
2011
Vietnamese-German University
Nguyen Dinh Thong
[COMPUTER NETWORKING]
Table of Contents
Exercises
  Chapter 01: Introduction
  Chapter 02: Application Layer
    Problem 1
    Problem 2
    Problem 3
    Problem 4
    Problem 5
    Problem 6
  Chapter 3: Transport Layer
  Chapter 4: Network Layer
  Chapter 5: Link Layer
Wireshark Labs
  Wireshark HTTP
  Wireshark DNS
  Wireshark UDP
  Wireshark TCP
  Wireshark IP
  Wireshark ICMP
  Wireshark DHCP
  Wireshark EthernetARP
Exercises
Chapter 01: Introduction
1. Design and describe an application-level protocol to be used between an Automatic Teller Machine,
and a bank's centralized computer. Your protocol should allow a user's card and password to be verified,
the account balance (which is maintained at the centralized computer) to be queried, and an account
withdrawal (i.e., when money is given to the user) to be made. Your protocol entities should be able to
handle the all-too-common case in which there is not enough money in the account to cover the
withdrawal. Specify your protocol by listing the messages exchanged, and the action taken by the
Automatic Teller Machine or the bank's centralized computer on transmission and receipt of messages.
Sketch the operation of your protocol for the case of a simple withdrawal with no errors, using some
form of sequence diagram. Explicitly state the assumptions made by your protocol about the underlying
end-to-end transport service.
2. This elementary problem begins to explore propagation delay and transmission delay, two central
concepts in data networking. Consider two hosts, Hosts A and B, connected by a single link of rate R
bps. Suppose that the two hosts are separated by m meters, and suppose the propagation speed along
the link is s meters/sec. Host A is to send a packet of size L bits to Host B.
a. Express the propagation delay, d_prop, in terms of m and s.
b. Determine the transmission time of the packet, d_trans, in terms of L and R.
c. Ignoring processing and queueing delays, obtain an expression for the end-to-end delay.
d. Suppose Host A begins to transmit the packet at time t=0. At time t=d_trans, where is the last
bit of the packet?
e. Suppose d_prop is greater than d_trans. At time t=d_trans, where is the first bit of the packet?
f. Suppose d_prop is less than d_trans. At time t=d_trans, where is the first bit of the packet?
g. Suppose s = 2.5 x 10^8 m/s, L = 100 bits and R = 28 kbps. Find the distance m so that d_prop equals
d_trans.
3. Consider an application that transmits data at a steady rate (e.g., the sender generates one packet of
N bits every k time units, where k is small and fixed). Also, when such an application starts, it will stay on
for a relatively long period of time.
a. Would a packet-switched network or a circuit-switched network be more appropriate for this
application? Why?
b. Suppose that a packet-switched network is used and the only traffic in this network comes
from such applications as described above. Furthermore, assume that the sum of the application
data rates is less than the capacity of each and every link. Is some form of congestion control
needed? Why or why not?
4. Consider the queueing delay in a router buffer (preceding an outbound link). Suppose all packets are L
bits, the transmission rate is R bps and that N packets arrive to the buffer every LN/R seconds. Find the
average queueing delay of a packet.
5. Suppose two hosts, A and B, are separated by 10,000 km and are connected by a direct link of R = 1 Mbps.
Suppose the propagation speed over the link is 2.5 x 10^8 m/s.
a. Calculate the bandwidth-delay product.
b. Consider sending a file of 400,000 bits from host A to host B. Suppose the file is
sent continuously as one big message. What is the maximum number of bits that
will be in the link at any given time?
c. Provide an interpretation of the bandwidth-delay product.
d. What is the width (in meters) of a bit in the link?
Chapter 02: Application Layer
1. Two HTTP request methods are GET and POST. Are there any other methods in HTTP/1.0 or in
HTTP/1.1? If yes, what are these methods used for?
2. Within the web browser, a link is clicked to obtain a web page. Suppose that a DNS look-up is
necessary to obtain the IP address, because the IP address for the associated URL is not cached. Suppose
that n DNS servers are visited before your host receives the IP address from DNS; the successive visits
incur an RTT of RTT1, …, RTTn. Further suppose that the Web page associated with the link contains
exactly one object, consisting of a small amount of HTML text. Let RTT0 denote the RTT between the
local host and the server containing the object. Assuming zero transmission time of the object, how
much time elapses from when the client clicks on the link until the client receives the object? (Adapted
from the chapter problems in Kurose and Ross.)
3. Referring to question (2), suppose the page contains three very small objects. Neglecting transmission
times, how much time elapses with (a) nonpersistent HTTP with no parallel TCP connections, (b)
nonpersistent HTTP with parallel connections, (c) persistent HTTP with pipelining?
4. What are the well-known port numbers for FTP (File Transfer Protocol), TFTP (Trivial File Transfer
Protocol) and NTP (Network Time Protocol)? Visit http://www.iana.org for an answer. Give a second
source to obtain an answer to the question.
5. Consider an e-commerce site that wants to keep a purchase record for each of its customers. Describe
how this can be done with cookies.
6. Is it possible that an organization's Web server and mail server have exactly the same alias for a
hostname (e.g., foo.com)? What would be the "type" for the RR that contains the hostname of the mail
server?
Problem 1:
Besides GET and POST, HTTP defines several other methods. HTTP/1.0 (RFC 1945) specifies HEAD;
HTTP/1.1 (RFC 2616) adds OPTIONS, PUT, DELETE, TRACE and CONNECT:
HEAD: asks the server to return only the headers, leaving the requested object out of the response.
PUT: uploads the file in the entity body to the path specified in the URL field.
DELETE: deletes the file specified in the URL field.
OPTIONS: asks which methods the server supports for a resource.
TRACE: asks the server to echo the received request back to the client.
CONNECT: asks a proxy to open a tunnel to the named host and port.
Because PUT and DELETE modify server content, production servers normally disable them or restrict
them to authenticated clients; TRACE is usually disabled as well.
Problem 2:
- Total time to obtain the IP address from DNS: RTT1 + RTT2 + … + RTTn.
- Time to fetch the object once the address is known: one RTT0 for the TCP handshake (SYN, SYN-ACK;
the HTTP request rides on the final ACK) plus one RTT0 for the HTTP request and response, i.e.
2·RTT0 plus the transmission time of the object.
- The transmission time of the object is assumed to be zero. Therefore, the time that elapses from when
the client clicks on the link until the client receives the object is:
2·RTT0 + RTT1 + RTT2 + … + RTTn
Problem 3:
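The following is an added worked example (not part of the original homework) that turns the reasoning of Problems 2 and 3 into a small latency model: DNS lookups, one RTT for the TCP handshake, one RTT for the base page, and then the per-object cost of the four HTTP connection styles. All RTT values and object counts are constructed inputs, transmission time is taken as zero as the problems require, and the mode names are this example's own.

```python
"""Page-retrieval latency for the HTTP connection styles in Problems 2 and 3.

Every input is constructed; RTTs are in milliseconds and the transmission time
of each object is assumed to be zero, as the problems state.
"""
import math


def dns_resolution_time(dns_rtts):
    """Time to learn the server's IP address: the n DNS servers are visited in turn."""
    return sum(dns_rtts)


def page_load_time(dns_rtts, rtt0, n_objects=0, mode="nonpersistent", max_parallel=None):
    """Elapsed time from the click until the last object has arrived.

    dns_rtts     -- RTT1..RTTn of the successive DNS servers
    rtt0         -- RTT between the client and the Web server
    n_objects    -- embedded objects referenced by the base HTML page
    mode         -- 'nonpersistent', 'nonpersistent_parallel', 'persistent'
                    or 'persistent_pipelined'
    max_parallel -- cap on simultaneous connections (nonpersistent_parallel only);
                    None means one connection per object
    """
    # DNS, then one RTT for the TCP handshake and one for the base HTML request/response.
    total = dns_resolution_time(dns_rtts) + 2 * rtt0
    if n_objects == 0:
        return total
    if mode == "nonpersistent":
        # each object needs a fresh handshake plus its own request/response
        total += n_objects * 2 * rtt0
    elif mode == "nonpersistent_parallel":
        # objects are fetched in batches of max_parallel simultaneous connections
        batches = 1 if max_parallel is None else math.ceil(n_objects / max_parallel)
        total += batches * 2 * rtt0
    elif mode == "persistent":
        # the connection stays open; each object still costs one request/response RTT
        total += n_objects * rtt0
    elif mode == "persistent_pipelined":
        # all requests go out back to back; one RTT covers every object
        total += rtt0
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    return total


if __name__ == "__main__":
    # constructed scenario: three DNS servers, 50 ms to the Web server, three objects
    for m in ("nonpersistent", "nonpersistent_parallel", "persistent", "persistent_pipelined"):
        print(m, page_load_time([10, 20, 30], 50, n_objects=3, mode=m), "ms")
```

With the constructed values the base page alone costs 60 + 2·50 = 160 ms; the three extra objects then add 300 ms (nonpersistent, serial), 100 ms (nonpersistent, parallel), 150 ms (persistent) or 50 ms (persistent with pipelining).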
Problem 4:
- The well-known port numbers are:
o FTP: 21 (control connection)
o TFTP: 69 (UDP)
o NTP: 123 (UDP)
- Second source for the list of TCP and UDP port numbers:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Problem 5:
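As an added example (not the author's answer), the following Python code sketches the cookie mechanism Problem 5 asks about. The cookie carries only a random identifier; the purchase record stays in a server-side table keyed by that identifier, so a customer cannot alter the record by editing the cookie and cannot guess another customer's identifier. The cookie name "customer", the PurchaseStore class and the request flow are this example's own choices; it uses only the Python standard library (http.cookies, secrets).

```python
"""Per-customer purchase records with a cookie that carries only an opaque identifier.

Names (the 'customer' cookie, PurchaseStore) are choices made for this example.
"""
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "customer"


class PurchaseStore:
    """Server-side table: cookie identifier -> list of purchases."""

    def __init__(self):
        self._records = {}

    def new_customer(self):
        # 256 bits from the OS CSPRNG: another customer's id cannot be guessed
        cid = secrets.token_urlsafe(32)
        self._records[cid] = []
        return cid

    def is_known(self, cid):
        return cid in self._records

    def record_purchase(self, cid, item):
        if cid not in self._records:
            raise KeyError("unknown customer identifier")
        self._records[cid].append(item)

    def purchases(self, cid):
        return list(self._records.get(cid, []))


def set_cookie_header(cid):
    """Build the Set-Cookie response header that hands the identifier to the browser."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = cid
    jar[COOKIE_NAME]["httponly"] = True    # not readable by page scripts
    jar[COOKIE_NAME]["secure"] = True      # only sent over HTTPS
    jar[COOKIE_NAME]["samesite"] = "Lax"   # not attached to cross-site POSTs
    jar[COOKIE_NAME]["path"] = "/"
    return jar.output()


def customer_from_request(cookie_header):
    """Parse the browser's Cookie header; return the identifier or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def handle_request(store, cookie_header, purchase=None):
    """Serve one request: identify (or create) the customer, record an optional purchase.

    Returns (customer_id, set_cookie_header_or_None).
    """
    cid = customer_from_request(cookie_header)
    set_cookie = None
    if cid is None or not store.is_known(cid):
        # first visit, or a forged/expired id: issue a fresh one rather than trusting it
        cid = store.new_customer()
        set_cookie = set_cookie_header(cid)
    if purchase is not None:
        store.record_purchase(cid, purchase)
    return cid, set_cookie


if __name__ == "__main__":
    store = PurchaseStore()
    cid, hdr = handle_request(store, None)            # first visit: cookie is set
    print(hdr)
    handle_request(store, f"{COOKIE_NAME}={cid}", purchase="textbook")
    print(store.purchases(cid))
```

The first response carries Set-Cookie with HttpOnly, Secure and SameSite attributes; every later request from the same browser carries Cookie: customer=..., which the server maps back to the purchase list. An identifier the server has never issued is simply replaced, so forging one yields an empty record rather than someone else's.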
Problem 6:
- Yes, it is possible. The same alias (e.g. foo.com) can point to the Web server through an A (or CNAME)
record and to the mail server through an MX record.
- The RR that contains the hostname of the mail server has Type MX. Example: foo.com MX mail.foo.com.
Chapter 3: Transport Layer
1. Consider transferring an enormous file of L bytes from host A to host B. Assume an MSS of 1460
bytes.
a. What is the maximum length of L such that TCP sequence numbers are not exhausted? Recall
that the TCP sequence number field has four bytes.
b. For the L you obtain in (a), find how long it takes to transmit the file. Assume that a total of 66
bytes of transport, network and data-link header are added to each segment before the
resulting packet is sent out over a 10 Mbps link. Ignore flow control and congestion control, so A
can pump out the segments back-to-back and continuously.
2. Consider the following plot of TCP window size as a function of time.
Assuming TCP Reno is the protocol experiencing the behavior shown above, answer the
following questions. In all cases, you should provide a short discussion justifying your answer.
a. Identify the intervals of time when TCP slow start is operating.
b. Identify the intervals of time when TCP congestion avoidance is operating.
c. After the 16th transmission round, is segment loss detected by a triple duplicate ACK or by a
timeout?
d. After the 22nd transmission round, is segment loss detected by a triple duplicate ACK or by a
timeout?
e. What is the initial value of Threshold at the first transmission round?
f. What is the value of Threshold at the 18th transmission round?
g. What is the value of Threshold at the 24th transmission round?
h. During what transmission round is the 7th segment sent?
i. Assuming a packet loss is detected after the 26th round by the receipt of a triple duplicate
ACK, what will be the values of the congestion window size and of Threshold?
3. Consider sending an object of size O=100 Kbytes from server to client. Let S=536 bytes and RTT=100
msec. Suppose the transport protocol uses static windows with window size W.
a. For a transmission rate of 28 kbps, determine the minimum possible latency. Determine the
minimum window size that achieves this latency.
b. Repeat a) for 1 Mbps.
Chapter 4: Network Layer
1. What is the 32 Bit binary equivalent of the IP address 223.1.3.27?
2. Suppose an application generates 40-byte chunks of data every 20 msec, and each chunk
is encapsulated in a TCP segment and then in an IP datagram. What percentage of each
datagram will be overhead and what percentage will be application data?
3. Consider sending a 3000 byte datagram into a link that has a MTU of 500 bytes. Suppose the
original datagram is stamped with the identification number 422. How many fragments are
generated? What are their characteristics?
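Added worked example (not part of the original homework): the fragmentation arithmetic of Problem 3 as code, plus a reassembly check of the kind a receiving host or firewall should apply. The inputs are the problem's own numbers (3000-byte datagram, 500-byte MTU, identification 422); the dict field names are this example's choices, and a 20-byte IPv4 header without options is assumed.

```python
"""IPv4 fragmentation for a given MTU, and a gap/overlap-checking reassembly.

Assumes a 20-byte IPv4 header with no options; field names are this example's own.
"""
IPV4_HEADER_LEN = 20


def fragment(total_len, mtu, ident, header_len=IPV4_HEADER_LEN):
    """Split one datagram (header included in total_len) for a link with the given MTU.

    Returns one dict per fragment with the fields the IP header actually carries:
    id, length (header + data), offset in 8-byte units, and the MF flag.
    """
    data_len = total_len - header_len
    # every fragment except the last must carry a multiple of 8 data bytes
    max_data = (mtu - header_len) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small for an IPv4 header plus data")
    fragments, sent = [], 0
    while sent < data_len:
        chunk = min(max_data, data_len - sent)
        fragments.append({
            "id": ident,
            "length": header_len + chunk,
            "offset": sent // 8,
            "mf": sent + chunk < data_len,
        })
        sent += chunk
    return fragments


def reassemble(fragments, header_len=IPV4_HEADER_LEN):
    """Return the reassembled data length, or raise if fragments are missing or overlap.

    Hosts that accept overlapping fragments have been tricked into reassembling a
    different datagram than the one a firewall inspected, so overlaps are rejected
    instead of silently favouring one copy.
    """
    ordered = sorted(fragments, key=lambda f: f["offset"])
    expected = 0
    for f in ordered:
        start = f["offset"] * 8
        if start != expected:
            raise ValueError(f"gap or overlap at byte {start}, expected {expected}")
        expected = start + (f["length"] - header_len)
    if not ordered or ordered[-1]["mf"]:
        raise ValueError("final fragment (MF=0) is missing")
    return expected


if __name__ == "__main__":
    for f in fragment(3000, 500, 422):
        print(f)
    print("reassembled data bytes:", reassemble(fragment(3000, 500, 422)))
```

For the problem's values this yields seven fragments: six of 500 bytes (480 data bytes each, offsets 0, 60, ..., 300, MF set) and a last one of 120 bytes at offset 360 with MF clear, all carrying identification 422.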
4. Consider the topology shown in Figure 1. Denote the three subnets with hosts (starting
clockwise at 12:00) as Networks A, B, and C. Denote the subnets without hosts as Networks D, E,
and F.
a. Assign network addresses to each of these six subnets, with the following constraints:
All addresses must be allocated from 214.97.254/17; Subnet A should have enough
addresses to support 250 interfaces; Subnet B should have enough addresses to support
120 interfaces; and Subnet C should have enough addresses to support 120 interfaces.
Of course, subnets D, E and F should each be able to support two interfaces. For each
subnet, the assignment should take
the form a.b.c.d/x or a.b.c.d/x – e.f.g.h/y.
b. Using your answer to part (a), provide the forwarding tables (using longest prefix
matching) for each of the three routers.
5. Compare and contrast the IPv4 and the IPv6 header fields. Do they have any fields in
common?
6. Consider a datagram network using 8-Bit host addresses. Suppose a router uses longest
prefix matching and has the following forwarding table:
Prefix match          Interface
1                     0
11                    1
111                   2
Otherwise (default)   3
For each of the four interfaces, give the associated range of destination host addresses and the
number of addresses in the range.
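Added worked example (not part of the original homework) for Problem 6: a longest-prefix-match lookup over the table above, read as prefix "1" to interface 0, "11" to interface 1, "111" to interface 2, default to interface 3, together with the address range each interface ends up serving. The address width is a parameter; 8 bits here, but the lookup works unchanged for 32-bit prefixes. The table reading and function names are this example's own.

```python
"""Longest-prefix matching over a small forwarding table, and the resulting address ranges.

TABLE is Problem 6's table read as (binary prefix, interface); the 8-bit width
is a parameter so the same lookup works for 32-bit IPv4 prefixes.
"""
TABLE = [("1", 0), ("11", 1), ("111", 2)]
DEFAULT_IFACE = 3
ADDR_BITS = 8


def lookup(addr, table=TABLE, default=DEFAULT_IFACE, bits=ADDR_BITS):
    """Return the interface whose prefix is the longest match for the integer addr."""
    a = format(addr, f"0{bits}b")
    best_prefix, best_iface = "", default
    for prefix, iface in table:
        # a longer matching prefix always wins, regardless of table order
        if a.startswith(prefix) and len(prefix) > len(best_prefix):
            best_prefix, best_iface = prefix, iface
    return best_iface


def interface_ranges(table=TABLE, default=DEFAULT_IFACE, bits=ADDR_BITS):
    """Map each interface to the contiguous (low, high) address ranges it serves.

    Classifies every address in the space, which is fine for 8 bits; for real
    32-bit tables the ranges would be derived from the prefixes instead.
    """
    ranges = {}
    run_iface, run_start = None, 0
    for addr in range(2 ** bits + 1):
        iface = lookup(addr, table, default, bits) if addr < 2 ** bits else None
        if iface != run_iface:
            if run_iface is not None:
                ranges.setdefault(run_iface, []).append((run_start, addr - 1))
            run_iface, run_start = iface, addr
    return ranges


def range_sizes(ranges):
    """Number of addresses each interface handles."""
    return {iface: sum(hi - lo + 1 for lo, hi in rs) for iface, rs in ranges.items()}


if __name__ == "__main__":
    r = interface_ranges()
    for iface in sorted(r):
        print(f"interface {iface}: {r[iface]}  ({range_sizes(r)[iface]} addresses)")
```

With this table, interface 0 receives 128 to 191 (64 addresses), interface 1 receives 192 to 223 (32), interface 2 receives 224 to 255 (32) and the default interface 3 receives 0 to 127 (128). A more specific prefix nested inside a shorter one splits the shorter prefix's range into two pieces, which is why the function returns a list of ranges per interface.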
Chapter 5: Link Layer
1. Consider three LANs interconnected by two routers, as shown in the diagram below.
a. Redraw the diagram to include adapters.
b. Assign IP addresses to all of the interfaces. For LAN 1 use addresses of the form
111.111.111.xxx; for LAN 2 use addresses of the form 122.222.222.xxx; and for LAN 3 use
addresses of the form 133.333.333.xxx.
c. Assign MAC addresses to all of the adapters.
d. Consider sending an IP datagram from host A to host F. Suppose all the ARP tables are up-to-date.
Enumerate all the steps as done for the single-router example in the lectures.
e. Repeat (d), now assuming that the ARP table in the sending host is empty (and the
other tables are up-to-date).
2. Suppose nodes A and B are on the same 10 Mbps Ethernet segment, and the propagation delay
between the two nodes is 225 bit times. Suppose node A begins transmitting a frame, and before it
finishes station B begins transmitting a frame. Can A finish transmitting before it detects that B has
transmitted? Why or why not? If the answer is yes, then A incorrectly believes that its frame was
successfully transmitted without a collision. Hint: Suppose at time t=0 bit times, A begins transmitting a
frame. In the worst case, A transmits a minimum size frame of 512+64 bit times. So A would finish
transmitting the frame at t=512+64 bit times. Thus the answer is no if B's signal reaches A before bit
time t=512+64 bits. In the worst case, when does B's signal reach A?
3. Suppose nodes A and B are on the same 10 Mbps Ethernet segment, and the propagation delay
between the two nodes is 225 bit times. Suppose A and B send frames at the same time, the frames
collide, and then A and B choose different values of K in the CSMA/CD algorithm. Assuming no other
nodes are active, can the retransmissions from A and B collide? For our purposes, it suffices to work out
the following example. Suppose A and B begin transmission at t=0 bit times. They both detect collisions
at t=225 bit times. They finish transmitting jam signal at t= 225+48= 273 bit times. Suppose KA=0 and
KB=1. At what time does B schedule its retransmission? At what time does A begin transmission? (Note,
the nodes must wait for an idle channel after returning to Step 2-- see protocol.) At what time does A's
signal reach B? Does B refrain from transmitting at its scheduled time?
Wireshark Labs
Wireshark HTTP
1. The Basic HTTP GET/response interaction
1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running?
Answer:
- My browser's version: HTTP 1.1
- Version of HTTP the server is running:
2. What languages (if any) does your browser indicate that it can accept to the server?
Answer:
Accept-Language: vi-vn,vi;q=0.8,en-us;q=0.5,en;q=0.3\r\n
=> The browser tells the server that it accepts Vietnamese (vi-vn, vi) and English (en-us, en); the q
values rank Vietnamese above English.
3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?
Answer:
-IP address of my computer: 192.168.1.177
-IP address of the gaia.cs.umass.edu server: 128.119.245.12
4. What is the status code returned from the server to your browser?
Answer:
- Status code: 304 – Not modified.
5. When was the HTML file that you are retrieving last modified at the server?
6. How many bytes of content are being returned to your browser?
7. By inspecting the raw data in the packet content window, do you see any headers within the data
that are not displayed in the packet-listing window? If so, name one.
2. The HTTP CONDITIONAL GET/response interaction
8. Inspect the contents of the first HTTP GET request from your browser to the server. Do you see an
“IF-MODIFIED-SINCE:” line in the HTTP GET?
9. Inspect the contents of the server response. Did the server explicitly return the contents of the file?
How can you tell?
10. Now inspect the contents of the second HTTP GET request from your browser to the server. Do you
see an “IF-MODIFIED-SINCE:” line in the HTTP GET? If so, what information follows the
“IF-MODIFIED-SINCE:” header?
11. What is the HTTP status code and phrase returned from the server in response to this second HTTP
GET? Did the server explicitly return the contents of the file? Explain.
3. Retrieving Long Documents
12. How many HTTP GET request messages were sent by your browser?
13. How many data-containing TCP segments were needed to carry the single HTTP response?
14. What is the status code and phrase associated with the response to the HTTP GET request?
15. Are there any HTTP status lines in the transmitted data associated with a TCP-induced
“Continuation”?
4. HTML Documents with Embedded Objects
16. How many HTTP GET request messages were sent by your browser? To which Internet addresses
were these GET requests sent?
17. Can you tell whether your browser downloaded the two images serially, or whether they were
downloaded from the two web sites in parallel? Explain.
5. HTTP Authentication
18. What is the server’s response (status code and phrase) in response to the initial HTTP GET message
from your browser?
19. When your browser sends the HTTP GET message for the second time, what new field is included in
the HTTP GET message?
Wireshark DNS
1. nslookup
1. Run nslookup to obtain the IP address of a Web server in Asia.
2. Run nslookup to determine the authoritative DNS servers for a university in Europe.
3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers
for Yahoo! mail.
2. ipconfig
-No question.
3. Tracing DNS with Wireshark
4. Locate the DNS query and response messages. Are they sent over UDP or TCP?
5. What is the destination port for the DNS query message? What is the source port of DNS response
message?
6. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your
local DNS server. Are these two IP addresses the same?
7. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain
any “answers”?
8. Examine the DNS response message. How many “answers” are provided? What do each of these
answers contain?
9. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the
SYN packet correspond to any of the IP addresses provided in the DNS response message?
10. This web page contains images. Before retrieving each image, does your host issue new DNS
queries?
11. What is the destination port for the DNS query message? What is the source port of DNS response
message?
12. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS
server?
13. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain
any “answers”?
14. Examine the DNS response message. How many “answers” are provided? What do each of these
answers contain?
15. Provide a screenshot.
16. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS
server?
17. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain
any “answers”?
18. Examine the DNS response message. What MIT nameservers does the response message provide?
Does this response message also provide the IP addresses of the MIT nameservers?
19. Provide a screenshot.
20. To what IP address is the DNS query message sent? Is this the IP address of your
default local DNS server? If not, what does the IP address correspond to?
21. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain
any “answers”?
22. Examine the DNS response message. How many “answers” are provided? What does each of these
answers contain?
23. Provide a screenshot.
Wireshark UDP
1. Select one packet. From this packet, determine how many fields there are in the UDP header. (Do not
look in the textbook! Answer these questions directly from what you observe in the packet trace.) Name
these fields.
2. From the packet content field, determine the length (in bytes) of each of the UDP header fields.
3. The value in the Length field is the length of what? Verify your claim with your captured UDP packet.
4. What is the maximum number of bytes that can be included in a UDP payload?
5. What is the largest possible source port number?
6. What is the protocol number for UDP? Give your answer in both hexadecimal and decimal notation.
(To answer this question, you’ll need to look into the IP header.)
7. Search “UDP” in Google and determine the fields over which the UDP checksum is calculated.
8. Examine a pair of UDP packets in which the first packet is sent by your host and the second packet is
a reply to the first packet. Describe the relationship between the port numbers in the two packets.
Extra Credit
1. Capture a small UDP packet. Manually verify the checksum in this packet. Show all work and explain
all steps.
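Added worked example (not part of the original lab) for question 7 and the extra-credit exercise: the UDP checksum computed and verified over a constructed IPv4/UDP packet. The algorithm is the one in RFC 768 and RFC 1071 (one's-complement sum of 16-bit words over the pseudo-header, the UDP header with a zeroed checksum field, and the payload); the addresses 192.168.1.177 and 192.168.1.1, the ports and the payload are made up for the example.

```python
"""Compute and verify the UDP checksum (RFC 768 / RFC 1071) over a constructed packet.

The sample addresses, ports and payload are made up for this example.
"""
import struct


def ones_complement_sum(data):
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"      # an odd trailing byte is padded with zero for the sum only
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip, dst_ip, udp_header, payload):
    """Checksum over pseudo-header + UDP header (checksum field taken as zero) + payload.

    The pseudo-header (source IP, destination IP, zero byte, protocol 17, UDP length)
    is why the checksum also fails when a datagram is delivered to the wrong host.
    """
    udp_len = len(udp_header) + len(payload)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)
    header = udp_header[:6] + b"\x00\x00"
    result = 0xFFFF ^ ones_complement_sum(pseudo + header + payload)
    return result or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def verify_udp_checksum(src_ip, dst_ip, segment):
    """True if the stored checksum matches (or is 0, meaning the IPv4 sender disabled it)."""
    header, payload = segment[:8], segment[8:]
    stored = struct.unpack("!H", header[6:8])[0]
    if stored == 0:
        return True
    return udp_checksum(src_ip, dst_ip, header, payload) == stored


def build_sample_segment():
    """Constructed packet: 192.168.1.177:50000 -> 192.168.1.1:53 carrying b'hello'."""
    src_ip = bytes([192, 168, 1, 177])
    dst_ip = bytes([192, 168, 1, 1])
    payload = b"hello"
    header = struct.pack("!HHHH", 50000, 53, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header, payload)
    segment = header[:6] + struct.pack("!H", csum) + payload
    return src_ip, dst_ip, segment


if __name__ == "__main__":
    src, dst, seg = build_sample_segment()
    print("checksum: 0x%04x" % int.from_bytes(seg[6:8], "big"))
    print("valid:", verify_udp_checksum(src, dst, seg))
    print("valid after flipping a payload byte:", verify_udp_checksum(src, dst, seg[:8] + b"hellp"))
```

Working the sample by hand: the 16-bit words are c0a8 01b1 c0a8 0101 0011 000d (pseudo-header), c350 0035 000d 0000 (UDP header) and 6865 6c6c 6f00 (payload, padded). Their sum is 0x38B83; folding the carry gives 0x8B86 and the complement is 0x7479, which is the value the code stores. Changing a single payload byte changes the sum, so the verification fails.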
Wireshark TCP
1. Capturing a bulk TCP transfer from your computer to a remote server
2. A first look at the captured trace
1. What is the IP address and TCP port number used by the client computer (source) that is transferring
the file to gaia.cs.umass.edu? To answer this question, it’s probably easiest to select an HTTP message
and explore the details of the TCP packet used to carry this HTTP message, using the “details of the
selected packet header window” (refer to Figure 2 in the “Getting Started with Wireshark” Lab if you’re
uncertain about the Wireshark windows).
2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending and receiving TCP
segments for this connection?
3. What is the IP address and TCP port number used by you(source) to transfer the file to
gaia.cs.umass.edu?
3. TCP Basics
4. What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection
between the client computer and gaia.cs.umass.edu? What is it in the segment that identifies the
segment as a SYN segment?
5. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client
computer in reply to the SYN? What is the value of the ACKnowledgement field in the SYNACK
segment? How did gaia.cs.umass.edu determine that value? What is it in the segment that identifies the
segment as a SYNACK segment?
6. What is the sequence number of the TCP segment containing the HTTP POST command? Note that in
order to find the POST command, you’ll need to dig into the packet content field at the bottom of the
Wireshark window, looking for a segment with a “POST” within its DATA field.
7. Consider the TCP segment containing the HTTP POST as the first segment in the TCP connection.
What are the sequence numbers of the first six segments in the TCP connection (including the segment
containing the HTTP POST)? At what time was each segment sent? When was the ACK for each
segment received?
Given the difference between when each TCP segment was sent, and when its acknowledgement was
received, what is the RTT value for each of the six segments? What is the EstimatedRTT value (see page
249 in text) after the receipt of each ACK? Assume that the value of the EstimatedRTT is equal to the
measured RTT for the first segment, and then is computed using the EstimatedRTT equation on page
249 for all subsequent segments.
Note: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP segments
sent. Select a TCP segment in the “listing of captured packets” window that is being sent from
the client to the gaia.cs.umass.edu server. Then select: Statistics->TCP Stream Graph->Round
Trip Time Graph.
8. What is the length of each of the first six TCP segments?
9. What is the minimum amount of available buffer space advertised at the receiver for the entire
trace? Does the lack of receiver buffer space ever throttle the sender?
10. Are there any retransmitted segments in the trace file? What did you check for (in the trace) in order
to answer this question?
11. How much data does the receiver typically acknowledge in an ACK? Can you identify cases where
the receiver is ACKing every other received segment (see Table 3.2 on page 257 in the text).
12. What is the throughput (bytes transferred per unit time) for the TCP connection? Explain how you
calculated this value.
4. TCP congestion control in action
13. Use the Time-Sequence-Graph (Stevens) plotting tool to view the sequence number versus time plot
of segments being sent from the client to the gaia.cs.umass.edu server. Can you identify where TCP’s
slow-start phase begins and ends, and where congestion avoidance takes over? Comment on ways in
which the measured data differs from the idealized behavior of TCP that we’ve studied in the text.
14. Answer each of two questions above for the trace that you have gathered when you transferred a
file from your computer to gaia.cs.umass.edu
Wireshark IP
1. Capturing packets from an execution of traceroute
2. A look at the captured trace
1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol
part of the packet in the packet details window. What is the IP address of your computer?
2. Within the IP packet header, what is the value in the upper layer protocol field?
3. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram?
Explain how you determined the number of payload bytes.
4. Has this IP datagram been fragmented? Explain how you determined whether or not the datagram
has been fragmented.
5. Which fields in the IP datagram always change from one datagram to the next within this series of
ICMP messages sent by your computer?
6. Which fields stay constant? Which of the fields must stay constant? Which fields must change?
Why?
7. Describe the pattern you see in the values in the Identification field of the IP datagram
8. What is the value in the Identification field and the TTL field?
9. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your computer by
the nearest (first hop) router? Why?
Fragmentation
10. Find the first ICMP Echo Request message that was sent by your computer after you changed the
Packet Size in pingplotter to be 2000. Has that message been fragmented across more than one IP
datagram? [Note: if you find your packet has not been fragmented, you should download the zip file
http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the ip-ethereal-trace-1 packet
trace. If your computer has an Ethernet interface, a packet size of 2000 should cause fragmentation.]
11. Print out the first fragment of the fragmented IP datagram. What information in the IP header
indicates that the datagram has been fragmented? What information in the IP header indicates whether
this is the first fragment versus a later fragment?
How long is this IP datagram?
12. Print out the second fragment of the fragmented IP datagram. What information in the IP header
indicates that this is not the first datagram fragment? Are there more fragments? How can you tell?
13. What fields change in the IP header between the first and second fragment?
14. How many fragments were created from the original datagram?
15. What fields change in the IP header among the fragments?
Wireshark ICMP
1. ICMP and Ping
1. What is the IP address of your host? What is the IP address of the destination host?
2. Why is it that an ICMP packet does not have source and destination port numbers?
3. Examine one of the ping request packets sent by your host. What are the ICMP type and code
numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence
number and identifier fields?
4. Examine the corresponding ping reply packet. What are the ICMP type and code numbers? What
other fields does this ICMP packet have? How many bytes are the checksum, sequence number and
identifier fields?
2. ICMP and Traceroute
5. What is the IP address of your host? What is the IP address of the target destination host?
6. If traceroute sent UDP packets instead (as in Unix/Linux), would the IP protocol number still be 01 for
the probe packets? If not, what would it be?
7. Examine the ICMP echo packet in your screenshot. Is this different from the ICMP ping query packets
in the first half of this lab? If yes, how so?
8. Examine the ICMP error packet in your screenshot. It has more fields than the ICMP echo packet.
What is included in those fields?
9. Examine the last three ICMP packets received by the source host. How are these packets different
from the ICMP error packets? Why are they different?
10. Within the tracert measurements, is there a link whose delay is significantly longer than others?
Refer to the screenshot in Figure 4, is there a link whose delay is significantly longer than others? On
the basis of the router names, can you guess the location of the two routers on the end of this link?
Wireshark DHCP
DHCP Experiment
1. Are DHCP messages sent over UDP or TCP?
2. Draw a timing diagram illustrating the sequence of the first four-packet Discover/Offer/Request/ACK
DHCP exchange between the client and server. For each packet, indicate the source and destination
port numbers. Are the port numbers the same as in the example given in this lab assignment?
3. What is the link-layer (e.g., Ethernet) address of your host?
4. What values in the DHCP discover message differentiate this message from the DHCP request
message?
5. What is the value of the Transaction-ID in each of the first four (Discover/Offer/Request/ACK) DHCP
messages? What are the values of the Transaction-ID in the second (Request/ACK) set of DHCP
messages? What is the purpose of the Transaction-ID field?
6. A host uses DHCP to obtain an IP address, among other things. But a host’s IP address is not
confirmed until the end of the four-message exchange! If the IP address is not set until the end of the
four-message exchange, then what values are used in the IP datagrams in the four-message exchange?
For each of the four DHCP messages (Discover/Offer/Request/ACK DHCP), indicate the source and
destination IP addresses that are carried in the encapsulating IP datagram.
7. What is the IP address of your DHCP server?
8. What IP address is the DHCP server offering to your host in the DHCP Offer message? Indicate which
DHCP message contains the offered DHCP address.
9. In the example screenshot in this assignment, there is no relay agent between the host and the DHCP server. What values in the trace indicate the absence of a relay agent? Is there a relay agent in your experiment? If so, what is the IP address of the agent?
10. Explain the purpose of the router and subnet mask lines in the DHCP offer message.
11. In the example screenshots in this assignment, the host requests the offered IP address in the DHCP
Request message. What happens in your own experiment?
12. Explain the purpose of the lease time. How long is the lease time in your experiment?
13. What is the purpose of the DHCP release message? Does the DHCP server issue an acknowledgment
of receipt of the client’s DHCP request? What would happen if the client’s DHCP release message is
lost?
14. Clear the bootp filter from your Wireshark window. Were any ARP packets sent or received during
the DHCP packet-exchange period? If so, explain the purpose of those ARP packets.
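Questions 4 to 12 all come down to reading fields of the DHCP payload (message type, xid, yiaddr, giaddr, lease and router options). The parser below is an added example, not part of the lab or its captures; the four-message exchange it parses is constructed inline with made-up addresses and transaction ID.

```python
import struct

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68       # DHCP runs over UDP (RFC 2131)
MAGIC_COOKIE = b"\x63\x82\x53\x63"                 # marks the start of the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_dhcp(payload: bytes) -> dict:
    """Parse the 236-byte BOOTP header plus DHCP options from a UDP payload."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack_from("!BBBBIHH", payload, 0)
    ciaddr, yiaddr, siaddr, giaddr = struct.unpack_from("!4s4s4s4s", payload, 12)
    chaddr = payload[28:28 + hlen]
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # option 255 = END
        if payload[i] == 0:                          # option 0 = PAD (no length byte)
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "client_mac": ":".join(f"{x:02x}" for x in chaddr),
        "ciaddr": ip(ciaddr), "yiaddr": ip(yiaddr), "giaddr": ip(giaddr),
        "relayed": giaddr != b"\0\0\0\0",            # non-zero giaddr means a relay agent
        "msg_type": MSG_TYPES.get(opts[53][0]) if 53 in opts else None,
        "requested_ip": ip(opts[50]) if 50 in opts else None,
        "server_id": ip(opts[54]) if 54 in opts else None,
        "subnet_mask": ip(opts[1]) if 1 in opts else None,
        "router": ip(opts[3]) if 3 in opts else None,
        "lease_secs": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }

def build_dhcp(op: int, xid: int, chaddr: bytes, yiaddr: bytes, options: dict) -> bytes:
    """Build a minimal DHCP payload (constructed test data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4, chaddr, b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return hdr + MAGIC_COOKIE + body + b"\xff"
# Constructed four-message exchange; all four share one transaction ID (xid).
XID, CLIENT_MAC = 0x3E4A5B6C, bytes.fromhex("001122334455")
OFFERED, SERVER, MASK = bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]), bytes([255, 255, 255, 0])
DISCOVER = build_dhcp(1, XID, CLIENT_MAC, b"\0" * 4, {53: b"\x01"})
OFFER = build_dhcp(2, XID, CLIENT_MAC, OFFERED, {53: b"\x02", 54: SERVER, 51: struct.pack("!I", 3600), 1: MASK, 3: SERVER})
REQUEST = build_dhcp(1, XID, CLIENT_MAC, b"\0" * 4, {53: b"\x03", 50: OFFERED, 54: SERVER})
ACK = build_dhcp(2, XID, CLIENT_MAC, OFFERED, {53: b"\x05", 51: struct.pack("!I", 3600), 54: SERVER})
EXCHANGE = [parse_dhcp(p) for p in (DISCOVER, OFFER, REQUEST, ACK)]
```

Comparing `EXCHANGE[0]` with `EXCHANGE[2]` shows what separates a Discover from a Request (option 53 and the requested-address option), and a zero `giaddr` in every message is the sign that no relay agent was involved.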
Wireshark Ethernet and ARP
1. Capturing and analyzing Ethernet frames
1. What is the 48-bit Ethernet address of your computer?
2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of
gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? [Note: this is
an important question, and one that students sometimes get wrong. Re-read pages 468-469 in the text
and make sure you understand the answer here.]
3. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s) whose value is 1
mean within the flag field?
4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET” appear in the
Ethernet frame?
5. What is the hexadecimal value of the CRC field in this Ethernet frame?
6. What is the value of the Ethernet source address? Is this the address of your computer, or of
gaia.cs.umass.edu (Hint: the answer is no). What device has this as its Ethernet address?
7. What is the destination address in the Ethernet frame? Is this the Ethernet address of your
computer?
8. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s) whose value is 1
mean within the flag field?
9. How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e., the HTTP
response code) appear in the Ethernet frame?
10. What is the hexadecimal value of the CRC field in this Ethernet frame?
2. The Address Resolution Protocol
11. Write down the contents of your computer's ARP cache. What is the meaning of each column value?
Observing ARP in action
12. What are the hexadecimal values for the source and destination addresses in the Ethernet frame
containing the ARP request message?
13. Give the hexadecimal value for the two-byte Ethernet Frame type field. What do the bit(s) whose
value is 1 mean within the flag field?
14. Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable,
detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inetpages/arp.html.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made?
c) Does the ARP message contain the IP address of the sender?
d) Where in the ARP request does the "question" appear, that is, the Ethernet address of the machine whose corresponding IP address is being queried?
15. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP response is made?
c) Where in the ARP message does the "answer" to the earlier ARP request appear, that is, the IP address of the machine having the Ethernet address whose corresponding IP address is being queried?
16. What are the hexadecimal values for the source and destination addresses in the Ethernet frame
containing the ARP reply message?
17. Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wiresharktraces.zip. The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6, another ARP request. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace?
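Questions 12 to 16 ask for byte offsets and field values inside the Ethernet frames that carry an ARP request and its reply. The parser and frame builder below are an added example, not part of the lab or its trace files; the two hosts, their MAC and IP addresses, and the request/reply pair are constructed inline.

```python
import struct

ETH_HDR_LEN = 14                 # dst MAC (6) + src MAC (6) + type (2); FCS not counted
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# ARP body: htype(2) ptype(2) hlen(1) plen(1) opcode(2) sha(6) spa(4) tha(6) tpa(4)
OPCODE_OFFSET = ETH_HDR_LEN + 6  # opcode byte offset from the start of the frame (20)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying an IPv4-over-Ethernet ARP packet (RFC 826)."""
    eth_dst, eth_src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack_from("!HHBBH", frame, ETH_HDR_LEN)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", frame, ETH_HDR_LEN + 8)
    return {"eth_dst": mac(eth_dst), "eth_src": mac(eth_src), "opcode": opcode,
            "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Build an Ethernet/ARP frame from raw address bytes (constructed data)."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa))

# Constructed addresses: host A asks which MAC owns 192.168.1.1; host B answers.
A_MAC, A_IP = bytes.fromhex("001122334455"), bytes([192, 168, 1, 10])
B_MAC, B_IP = bytes.fromhex("aabbccddeeff"), bytes([192, 168, 1, 1])
BCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6
# Request: broadcast frame; the "question" is the all-zero target MAC beside the target IP.
REQUEST = build_arp_frame(BCAST, A_MAC, ARP_REQUEST, A_MAC, A_IP, ZERO_MAC, B_IP)
# Reply: unicast back to A; the "answer" is B's MAC in the sender hardware address field.
REPLY = build_arp_frame(A_MAC, B_MAC, ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP)
```

Slicing `REQUEST[OPCODE_OFFSET:OPCODE_OFFSET + 2]` gives the raw opcode bytes the questions ask you to locate in the Wireshark byte pane.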
Extra Credit
EX-1. The arp command:
arp -s InetAddr EtherAddr
allows you to manually add an entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. What would happen if, when you manually added an entry, you entered the correct IP address, but the wrong Ethernet address for that remote interface?
EX-2. What is the default amount of time that an entry remains in your ARP cache before being removed? You can determine this empirically (by monitoring the cache contents) or by looking it up in your operating system documentation. Indicate how/where you determined this value.