Collaboration Policy: CP-1 (Use any online reference, but do not communicate with other students)

Name:

SI455 Advanced Networks 6-Week Exam (Part B) Spring AY2014
Write legibly - neatness counts

Instructions:
• Use vSphere to log into gertie
• Log into your personal workstation VM
• All of the following questions relate to messages being sent on your group’s network
• You may use any reference you can find on the Internet (including class notes) but you may not contact other students verbally or digitally until this exam is over
• Do NOT log into email or any other communications server
• All of these questions can be answered with the tools we have been using in class

There is a new machine on your group’s network that you did not build. It is using an IP address that you did not assign. All of these questions relate to this unknown machine. This machine is sending out a lot of traffic on the network. It is attempting to communicate with IP addresses 10.10.1.100-10.10.1.119 approximately every 45 seconds.

1. [5 pts] IP address. What is this unknown machine’s IP address?
   10.10.1.242

2. [5 pts] MAC address. What is the unknown machine’s MAC address?
   00:50:56:12:34:56

3. [5 pts] List two different commands you can use to determine the unknown machine’s MAC address. (Include the options required to display the MAC, if any.)
   tcpdump -e; arp

4. [5 pts] The unknown machine is sending ARP requests and UDP packets. To what port is it sending UDP packets? What service is that port most commonly used for?
   27030, Steam Client

5. [5 pts] What Layer-7 message is included in the UDP packet sent to this port number? (Give the ASCII text of the msg)
   NAME:usafa13 PASSWORD:zooming DATA:..

6. [5 pts] What are the 2 bytes (in hex) that are being transmitted after “DATA:”?
   0x19 0x91

Coming Soon: Starting next class, we are going to learn how to identify and block traffic like this

7. Extra credit: If you examine the list of UDP packets closely, you will notice that you can see packets addressed to several IP addresses other than yourself. This is highly unusual – when connected to a switch, you generally do not see messages that are addressed to other machines’ IP addresses.

   a. [+5 pts] Why is it that you can see these packets at all? Specifically, explain what technical mechanism allows it.
      They are being sent via the Layer-2 broadcast address ff:ff:ff:ff:ff:ff

   b. [+10 pts] Based on the pattern of UDP messages that you see, devise a plausible explanation as to what chain of events occurred that lets you see these packets. (Hint: first, figure out what is special about the IP addresses that you can see. Do they cover the entire 10.10.1.100 – 10.10.1.119 range?)
      The unknown server is sending the same UDP request to a range of IP addresses, without checking to see if they exist. Before the unknown machine can send the UDP message, it sends an ARP request. After not hearing an ARP reply, the machine sends its message via Layer-2 broadcast. By examining the ARP requests and UDP messages that you get, you should notice that there are several machines for which you do not get either message. nmap or ping will tell you that these are the only real machines in the block. So you can surmise that the unknown machine is trying to ARP for the non-existent machines, and is sending the UDP messages via Layer-2 broadcast only if they are not found. Since your machine is getting the UDP message directly (without the ARP), you can surmise that the same is happening to the other real machines. Since these messages are sent to all machines every 45 seconds, there is no reason for the sender to continually make ARP requests to known machines. (The ARP timeout defaults to 60 seconds.)
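The reasoning in 7b can be automated from a single workstation's point of view. The following is an added example, not part of the exam or its answer key: it takes a constructed list of frames (the fields one would read off `tcpdump -e`, not a real capture) and labels each address in the scanned block using the ARP-then-broadcast pattern. The observer address `MY_IP`, the sender address and the unicast MAC are assumptions; addresses for which the observer sees nothing at all are flagged as candidates to confirm with nmap or ping.

```python
from ipaddress import IPv4Address

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
SENDER_IP = "10.10.1.242"   # from the exam answer key
MY_IP = "10.10.1.105"       # assumption: the observing workstation's own address

# Constructed sample frames as a workstation would see them (not a real capture).
# Each entry: frame type, destination MAC, source IP, destination IP, UDP port.
PACKETS = [
    {"kind": "arp", "dst_mac": BROADCAST_MAC, "src_ip": SENDER_IP, "dst_ip": "10.10.1.101"},
    {"kind": "udp", "dst_mac": BROADCAST_MAC, "src_ip": SENDER_IP, "dst_ip": "10.10.1.101", "dport": 27030},
    {"kind": "arp", "dst_mac": BROADCAST_MAC, "src_ip": SENDER_IP, "dst_ip": "10.10.1.102"},
    {"kind": "udp", "dst_mac": BROADCAST_MAC, "src_ip": SENDER_IP, "dst_ip": "10.10.1.102", "dport": 27030},
    # Delivered to us directly: unicast MAC (assumed value), no ARP request preceded it.
    {"kind": "udp", "dst_mac": "00:0c:29:aa:bb:cc", "src_ip": SENDER_IP, "dst_ip": MY_IP, "dport": 27030},
]


def classify_range(packets, first, last, sender_ip):
    """Label every address in [first, last] from what one observer can see.

    Pattern from the exam: the sender ARPs for each target; with no reply it
    falls back to sending the UDP message to the L2 broadcast MAC, which is
    why the observer sees traffic for addresses that are not its own.
    """
    arp_for, bcast_udp_for, unicast_udp_for = set(), set(), set()
    for p in packets:
        if p["src_ip"] != sender_ip:
            continue
        if p["kind"] == "arp":
            arp_for.add(p["dst_ip"])
        elif p["kind"] == "udp":
            target = bcast_udp_for if p["dst_mac"] == BROADCAST_MAC else unicast_udp_for
            target.add(p["dst_ip"])

    labels = {}
    for n in range(int(IPv4Address(first)), int(IPv4Address(last)) + 1):
        ip = str(IPv4Address(n))
        if ip in arp_for and ip in bcast_udp_for:
            labels[ip] = "no host: ARP unanswered, UDP fell back to L2 broadcast"
        elif ip in unicast_udp_for:
            labels[ip] = "real host: UDP delivered unicast to this machine"
        elif ip in arp_for:
            labels[ip] = "ARP seen, no UDP yet"
        else:
            # Neither frame reached us: unicast traffic to another real host is
            # invisible on a switch, so verify these with nmap or ping.
            labels[ip] = "probably a real host: verify with nmap/ping"
    return labels
```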