Tutorial 3- Network Layer Protocols
Introduction:
In this tutorial, we shall be looking at some Network Layer Protocols (ARP, IP and ICMP) using
Wireshark to get an understanding of how each protocol functions.
Scenario:
Suppose PC A wants to communicate with PC B. The transmitting computer (PC A) sends out an ARP
request that essentially says,
“Hello, everybody. My IP address is 192.168.0.114, and my MAC address is f2:f2:f2:f2:f2:f2. I
need to send something to whoever has the IP address 192.168.0.1, but I don’t know the
hardware address. Will whoever has this IP address please respond with your MAC address?”
This packet is broadcast to every device on the network segment. Any device that doesn’t have
this IP address simply discards the packet. The device that does have the address sends an ARP
reply with an answer such as “Hey, transmitting device, I’m the one you’re looking for with the
IP address 192.168.0.1. My MAC address is 02:f2:02:f2:02:f2.”
Open arp_resolution.pcapng with Wireshark. This capture contains two frames, Frame 1 and Frame 2.
Double click on Frame 1 and you should see a window pop up similar to this:
The image above shows that this is an ARP request [Opcode: request (1)] sent from the
transmitting computer with IP address 192.168.0.114; its MAC address is highlighted in
red.
The target IP is 192.168.0.1. Notice that the Target MAC address is not yet known at this point
and therefore contains a series of zeros.
Double click on Frame 2 to view the response and answer the following:
Questions:
1. What is the opcode in this packet, and what does it signify?
2. What are the sender's and the target's IP addresses and MAC addresses respectively?
3. Look at frame 1 again and comment on what is important about the destination MAC address
in this case.
4. What else can we determine about the MAC addresses of the endpoints (e.g.
manufacturers)?
Gratuitous ARP
In many cases, a device’s IP address can change. When this happens, the IP-to-MAC address
mappings that hosts on the network have in their caches will be invalid.
To prevent this from causing communication errors, a gratuitous ARP packet is transmitted on
the network to force any device that receives it to update its cache with the new IP-to-MAC
address mapping.
Let’s look at this in practice.
Open arp_gratuitous.pcapng with Wireshark. This capture contains one packet.
Double click on the frame and you should see a window pop up like the one shown below:
1. Examining the Ethernet header, you can see that this packet is sent as a broadcast so that
all hosts on the network receive it.
2. Wireshark flags the ARP request as gratuitous (the “Is gratuitous” field is True).
3. The Sender IP and the Target IP are the same.
4. Note that once a computer’s IP address is changed on a network, it sends a gratuitous
ARP request carrying its new IP address and MAC address so that computers on
the same network can update their record of who the new “guy” is.
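To make the two ARP captures above concrete, here is an added example (not part of the handout) that decodes raw Ethernet+ARP frames into the same fields Wireshark shows: opcode, sender/target MAC and IP, whether the frame was broadcast, and whether it is gratuitous. The three sample frames are constructed inline using the addresses from the scenario text; the 192.168.0.120 address used for the gratuitous announcement is an assumed value, and the gratuitous check is a simplified version of Wireshark's rule (sender IP equal to target IP).

```python
import struct

# Ethernet II + ARP (RFC 826) layout constants.
ETH_HDR_LEN = 14
ARP_LEN = 28            # ARP body for Ethernet/IPv4 addresses
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_OPCODES = {1: "request", 2: "reply"}


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def str_to_mac(text):
    return bytes(int(part, 16) for part in text.split(":"))


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def str_to_ip(text):
    return bytes(int(part) for part in text.split("."))


def build_arp_frame(eth_dst, eth_src, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP frame from readable fields (used only to construct sample data)."""
    eth = struct.pack("!6s6sH", str_to_mac(eth_dst), str_to_mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,            # hardware type: Ethernet
                      0x0800,       # protocol type: IPv4
                      6, 4,         # hardware / protocol address lengths
                      opcode,
                      str_to_mac(sender_mac), str_to_ip(sender_ip),
                      str_to_mac(target_mac), str_to_ip(target_ip))
    return eth + arp


def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying ARP into the fields Wireshark displays."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    (_htype, _ptype, _hlen, _plen, opcode, sha, spa, tha, tpa) = struct.unpack(
        "!HHBBH6s4s6s4s", frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN])
    sender_ip, target_ip = ip_to_str(spa), ip_to_str(tpa)
    return {
        "eth_dst": mac_to_str(dst),
        "eth_src": mac_to_str(src),
        "is_broadcast": mac_to_str(dst) == BROADCAST_MAC,
        "opcode": opcode,
        "opcode_name": ARP_OPCODES.get(opcode, "unknown"),
        "sender_mac": mac_to_str(sha),
        "sender_ip": sender_ip,
        "target_mac": mac_to_str(tha),   # all zeros in a request: not yet known
        "target_ip": target_ip,
        # Simplified form of Wireshark's "Is gratuitous" rule: the sender is
        # announcing its own address, so sender and target IP are identical.
        "is_gratuitous": sender_ip == target_ip,
    }


def info_column(parsed):
    """Reproduce the gist of Wireshark's Info column for an ARP frame."""
    if parsed["is_gratuitous"]:
        return f"Gratuitous ARP for {parsed['sender_ip']} ({parsed['opcode_name'].capitalize()})"
    if parsed["opcode"] == 1:
        return f"Who has {parsed['target_ip']}? Tell {parsed['sender_ip']}"
    if parsed["opcode"] == 2:
        return f"{parsed['sender_ip']} is at {parsed['sender_mac']}"
    return f"Unknown ARP opcode {parsed['opcode']}"


# Constructed sample frames mirroring the handout's scenario.
SAMPLE_FRAMES = [
    # Frame 1: broadcast request; the target MAC is unknown, hence all zeros.
    build_arp_frame("ff:ff:ff:ff:ff:ff", "f2:f2:f2:f2:f2:f2", 1,
                    "f2:f2:f2:f2:f2:f2", "192.168.0.114",
                    "00:00:00:00:00:00", "192.168.0.1"),
    # Frame 2: unicast reply straight back to the requester.
    build_arp_frame("f2:f2:f2:f2:f2:f2", "02:f2:02:f2:02:f2", 2,
                    "02:f2:02:f2:02:f2", "192.168.0.1",
                    "f2:f2:f2:f2:f2:f2", "192.168.0.114"),
    # Gratuitous announcement after an (assumed) address change to 192.168.0.120.
    build_arp_frame("ff:ff:ff:ff:ff:ff", "f2:f2:f2:f2:f2:f2", 1,
                    "f2:f2:f2:f2:f2:f2", "192.168.0.120",
                    "00:00:00:00:00:00", "192.168.0.120"),
]

if __name__ == "__main__":
    for n, frame in enumerate(SAMPLE_FRAMES, 1):
        p = parse_arp_frame(frame)
        print(f"Frame {n}: {info_column(p)}  [broadcast={p['is_broadcast']}]")
```

Running it prints one line per frame in the style of Wireshark's Info column; compare the first two lines with Frames 1 and 2 of arp_resolution.pcapng and the third with the single frame in the gratuitous capture.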
Internet Protocol (IP)
As you just saw, MAC addresses are used for communication on a single network at layer 2. In
much the same fashion, layer 3 is responsible for addresses used in internetwork communication.
Hence computers on different networks use Internet Protocol addresses to communicate.
Internet Protocol (IP) currently has two versions in use: IP version 4 and IP version 6.
Open the file ip_ttl_source.pcapng in Wireshark, which contains two ICMP packets. Note that ICMP
messages are carried inside IP datagrams; in this case the first packet is a ping request.
Questions
1. Double click on Frame 1.
2. What IP version is being used in this network capture?
3. What are the IP address and MAC address of the transmitting computer and of the destination
computer respectively?
4. What is the Time-To-Live (TTL) value in this packet?
5. Double click on Frame 2. How can you determine that this is a response to the ping request
in Frame 1?
6. What is the source and destination of the hosts in this packet?
7. What is the Time-To-Live (TTL) value in this packet?
8. The TTL field limits how many routers (hops) a packet may traverse before it reaches its
destination; each router it passes through decrements it by one. So the TTL in both frames indicates one hop.
We get a reply from the IP address 172.217.22.132, which is Google’s IP address.
Let’s take a look at an ICMP Echo Request and Echo Reply in practice.
Open a command prompt and type in ipconfig to see the IP address of your machine
Try to ping your own machine, does it work?
Now try it again but start Wireshark and leave it running in the background. Do the ping
messages show up?
Finally, ping the machine sequentially next to yours in terms of IP address, e.g. if your
address is 192.168.0.1, you would ping 192.168.0.2. Again leave Wireshark running in the
background.
Questions
1. How many frames do you see in the capture, why is this the case?
2. What might this tell us about the structure of the LAN in this lab?
3. Select a random packet from the capture, what is the IP address of the source and
destination hosts respectively?
4. What do these IP addresses represent, are they public or private? What does this mean?
5. From the ICMP portion of this packet, determine if this request is an echo request or
reply?
6. Find a ping reply and look at the information in the ICMP field. Compare this to the output
on the console, does the data match up?
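The following is an added example (not part of the handout) covering both the ip_ttl_source.pcapng questions and the ping exercise: it decodes a raw IPv4 datagram and the ICMP echo header inside it, verifies both checksums, distinguishes echo request (type 8) from echo reply (type 0), and matches a reply to its request the way a ping client does, by mirrored addresses plus identical identifier, sequence number and data. The two packets are constructed inline; the host 192.168.0.114 and the TTL values are assumptions, the Google address is the one quoted above, and the 32-byte payload is the default data Windows ping sends. The hop estimate goes slightly beyond the text by guessing the sender's initial TTL from the common values 64, 128 and 255.

```python
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_KINDS = {ICMP_ECHO_REPLY: "echo reply", ICMP_ECHO_REQUEST: "echo request"}
# Typical initial TTLs set by common operating systems; used only to
# estimate how many routers a packet has already crossed.
COMMON_INITIAL_TTLS = (64, 128, 255)
# Default 32-byte payload of Windows ping, as seen in the ICMP data field.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def str_to_ip(text):
    return bytes(int(part) for part in text.split("."))


def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; yields 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src_ip, dst_ip, ttl, icmp_type, ident, seq, data=WINDOWS_PING_DATA):
    """Construct an IPv4 datagram carrying an ICMP echo message (sample data only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # Version 4, IHL 5 (0x45), DF flag set (0x4000), arbitrary identification.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,
                      ttl, IPPROTO_ICMP, 0, str_to_ip(src_ip), str_to_ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def estimate_hops(ttl):
    """Guess routers crossed: nearest common initial TTL at or above the observed value, minus it."""
    candidates = [t for t in COMMON_INITIAL_TTLS if t >= ttl]
    return min(candidates) - ttl if candidates else None


def parse_ip_icmp(pkt):
    """Decode the IPv4 header and, for protocol 1, the ICMP echo header beneath it."""
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 packet")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    info = {"version": version, "ttl": ttl, "protocol": proto,
            "src": ip_to_str(src), "dst": ip_to_str(dst),
            "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
            "hops_estimate": estimate_hops(ttl)}
    if proto == IPPROTO_ICMP:
        icmp = pkt[ihl:total_len]
        itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update({"icmp_type": itype, "icmp_code": code,
                     "kind": ICMP_KINDS.get(itype, f"type {itype}"),
                     "icmp_checksum_ok": inet_checksum(icmp) == 0,
                     "echo_id": ident, "echo_seq": seq, "echo_data": icmp[8:]})
    return info


def is_reply_to(request, reply):
    """A reply matches a request when addresses are mirrored and id, seq and data are echoed back."""
    return (request.get("icmp_type") == ICMP_ECHO_REQUEST
            and reply.get("icmp_type") == ICMP_ECHO_REPLY
            and (reply["src"], reply["dst"]) == (request["dst"], request["src"])
            and (reply["echo_id"], reply["echo_seq"], reply["echo_data"])
            == (request["echo_id"], request["echo_seq"], request["echo_data"]))


# Constructed sample: an assumed Windows host pings the Google address from the handout.
SAMPLE_REQUEST = build_icmp_echo("192.168.0.114", "172.217.22.132", 128, ICMP_ECHO_REQUEST, 1, 7)
SAMPLE_REPLY = build_icmp_echo("172.217.22.132", "192.168.0.114", 56, ICMP_ECHO_REPLY, 1, 7)

if __name__ == "__main__":
    req, rep = parse_ip_icmp(SAMPLE_REQUEST), parse_ip_icmp(SAMPLE_REPLY)
    for name, p in (("Frame 1", req), ("Frame 2", rep)):
        print(f"{name}: IPv{p['version']} {p['src']} -> {p['dst']} ttl={p['ttl']} "
              f"(~{p['hops_estimate']} hops) {p['kind']} id={p['echo_id']} "
              f"seq={p['echo_seq']} bytes={len(p['echo_data'])}")
    print("Frame 2 answers Frame 1:", is_reply_to(req, rep))
```

The `bytes=32` figure printed for each packet is the same number the Windows console reports in "Reply from …: bytes=32", which is what question 6 asks you to compare; the identifier and sequence number are what let Wireshark pair a request with its reply.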