Wireshark Lab: HTTP, DNS and ARP v7 solution Computer Networking: A Top-Down Approach, 7th ed., J.F. Kurose and K.W. Ross

1. Wireshark Lab HTTP, DNS, ARP v7
HTTP
1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running?
Answer: Both are HTTP 1.1
2. What languages (if any) does your browser indicate that it can accept to the server?
Answer: Accept-Language: en-us, en
3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?
Answer: My IP address is 192.168.1.102 and the server’s is 128.119.245.12
4. What is the status code returned from the server to your browser?
Answer: HTTP/1.1 200 OK (text/html)
5. When was the HTML file that you are retrieving last modified at the server?
Answer: Last-Modified: Thu, 07 Jun 2007 22:09:01 GMT
6. How many bytes of content are being returned to your browser?
Answer: Content-Length: 126
7. By inspecting the raw data in the packet content window, do you see any headers within the
data that are not displayed in the packet-listing window? If so, name one.
Answer: No all of the headers can be found in the raw data.
8. Inspect the contents of the first HTTP GET request from your browser to the server. Do you
see an “IF-MODIFIED-SINCE” line in the HTTP GET?
Answer: No

2. 9. Inspect the contents of the server response. Did the server explicitly return the contents of the
file? How can you tell?
Answer: Yes because we can see the contents in the Line-based text data field.
10. Now inspect the contents of the second HTTP GET request from your browser to the server.
Do you see an “IF-MODIFIED-SINCE:” line in the HTTP GET? If so, what information follows
the “IF-MODIFIED-SINCE:” header?
Answer: Yes. The information following is: Thu, 07 Jun 2007 16:29:01 GMT.
11. What is the HTTP status code and phrase returned from the server in response to this second
HTTP GET? Did the server explicitly return the contents of the file? Explain.
Answer: is HTTP/1.1 304 Not Modified. The server didn’t return the contents of the file since the
browser loaded it from its cache.
12. How many HTTP GET request messages were sent by your browser?
Answer: There was 1 HTTP GET request message sent by my browser as seen in the screenshot.
13. How many data-containing TCP segments were needed to carry the single HTTP response?
Answer: TCP segments containing 309, 1452, 1452, 1452 and 144 bytes respectively for a total
of 4500 bytes.
14. What is the status code and phrase associated with the response to the HTTP GET request?
Answer: 200 OK
15. Are there any HTTP status lines in the transmitted data associated with a TCP induced
“Continuation”?
Answer: No

3. 16. How many HTTP GET request messages were sent by your browser? To which Internet
addresses were these GET requests sent?
Answer: As you can see from the above screenshot there were 3 HTTP GET requests sent to the
following Internet addresses:
a. 128.119.245.12
b. 128.119.240.90
c. 165.193.123.218
17. Can you tell whether your browser downloaded the two images serially, or whether they were
downloaded from the two web sites in parallel? Explain.
Answer: By checking the TCP ports we can see if our files were downloaded serially or in parallel.
In this case the 2 images were transmitted over 2 TCP connections therefore they were
downloaded serially.
18. What is the server’s response (status code and phrase) in response to the initial HTTP GET
message from your browser?
Answer: Status code: 401, Phrase: Authorization Required
19. When your browser’s sends the HTTP GET message for the second time, what new field is
included in the HTTP GET message?
Answer: As seen in the screenshot the new field (highlighted) is Authorization.
Authorization: Basic d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=rn
DNS

4. 4. Locate the DNS query and response messages. Are then sent over UDP or TCP? ANSWER:
They are sent over UDP
5. What is the destination port for the DNS query message? What is the source port of DNS
response message?
ANSWER: The destination port for the DNS query is 53 and the source port of
the DNS response is 53.
6. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address
of your local DNS server. Are these two IP addresses the same?
ANSWER: It’s sent to 192.168.1.1,
7. Examine the DNS query message. What “Type” of DNS query is it? Does the query message
contain any “answers”?
ANSWER: It’s a type A Standard Query and it doesn’t contain any answers.
8. Examine the DNS response message. How many “answers” are provided? What do each of
these answers contain?
ANSWER: There were 2 answers containing information about the name of the host, the type of
address, class, the TTL, the data length and the IP address.
9. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address
of the SYN packet correspond to any of the IP addresses provided in the DNS response message?
ANSWER: The first SYN packet was sent to 209.173.57.180 which corresponds to the first IP
address provided in the DNS response message.
10. This web page contains images. Before retrieving each image, does your host issue new DNS
queries?

5. ANSWER: No
ARP
1. What is the 48-bit Ethernet address of your computer?
ANSWER: The Ethernet address of my computer is 00:09:5b:61:8e:6d
2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of
gaia.cs.umass.edu? What device has this as its Ethernet address?
ANSWER: The destination address 00:0c:41:45:90:a8 is not the Ethernet address of
gaia.cs.umass.edu. It is the address of my Linksys router.
3. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s) whose value
is 1 mean within the flag field?
ANSWER: The hex value for the Frame type field is 0x0800.
4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in
“GET” appear in the Ethernet frame?
ANSWER: The ASCII “G” appears 52 bytes from the start of the ethernet frame. There are 14 B
Ethernet frame, and then 20 bytes of IP header followed by 20 bytes of TCP header before the
HTTP data is encountered.
5. What is the hexadecimal value of the CRC field in this Ethernet frame?
ANSWER: The hex value for the CRC field is 0x 0d0a 0d0a.
6. What is the value of the Ethernet source address? Is this the address of your computer, or of
gaia.cs.umass.edu? What device has this as its Ethernet address?

6. ANSWER: The source address 00:0c:41:45:90:a8. Ethernet address of gaia.cs.umass.edu not the
address of my computer. It is the address of my Linksys router.
7. What is the destination address in the Ethernet frame? Is this the Ethernet address of your
computer?
ANSWER: The destination address 00:09:5b:61:8e:6d is the address of computer.
8. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s) whose value
is 1 mean within the flag field?
ANSWER: The hex value for the Frame type field is 0x0800.
9. How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e.,
the HTTP response code) appear in the Ethernet frame?
ANSWER: The ASCII “O” appears 52 bytes from the start of the ethernet frame.
10. What is the hexadecimal value of the CRC field in this Ethernet frame?
ANSWER: The hex value for the CRC field is 0x 0d0a 0d0a.
11. Write down the contents of your computer’s ARP cache. What is the meaning of each column
value?
ANSWER: The Internet Address column contains the IP address, the Physical Address column
contains the MAC address, and the type indicates the protocol type.
12. What are the hexadecimal values for the source and destination addresses in the Ethernet frame
containing the ARP request message?
ANSWER: The hex value for the source address is 00:d0:59:a9:3d:68. The hex value for the
destination address is ff:ff:ff:ff:ff:ff, the broadcast address.

7. 13. Give the hexadecimal value for the two-byte Ethernet Frame type field. What do the bit(s)
whose value is 1 mean within the flag field?
ANSWER: The hex value for the Ethernet Frame type field is 0x0806, for ARP.
14. Download the ARP specification from ftp://ftp.rfc-editor.org/innotes/std/std37.txt. A
readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-
pages/arp.html.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field
begin?
ANSWER: 20 bytes.
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in
which an ARP request is made?
ANSWER: ARP-payload of the request is 0x0001.
c) Does the ARP message contain the IP address of the sender?
ANSWER: Yes, the ARP message containing the IP address 192.168.1.105 for the sender.
d) Where in the ARP request does the “question” appear – the Ethernet address of the machine
whose corresponding IP address is being queried?
ANSWER:
15. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field
begin?
ANSWER: 20 bytes.

8. b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in
which an ARP response is made?
ANSWER: The ARP-payload of the request is 0x0002, for reply.
c) Where in the ARP message does the “answer” to the earlier ARP request appear – the IP address
of the machine having the Ethernet address whose corresponding IP address is being queried?
ANSWER:
16. What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP reply message?
ANSWER: The source address is 00:06:25:da:af:73 and for the destination is 00:d0:59:a9:3d:68.