accounting Test Ch.docxWIT Financial Accounting Test Ch.docx
WIT Financial Accounting Test Ch.docx
 
Windows Server Deployment ProposalOverviewEach student will .docx
Windows Server Deployment ProposalOverviewEach student will .docxWindows Server Deployment ProposalOverviewEach student will .docx
Windows Server Deployment ProposalOverviewEach student will .docx
 
Willowbrook SchoolBackgroundWillowbrook School is a small, pri.docx
Willowbrook SchoolBackgroundWillowbrook School is a small, pri.docxWillowbrook SchoolBackgroundWillowbrook School is a small, pri.docx
Willowbrook SchoolBackgroundWillowbrook School is a small, pri.docx
 
Wind PowerUsed For Millennia Variations in alb.docx
Wind PowerUsed For Millennia Variations in alb.docxWind PowerUsed For Millennia Variations in alb.docx
Wind PowerUsed For Millennia Variations in alb.docx
 
winter 2013 235 CREATE A CONTRACTInstructionsI will giv.docx
winter 2013 235 CREATE A CONTRACTInstructionsI will giv.docxwinter 2013 235 CREATE A CONTRACTInstructionsI will giv.docx
winter 2013 235 CREATE A CONTRACTInstructionsI will giv.docx
 
WinEst As 1. Es2. Tassignment stInfo (Esti.docx
WinEst As 1. Es2. Tassignment stInfo (Esti.docxWinEst As 1. Es2. Tassignment stInfo (Esti.docx
WinEst As 1. Es2. Tassignment stInfo (Esti.docx
 
Wiley Plus Brief Exercise 6 –Accounting 100Brief Exercise 6-1B.docx
Wiley Plus Brief Exercise 6 –Accounting 100Brief Exercise 6-1B.docxWiley Plus Brief Exercise 6 –Accounting 100Brief Exercise 6-1B.docx
Wiley Plus Brief Exercise 6 –Accounting 100Brief Exercise 6-1B.docx
 
Winter 2011 • Morality in Education 35Workplace Bullying .docx
Winter 2011 • Morality in Education 35Workplace Bullying .docxWinter 2011 • Morality in Education 35Workplace Bullying .docx
Winter 2011 • Morality in Education 35Workplace Bullying .docx
 
With the competitive advantage that Crocs’ supply chain holds, the.docx
With the competitive advantage that Crocs’ supply chain holds, the.docxWith the competitive advantage that Crocs’ supply chain holds, the.docx
With the competitive advantage that Crocs’ supply chain holds, the.docx
 
Windows Server 2012 R2 Essentials Windows Server 2012.docx
Windows Server 2012 R2 Essentials Windows Server 2012.docxWindows Server 2012 R2 Essentials Windows Server 2012.docx
Windows Server 2012 R2 Essentials Windows Server 2012.docx
 
Wind power resources on the eastern U.S. continental shelf are est.docx
Wind power resources on the eastern U.S. continental shelf are est.docxWind power resources on the eastern U.S. continental shelf are est.docx
Wind power resources on the eastern U.S. continental shelf are est.docx
 
WilliamStearman_Java301build.xml Builds, tests, and ru.docx
WilliamStearman_Java301build.xml Builds, tests, and ru.docxWilliamStearman_Java301build.xml Builds, tests, and ru.docx
WilliamStearman_Java301build.xml Builds, tests, and ru.docx
 
Wilco Corporation has the following account balances at December 3.docx
Wilco Corporation has the following account balances at December 3.docxWilco Corporation has the following account balances at December 3.docx
Wilco Corporation has the following account balances at December 3.docx
 
Wilson Majee Technology Diffusion, S-Curve, and Innovation.docx
Wilson Majee Technology Diffusion, S-Curve, and Innovation.docxWilson Majee Technology Diffusion, S-Curve, and Innovation.docx
Wilson Majee Technology Diffusion, S-Curve, and Innovation.docx
 
WinARM - Simulating Advanced RISC Machine Architecture .docx
WinARM - Simulating Advanced RISC Machine Architecture .docxWinARM - Simulating Advanced RISC Machine Architecture .docx
WinARM - Simulating Advanced RISC Machine Architecture .docx
 
William PennWhat religion was William PennWilliam Pen was fr.docx
William PennWhat religion was William PennWilliam Pen was fr.docxWilliam PennWhat religion was William PennWilliam Pen was fr.docx
William PennWhat religion was William PennWilliam Pen was fr.docx
 
William PennOne of the most memorable people in United States re.docx
William PennOne of the most memorable people in United States re.docxWilliam PennOne of the most memorable people in United States re.docx
William PennOne of the most memorable people in United States re.docx
 
WILL THE REAL BRANDON SMITHPLEASE STAND UPTHESIS STATEMENT.docx
WILL THE REAL BRANDON SMITHPLEASE STAND UPTHESIS STATEMENT.docxWILL THE REAL BRANDON SMITHPLEASE STAND UPTHESIS STATEMENT.docx
WILL THE REAL BRANDON SMITHPLEASE STAND UPTHESIS STATEMENT.docx
 
Will the Internet Be Bad for Democracy Eli M. NoamProfessor a.docx
Will the Internet Be Bad for Democracy Eli M. NoamProfessor a.docxWill the Internet Be Bad for Democracy Eli M. NoamProfessor a.docx
Will the Internet Be Bad for Democracy Eli M. NoamProfessor a.docx
 

Recently uploaded

EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxabhijeetpadhi001
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 

Recently uploaded (20)

EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptx
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 

Wireshark Lab IP v6.0 Supplement to Computer Networking.docx

  • 1. Wireshark Lab: IP v6.0 Supplement to Computer Networking: A Top-Down Approach, 6th ed., J.F. Kurose and K.W. Ross “Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb © 2005-21012, J.F Kurose and K.W. Ross, All Rights Reserved In this lab, we’ll investigate the IP protocol, focusing on the IP datagram. We’ll do so by analyzing a trace of IP datagrams sent and received by an execution of the traceroute program (the traceroute program itself is explored in more detail in the Wireshark ICMP lab). We’ll investigate the various fields in the IP datagram, and study IP fragmentation in detail. Before beginning this lab, you’ll probably want to review sections 1.4.3 in the text1 and section 3.4 of RFC 2151 [ftp://ftp.rfc-editor.org/in- notes/rfc2151.txt] to update yourself on the operation of the traceroute program. You’ll also want to read Section 4.4 in
  • 2. the text, and probably also have RFC 791 [ftp://ftp.rfc- editor.org/in-notes/rfc791.txt] on hand as well, for a discussion of the IP protocol. 1. Capturing packets from an execution of traceroute In order to generate a trace of IP datagrams for this lab, we’ll use the traceroute program to send datagrams of different sizes towards some destination, X. Recall that traceroute operates by first sending one or more datagrams with the time-to-live (TTL) field in the IP header set to 1; it then sends a series of one or more datagrams towards the same destination with a TTL value of 2; it then sends a series of datagrams towards the same destination with a TTL value of 3; and so on. Recall that a router must decrement the TTL in each received datagram by 1 (actually, RFC 791 says that the router must decrement the TTL by at least one). If the TTL reaches 0, the router returns an ICMP message (type 11 – TTL-exceeded) to the sending host. As a result of this behavior, a datagram with a TTL of 1 (sent by the host executing traceroute) will cause the router one hop away from the sender to send an ICMP TTL-exceeded message back to the sender; the datagram sent with a TTL of 2 will cause the router two hops 1 References to figures and sections are for the 6th edition of our text, Computer Networks, A Top-down Approach, 6th ed., J.F. Kurose and K.W. Ross, Addison-
  • 3. Wesley/Pearson, 2012. away to send an ICMP message back to the sender; the datagram sent with a TTL of 3 will cause the router three hops away to send an ICMP message back to the sender; and so on. In this manner, the host executing traceroute can learn the identities of the routers between itself and destination X by looking at the source IP addresses in the datagrams containing the ICMP TTL-exceeded messages. We’ll want to run traceroute and have it send datagrams of various lengths. • Windows. The tracert program (used for our ICMP Wireshark lab) provided with Windows does not allow one to change the size of the ICMP echo request (ping) message sent by the tracert program. A nicer Windows traceroute program is pingplotter, available both in free version and shareware versions at http://www.pingplotter.com. Download and install pingplotter, and test it out by performing a few traceroutes to your favorite sites. The size of the ICMP echo request message can be explicitly set in pingplotter by selecting the menu item Edit-> Options->Packet Options and then filling in the Packet Size field. The default packet size is 56 bytes. Once pingplotter has sent a series of packets with
  • 4. the increasing TTL values, it restarts the sending process again with a TTL of 1, after waiting Trace Interval amount of time. The value of Trace Interval and the number of intervals can be explicitly set in pingplotter. • Linux/Unix/MacOS. With the Unix/MacOS traceroute command, the size of the UDP datagram sent towards the destination can be explicitly set by indicating the number of bytes in the datagram; this value is entered in the traceroute command line immediately after the name or address of the destination. For example, to send traceroute datagrams of 2000 bytes towards gaia.cs.umass.edu, the command would be: %traceroute gaia.cs.umass.edu 2000 Do the following: • Start up Wireshark and begin packet capture (Capture->Start) and then press OK on the Wireshark Packet Capture Options screen (we’ll not need to select any options here). • If you are using a Windows platform, start up pingplotter and enter the name of a target destination in the “Address to Trace Window.” Enter 3 in the “# of times to Trace” field, so you don’t gather too much data. Select the menu item Edit- >Advanced Options->Packet Options and enter a value of 56 in the Packet Size
  • 5. field and then press OK. Then press the Trace button. You should see a pingplotter window that looks something like this: Next, send a set of datagrams with a longer length, by selecting Edit->Advanced Options->Packet Options and enter a value of 2000 in the Packet Size field and then press OK. Then press the Resume button. Finally, send a set of datagrams with a longer length, by selecting Edit- >Advanced Options->Packet Options and enter a value of 3500 in the Packet Size field and then press OK. Then press the Resume button. Stop Wireshark tracing. • If you are using a Unix or Mac platform, enter three traceroute commands, one with a length of 56 bytes, one with a length of 2000 bytes, and one with a length of 3500 bytes. Stop Wireshark tracing.
  • 6. If you are unable to run Wireshark on a live network connection, you can download a packet trace file that was captured while following the steps above on one of the author’s Windows computers2. You may well find it valuable to download this trace even if you’ve captured your own trace and use it, as well as your own trace, when you explore the questions below. 2 Download the zip file http://gaia.cs.umass.edu/wireshark- labs/wireshark-traces.zip and extract the file ip- ethereal-trace-1. The traces in this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ip-ethereal-trace-1 trace file. 2. A look at the captured trace In your trace, you should be able to see the series of ICMP Echo Request (in the case of Windows machine) or the UDP segment (in the case of Unix) sent by your computer and the ICMP TTL-exceeded messages returned to your computer by the intermediate routers. In the questions below, we’ll assume you are using a Windows machine; the corresponding questions for the case of a Unix machine should be clear. Whenever
  • 7. possible, when answering a question below you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. When you hand in your assignment, annotate the output so that it’s clear where in the output you’re getting the information for your answer (e.g., for our classes, we ask that students markup paper copies with a pen, or annotate electronic copies with text in a colored font).To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question. 1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol part of the packet in the packet details window. What is the IP address of your computer? 2. Within the IP packet header, what is the value in the upper layer protocol field? 3. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain how you determined the number of payload bytes. 4. Has this IP datagram been fragmented? Explain how you determined whether or not the datagram has been fragmented.
  • 8. Next, sort the traced packets according to IP source address by clicking on the Source column header; a small downward pointing arrow should appear next to the word Source. If the arrow points up, click on the Source column header again. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol portion in the “details of selected packet header” window. In the “listing of captured packets” window, you should see all of the subsequent ICMP messages (perhaps with additional interspersed packets sent by other protocols running on your computer) below this first ICMP. Use the down arrow to move through the ICMP messages sent by your computer. 5. Which fields in the IP datagram always change from one datagram to the next within this series of ICMP messages sent by your computer? 6. Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why? 7. Describe the pattern you see in the values in the Identification field of the IP datagram Next (with the packets still sorted by source address) find the
  • 9. series of ICMP TTL- exceeded replies sent to your computer by the nearest (first hop) router. 8. What is the value in the Identification field and the TTL field? 9. Do these values remain unchanged for all of the ICMP TTL- exceeded replies sent to your computer by the nearest (first hop) router? Why? Fragmentation Sort the packet listing according to time again by clicking on the Time column. 10. Find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 2000. Has that message been fragmented across more than one IP datagram? [Note: if you find your packet has not been fragmented, you should download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the ip- ethereal-trace-1packet trace. If your computer has an Ethernet interface, a packet size of 2000 should cause fragmentation.3] 11. Print out the first fragment of the fragmented IP datagram. What information in the IP header indicates that the datagram been fragmented? What information in the IP header indicates whether this is the first fragment versus
  • 10. a latter fragment? How long is this IP datagram? 3 The packets in the ip-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark- traces.zip are all less that 1500 bytes. This is because the computer on which the trace was gathered has an Ethernet card that limits the length of the maximum IP packet to 1500 bytes (40 bytes of TCP/IP header data and 1460 bytes of upper-layer protocol payload). This 1500 byte value is the standard maximum length allowed by Ethernet. If your trace indicates a datagram longer 1500 bytes, and your computer is using an Ethernet connection, then Wireshark is reporting the wrong IP datagram length; it will likely also show only one large IP datagram rather than multiple smaller datagrams.. This inconsistency in reported lengths is due to the interaction between the Ethernet driver and the Wireshark software. We recommend that if you have this inconsistency, that you perform this lab using the ip-ethereal-trace-1 trace file. 12. Print out the second fragment of the fragmented IP datagram. What information in the IP header indicates that this is not the first datagram fragment? Are the more fragments? How can you tell? 13. What fields change in the IP header between the first and second fragment? Now find the first ICMP Echo Request message that was sent by your computer after you
  • 11. changed the Packet Size in pingplotter to be 3500. 14. How many fragments were created from the original datagram? 15. What fields change in the IP header among the fragments? Wireshark Lab: ICMP v6.0 Supplement to Computer Networking: A Top-Down Approach, 6th ed., J.F. Kurose and K.W. Ross “Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb © 2005-21012, J.F Kurose and K.W. Ross, All Rights Reserved In this lab, we’ll explore several aspects of the ICMP protocol: • ICMP messages generating by the Ping program; • ICMP messages generated by the Traceroute program; • the format and contents of an ICMP message.
  • 12. Before attacking this lab, you’re encouraged to review the ICMP material in section 4.4.3 of the text1. We present this lab in the context of the Microsoft Windows operating system. However, it is straightforward to translate the lab to a Unix or Linux environment. 1. ICMP and Ping Let’s begin our ICMP adventure by capturing the packets generated by the Ping program. You may recall that the Ping program is simple tool that allows anyone (for example, a network administrator) to verify if a host is live or not. The Ping program in the source host sends a packet to the target IP address; if the target is live, the Ping program in the target host responds by sending a packet back to the source host. As you might have guessed (given that this lab is about ICMP), both of these Ping packets are ICMP packets. Do the following2: 1 References to figures and sections are for the 6th edition of our text, Computer Networks, A Top-down Approach, 6th ed., J.F. Kurose and K.W. Ross, Addison- Wesley/Pearson, 2012. 2 If you are unable to run Wireshark live on a computer, you can download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ICMP-ethereal-trace-1. The traces in this zip file were collected by Wireshark running
  • 13. on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ICMP-ethereal-trace-1 trace file. You can then use this trace file to answer the questions below. • Let’s begin this adventure by opening the Windows Command Prompt application (which can be found in your Accessories folder). • Start up the Wireshark packet sniffer, and begin Wireshark packet capture. • The ping command is in c:windowssystem32, so type either “ping –n 10 hostname” or “c:windowssystem32ping –n 10 hostname” in the MS-DOS command line (without quotation marks), where hostname is a host on another continent. If you’re outside of Asia, you may want to enter www.ust.hk for the Web server at Hong Kong University of Science and Technology. The argument “-n 10” indicates that 10 ping messages should be sent. Then run the Ping program by typing return. • When the Ping program terminates, stop the packet capture in Wireshark. At the end of the experiment, your Command Prompt Window
  • 14. should look something like Figure 1. In this example, the source ping program is in Massachusetts and the destination Ping program is in Hong Kong. From this window we see that the source ping program sent 10 query packets and received 10 responses. Note also that for each response, the source calculates the round-trip time (RTT), which for the 10 packets is on average 375 msec. Figure 1 Command Prompt window after entering Ping command. Figure 2 provides a screenshot of the Wireshark output, after “icmp” has been entered into the filter display window. Note that the packet listing shows 20 packets: the 10 Ping queries sent by the source and the 10 Ping responses received by the source. Also note that the source’s IP address is a private address (behind a NAT) of the form 192.168/12; the destination’s IP address is that of the Web server at HKUST. Now let’s zoom in on the first packet (sent by the client); in the figure below, the packet contents area provides information about this packet. We see that the IP datagram within this packet has protocol number 01, which is the protocol number for ICMP. This means that the payload
  • 15. of the IP datagram is an ICMP packet. Figure 2 Wireshark output for Ping program with Internet Protocol expanded. Figure 3 focuses on the same ICMP but has expanded the ICMP protocol information in the packet contents window. Observe that this ICMP packet is of Type 8 and Code 0 - a so-called ICMP “echo request” packet. (See Figure 4.23 of text.) Also note that this ICMP packet contains a checksum, an identifier, and a sequence number. Figure 3 Wireshark capture of ping packet with ICMP packet expanded. What to Hand In: You should hand in a screen shot of the Command Prompt window similar to Figure 1 above. Whenever possible, when answering a question below, you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout3 to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of
  • 16. packet detail that you need to answer the question. You should answer the following questions: 3 What do we mean by “annotate”? If you hand in a paper copy, please highlight where in the printout you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what you ‘ve highlight. If you hand in an electronic copy, it would be great if you could also highlight and annotate. 1. What is the IP address of your host? What is the IP address of the destination host? 2. Why is it that an ICMP packet does not have source and destination port numbers? 3. Examine one of the ping request packets sent by your host. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields? 4. Examine the corresponding ping reply packet. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields?
  • 17. 2. ICMP and Traceroute Let’s now continue our ICMP adventure by capturing the packets generated by the Traceroute program. You may recall that the Traceroute program can be used to figure out the path a packet takes from source to destination. Traceroute is discussed in Section 1.4 and in Section 4.4 of the text. Traceroute is implemented in different ways in Unix/Linux/MacOS and in Windows. In Unix/Linux, the source sends a series of UDP packets to the target destination using an unlikely destination port number; in Windows, the source sends a series of ICMP packets to the target destination. For both operating systems, the program sends the first packet with TTL=1, the second packet with TTL=2, and so on. Recall that a router will decrement a packet’s TTL value as the packet passes through the router. When a packet arrives at a router with TTL=1, the router sends an ICMP error packet back to the source. In the following, we’ll use the native Windows tracert program. A shareware version of a much nice Windows Traceroute program is pingplotter (www.pingplotter.com). We’ll use pingplotter in our Wireshark IP lab since it provides additional functionality that we’ll need there.
  • 18. Do the following4: • Let’s begin by opening the Windows Command Prompt application (which can be found in your Accessories folder). • Start up the Wireshark packet sniffer, and begin Wireshark packet capture. • The tracert command is in c:windowssystem32, so type either “tracert hostname” or “c:windowssystem32tracert hostname” in the MS-DOS command line (without quotation marks), where hostname is a host on another continent. 4 If you are unable to run Wireshark live on a computer, you can download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ICMP-ethereal-trace-2. The traces in this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ICMP-ethereal-trace-2 trace file. You can then use this trace file to answer the questions below. (Note that on a Windows machine, the command is “tracert” and not “traceroute”.) If you’re outside of Europe, you may want to
  • 19. enter www.inria.fr for the Web server at INRIA, a computer science research institute in France. Then run the Traceroute program by typing return. • When the Traceroute program terminates, stop packet capture in Wireshark. At the end of the experiment, your Command Prompt Window should look something like Figure 4. In this figure, the client Traceroute program is in Massachusetts and the target destination is in France. From this figure we see that for each TTL value, the source program sends three probe packets. Traceroute displays the RTTs for each of the probe packets, as well as the IP address (and possibly the name) of the router that returned the ICMP TTL-exceeded message. Figure 4 Command Prompt window displays the results of the Traceroute program. Figure 5 displays the Wireshark window for an ICMP packet returned by a router. Note that this ICMP error packet contains many more fields than the Ping ICMP messages.
  • 20. Figure 5 Wireshark window of ICMP fields expanded for one ICMP error packet. What to Hand In: For this part of the lab, you should hand in a screen shot of the Command Prompt window. Whenever possible, when answering a question below, you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question. Answer the following questions: 5. What is the IP address of your host? What is the IP address of the target destination host? 6. If ICMP sent UDP packets instead (as in Unix/Linux), would the IP protocol number still be 01 for the probe packets? If not, what would it be? 7. Examine the ICMP echo packet in your screenshot. Is this different from the
  • 21. ICMP ping query packets in the first half of this lab? If yes, how so? 8. Examine the ICMP error packet in your screenshot. It has more fields than the ICMP echo packet. What is included in those fields? 9. Examine the last three ICMP packets received by the source host. How are these packets different from the ICMP error packets? Why are they different? 10. Within the tracert measurements, is there a link whose delay is significantly longer than others? Refer to the screenshot in Figure 4, is there a link whose delay is significantly longer than others? On the basis of the router names, can you guess the location of the two routers on the end of this link? 3. Extra Credit For one of the programming assignments you created a UDP client ping program. This ping program, unlike the standard ping program, sends UDP probe packets rather than ICMP probe packets. Use the client program to send a UDP packet with an unusual destination port number to some live host. At the same time, use Wireshark to capture any response from the target host. Provide aWireshark screenshot for the response as well as an analysis of the response.
  • 22. Wireshark Lab: Ethernet and ARP v6.01 Supplement to Computer Networking: A Top-Down Approach, 6th ed., J.F. Kurose and K.W. Ross “Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb © 2005-21012, J.F Kurose and K.W. Ross, All Rights Reserved In this lab, we’ll investigate the Ethernet protocol and the ARP protocol. Before beginning this lab, you’ll probably want to review sections 5.4.1 (link-layer addressing and ARP) and 5.4.2 (Ethernet) in the text1. RFC 826 (ftp://ftp.rfc-editor.org/in- notes/std/std37.txt) contains the gory details of the ARP protocol, which is used by an IP device to determine the IP address of a remote interface whose Ethernet address is known. 1. Capturing and analyzing Ethernet frames Let’s begin by capturing a set of Ethernet frames to study. Do the following2:
  • 23. • First, make sure your browser’s cache is empty. To do this under Mozilla Firefox V3, select Tools->Clear Recent History and check the box for Cache. For Internet Explorer, select Tools->Internet Options->Delete Files. Start up the Wireshark packet sniffer • Enter the following URL into your browser http://gaia.cs.umass.edu/wireshark-labs/HTTP-ethereal-lab- file3.html Your browser should display the rather lengthy US Bill of Rights. 1 References to figures and sections are for the 6th edition of our text, Computer Networks, A Top-down Approach, 6th ed., J.F. Kurose and K.W. Ross, Addison- Wesley/Pearson, 2012. 2 If you are unable to run Wireshark live on a computer, you can download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ethernet--ethereal-trace-1. The traces in this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ethernet-ethereal-trace-1 trace file. You can then use this trace file to answer the questions below.
  • 24. • Stop Wireshark packet capture. First, find the packet numbers (the leftmost column in the upper Wireshark window) of the HTTP GET message that was sent from your computer to gaia.cs.umass.edu, as well as the beginning of the HTTP response message sent to your computer by gaia.cs.umass.edu. You should see a screen that looks something like this (where packet 4 in the screen shot below contains the HTTP GET message) • Since this lab is about Ethernet and ARP, we’re not interested in IP or higher- layer protocols. So let’s change Wireshark’s “listing of captured packets” window so that it shows information only about protocols below IP. To have Wireshark do this, select Analyze->Enabled Protocols. Then uncheck the IP box and select OK. You should now see an Wireshark window that looks like: In order to answer the following questions, you’ll need to look into the packet details and packet contents windows (the middle and lower display windows in Wireshark). Select the Ethernet frame containing the HTTP GET message.
  • 25. (Recall that the HTTP GET message is carried inside of a TCP segment, which is carried inside of an IP datagram, which is carried inside of an Ethernet frame; reread section 1.5.2 in the text if you find this encapsulation a bit confusing). Expand the Ethernet II information in the packet details window. Note that the contents of the Ethernet frame (header as well as payload) are displayed in the packet contents window. Answer the following questions, based on the contents of the Ethernet frame containing the HTTP GET message. Whenever possible, when answering a question you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout3 to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question. 1. What is the 48-bit Ethernet address of your computer? 2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? [Note: this is an important question, and one that students sometimes get wrong. Re-read pages 468-469 in the text and
  • 26. make sure you understand the answer here.] 3. Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to? 4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET” appear in the Ethernet frame? Next, answer the following questions, based on the contents of the Ethernet frame containing the first byte of the HTTP response message. 5. What is the value of the Ethernet source address? Is this the address of your computer, or of gaia.cs.umass.edu (Hint: the answer is no). What device has this as its Ethernet address? 6. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer? 7. Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to? 8. How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e., the HTTP response code) appear in the Ethernet frame?
  • 27. 3 What do we mean by “annotate”? If you hand in a paper copy, please highlight where in the printout you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what you ‘ve highlight. If you hand in an electronic copy, it would be great if you could also highlight and annotate. 2. The Address Resolution Protocol In this section, we’ll observe the ARP protocol in action. We strongly recommend that you re-read section 5.4.1 in the text before proceeding. ARP Caching Recall that the ARP protocol typically maintains a cache of IP- to-Ethernet address translation pairs on your comnputer The arp command (in both MSDOS and Linux/Unix) is used to view and manipulate the contents of this cache. Since the arp command and the ARP protocol have the same name, it’s understandably easy to confuse them. But keep in mind that they are different - the arp command is used to view and manipulate the ARP cache contents, while the ARP protocol defines the format and meaning of the messages sent and received, and defines the actions taken on message transmission and receipt.
  • 28. Let’s take a look at the contents of the ARP cache on your computer: • MS-DOS. The arp command is in c:windowssystem32, so type either “arp” or “c:windowssystem32arp” in the MS-DOS command line (without quotation marks). • Linux/Unix/MacOS. The executable for the arp command can be in various places. Popular locations are /sbin/arp (for linux) and /usr/etc/arp (for some Unix variants). The Windows arp command with no arguments will display the contents of the ARP cache on your computer. Run the arp command. 9. Write down the contents of your computer’s ARP cache. What is the meaning of each column value? In order to observe your computer sending and receiving ARP messages, we’ll need to clear the ARP cache, since otherwise your computer is likely to find a needed IP-Ethernet address translation pair in its cache and consequently not need to send out an ARP message.
  • 29. • MS-DOS. The MS-DOS arp –d * command will clear your ARP cache. The –d flag indicates a deletion operation, and the * is the wildcard that says to delete all table entries. • Linux/Unix/MacOS. The arp –d * will clear your ARP cache. In order to run this command you’ll need root privileges. If you don’t have root privileges and can’t run Wireshark on a Windows machine, you can skip the trace collection part of this lab and just use the trace discussed in the earlier footnote. Observing ARP in action Do the following4: • Clear your ARP cache, as described above. • Next, make sure your browser’s cache is empty. To do this under Mozilla Firefox V3, select Tools->Clear Recent History and check the box for Cache. For Internet Explorer, select Tools->Internet Options->Delete Files. • Start up the Wireshark packet sniffer • Enter the following URL into your browser http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-lab-
  • 30. file3.html Your browser should again display the rather lengthy US Bill of Rights. • Stop Wireshark packet capture. Again, we’re not interested in IP or higher-layer protocols, so change Wireshark’s “listing of captured packets” window so that it shows information only about protocols below IP. To have Wireshark do this, select Analyze->Enabled Protocols. Then uncheck the IP box and select OK. You should now see an Wireshark window that looks like: 4 The ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip was created using the steps below (in particular after the ARP cache had been flushed). In the example above, the first two frames in the trace contain ARP messages (as does the 6th message). The screen shot above corresponds to the trace referenced in footnote 1. Answer the following questions: 10. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message?
  • 31. 11. Give the hexadecimal value for the two-byte Ethernet Frame type field. What upper layer protocol does this correspond to? 12. Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet- pages/arp.html. a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made? c) Does the ARP message contain the IP address of the sender? d) Where in the ARP request does the “question” appear – the Ethernet address of the machine whose corresponding IP address is being queried? 13. Now find the ARP reply that was sent in response to the ARP request. a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? b) What is the value of the opcode field within the ARP-payload part of the
  • 32. Ethernet frame in which an ARP response is made? c) Where in the ARP message does the “answer” to the earlier ARP request appear – the IP address of the machine having the Ethernet address whose corresponding IP address is being queried? 14. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message? 15. Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip. The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 – another ARP request. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace? Extra Credit EX-1. The arp command: arp -s InetAddr EtherAddr allows you to manually add an entry to the ARP cache that resolves the IP address
  • 33. InetAddr to the physical address EtherAddr. What would happen if, when you manually added an entry, you entered the correct IP address, but the wrong Ethernet address for that remote interface? EX-2. What is the default amount of time that an entry remains in your ARP cache before being removed. You can determine this empirically (by monitoring the cache contents) or by looking this up in your operation system documentation. Indicate how/where you determined this value.