1. Simple IP Trace below ‘Answer the following questions using the ip-ethereal-trace-1 packet trace to answer the questions 1.Sclect the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol part of the packet in the packet details window. What is the IP address of your computer? Ans. IP Address : 192.168.1.102 Y ee Ipeteeinent en hoes Pcs 1026 (Gt anon em anol Fin E6t iow Co Cape syne Sete Taeproy Tonle mtn Hp ses Bap © penn Car 8 SF ii rine oc [cthemer ats Set acthonceurovi(Grarents ovis ones Linayn das [Sats os “ores nies etic, oe te peti - et doe ge Da] Sm We cw 2. Within the IP packet header, what is the value in the upper layer protocol field? Ans, ICMP(1)hte rues flonan aes reser OW O- Sy roe spleen er icon ier I SCS REN SETA CAE a | a bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain how you determined the number of payload bytes. Ans. Header length : 20bytes Explaination To determine the payload bytes we subtract the IP header Length 20 bytes from the total Length 84 bytes which gives the bytes of the payload Payload bytes = Total Length - Header Lengthhrtonme sr flonan nae ress OW O- ane ence ete so og og tense eet teeta een Intermt Protest Vraton By ret 2s 16,1102 (12.16. 1e)62h+ Oe 38hS0,2n10 (158.2 © swat seer - ng Or ronment ten [Mtns [ia te 4. Has this IP datagram been fragmented? Expla fragmented. how you determined whether or not the datagram has been Ans. No, because flags: 0x00 and Fragment offset:0 and we can’t see any Ip4 so we can conclude that IP datagram hasn't fragmented hte rues froma ae reas OW O- er rts Uke aia7a Conceiasiacaza ‘fe iateai en ia hay ves Sm S.2. 20 2920301 Qaim epee | Soe ee a Next, sort the traced packets according to IP source address by el ‘king on the Source column header; a small downward pointing arrow should appear next to the word Souree. If the arrow points up, click on the Sourcecolumn header again, Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol portion in the details of selected packet header window. In the listing of eaptured packets window, ‘you should see all of the subsequent ICMP messages (perhaps with additional interspersed packets sent by other protocols running on your computer) below this first ICMP. Use the down arrow to move through the ICMP. _messages sent by your computer. 5. Which fields the IP datagram always change from one data series of ICMP messages sent by your computer? Ans, Time to live (TTL) and Sequence no. are changing 2 Aention” Puces > fest ane pete (Wrest 10.26 (G8 omar Fle Eat Vow Go Capt dese Seater Tptny Tne mle Help eed a cuaes eas ina) == a eesuuoNuesrce. gasssgsseeasses SE geenieta ssaccass im I rn Gs ET inns Qian Gane i 6. Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why? Ans. Fields constant 1. Source IP 2. Destination IP 3. Header Length = 20bytes 4. Version = Ipv4 5 Fields changing 1. TTL (Time to live) 2. Identification no. 3. Header Checksum 7. Describe the pattern you see in the values in the Identification field of the IP datag1Ans. Identification Field is increasing 2 Artin” races bes newa ane te162 DW O~ Irseraaeri Wear 1034 (Gi Re Uno rom ean ait ln at aw Go Captn nays Stace Tannny Tete Wasp iter (pnp femest_Stcmene, topmniynm, La [ropty 49) 7 (neti 7) Smeengeprteal ersten feet louse dat eset sel, bet ae a-tdeo (i 22-00) | ae 1 bps = Pes fre two ayer = sens? 04 O- reheat Weak 1038 (he Uno om oon cee Fe Edt Yew Aye Sette Teepony ets beams Hep : : ice Seto lpinp teaest sdawone: sopswmnrmm: Lez E 0 Ea tare (pimp ronest_ ste, toraenins, La [rly 49) Se pe atin anon Next (with the packets still sorted by source address) find the series of ICMP TTL-exceeded replies sent to your computer by the nearest (first hop) router. 8. What is the value in the Identification field and the TTL field? Ans. _ identification; 0x9d7e(40316) TTL: 2552 brptenne sr fon nae aaa Fragmentation Sort the packet listing according to time again by clicking on the Time column, 9. Find the first ICMP Echo Request message that was sent by your computer. Has that message been fragmented across more than one IP datagram? Ans. No 1 ition c= flesh ott ese Te162 OW O- frst (Weak 1024 (GR Uno ram aoe - wee tsp. la App Ser10, Print out the first fragment of the fragmented IP datagram. What the datagram been fragmented? What information in the IP header indicates whether this is the first fragment versus a latter fragment? How long is this IP datagram? Ans, Information - more fragment is set Header Length = 20 Total Length = 1500 Fragment offset is zero and more fragments is set so it is the first fragment TIL (i Aen > nl abe Net Ana fais) OM Ov Ipetecetance i Wrea130.4 (G8 ev Une Mom tne) eo Fa Ea View Go Cape tye Sete Talay Tene earls lp 11, Print out the second fragment of the fragmented IP datagram. What information in the IP header indicates that this is not the first datagram fragment? Are the more fragments? How can you tell? ‘Ans. Information - more fragment is set Header Length = 20 Total Length = 548 TIL= Fragment offset is not zero so it is not the first datagram fragment No, there is no more fragment because the more fragment is not set1 bps rcs flr art aye naness 0.4 O- Ipretereac (Wrest 1034 (OR ev Uo omamanor ie Eat Vow 60 Cope dnsyne Suet Taprny Tete eae Help ‘ret es aA BG J ov ne Qumee-e om | Genes F 12. What fields change in the IP header between the first and second fragment? ‘Ans. Size of the total length is change from 1500 to 548 ARP 1. Capturing and analyzing Ethernet frames Note: Answer the following questions using the ethernet-ethereal-trace-I packet trace to answer the questions below 1. What is the 48-bit Ethernet address of your computer? Ans, 48 bit address is : (00:d0:59:a9:34:68)2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? [Note: this is an important question, and one that students sometimes get wrong, Re-read pages 468-469 in the text and make sure you understand the answer here] ‘Ans. Destination address is 00:06:25:daaf'73 not the ethernet address of gaia.cs.umass.edu oy Ef 3. Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to? Ans. Type: ARP (0x0806)4. How many bytes from the very start of the Ethernet frame does the ASCII DzGdz in DzGETdz appear in the Ethernet frame? total byte count = S8bytes ces.umass.edu the address of your computer, or of gai the answer is mo). What device has this as its Ethernet address? Source address of Ethernet in HTTP response message is (00:06:25:da:af 73), This is not the address of my computer or gaia.cs umass.edu. It is the address of my Router.cases Re Qeoutsrmaaas 6. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer? Ans. The destination address is 00:06:25:daraf-73 This is the address of my computer duce soee (cszsszmaaas 7. Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to? Ans, Internet Protocol Version 4oe ke Qeewessmaane Bice iat holt na than a ape tn ean a 79 E Saweengennans Jai 7 f 8, How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” response code) appear in the Ethernet frame? down the contents of your computer's ARP cache. What is the meaning of each column value? st column is for ip address Second column is for mac address Third column is for type of address static or dynamicthe ARP request message? Ans, Source address 00:06:25:da:af.73 Destination address 00:d0:59:29:34:68 10, What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the hexadecimal value for the two-byte Ethernet correspond to? Ans. Type: ARP (0x0806) field. What upper layer protocol does thCX SEE 12, Download the ARP specification from ftp://ftp.rfe-editor.org/in-notes/std/std37.txt. A readable, detailed ‘ussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html, a. How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begi Ans, 20 Bytes b, What is the value of the opcode field witl request is made? Ans. 0x0001 . Does the ARP message contain the IP address of the sender Ans. Yes 192.168.1.105 the ARP request does the Dzquestiondz appear — the Ethernet address of the machine whose ig IP address is being queried? Ans. TArget mac address is set 00:00:00:00:00:00 in the ARP-payload part of the Ethernet frame in which an ARP13, Now find the ARP reply that was sent in response to the ARP request. a. How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? Ans, 20 Bytes b, What is the value of the opcode field w response is made? Ans. 0x0002 ¢. Where in the ARP message does the Dzanswerdz to the earlier ARP request appear — the IP address of the machine having the Ethernet address whose corresponding IP address is being queried? Ans, _ Ethernet address 00:06:25:dacat:73 for the sender with IP address 192.168. 1.1 an ARP. the ARP-payload part of the Ethernet frame in w'14, What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message? Ans. Source: 00:06:25:da:af'73 Destination: 00:d0:59:a9:34:68 ‘The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARPrequested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 — another ARP request. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace? Ans. There is no reply in this trace because we are not at the machine that sent the request, The ARP request is, broadcast, but the ARP reply is sent back directly to the sender's Ethernet address