

CS 279 Assignment 2 Link, Internet, and Transport Layer Protocols | Complete Solution


CS 279 – Winter 2015 – Assign 2            Name _____________________________
Link, Internet, and Transport Layer Protocols
Enter your answers into this document in bold then upload it through Moodle.  Be sure to include the requested screen shots.  You may use the Lower-Layer Protocols Power Point to help you.

PART 1 – Common Protocols

A. Address Resolution Protocol (ARP)
1.    Intro: Both physical and logical addresses are used for network communications.  Recall that switches are layer 2 networking devices (we are speaking of the traditional switch most commonly used rather than a layer 3 switch) which connect end stations to the network, while routers are layer 3 networking devices that interconnect networks.  When one computer transmits data to another, the data normally is first transferred to at least one switch on the near end, then to at least one router in order to reach the destination network, and finally to at least one switch on the far end to reach the destination computer.  The MAC addresses (physical addresses) used by switches are for communication between devices directly connected to the same network, while the IP addresses (logical addresses) used by routers facilitate communication between networks.  ARP is used to map layer 3 IP addresses to layer 2 MAC addresses, and vice versa.  This allows a packet to be forwarded through a network fabric made up of switches and routers. 

2. Suppose you are sending a packet to a remote server, for example, a web server.  The application you are using, that is, your browser, knows the IP address of the server via DNS and this address is placed in the destination address field in the IP header of the packet.  This IP address allows the packet to traverse the internetwork of routers to the destination network. But in order for the packet to reach the first switch from your computer, and for it to reach the server from the far end switch, MAC addresses need to be used.  Computers and networking devices have ARP tables to allow this translation between IP addresses and MAC addresses to occur.  However, if the ARP table doesn’t contain the desired address an ARP broadcast packet is sent to all the devices connected to the local network to find the MAC address associated with the given IP address.  The ARP resolution process uses only two packets—an ARP request and an ARP reply.   

3. Log in to an account on your computer that has administrative privileges.  You will need this later when you clear the ARP table.  From the Windows Command Prompt on your computer, enter ipconfig/all to find the IP address of your default gateway (also, note your computer’s IP address and its MAC address for use later).  Recall that the default gateway is the first router in the path to the destination server.  Now, enter arp -a to view your computer’s ARP table.  If the table doesn’t have an entry for your default gateway, then ping the IP address of the default gateway and redisplay your ARP table with arp -a.  You should now have that entry in the table.  Open your browser, then open Wireshark and start capturing packets.  Now, enter the URL for www.lanecc.edu in your browser.  Stop the Wireshark capture.  Now, as we did in Assign 1, use the Wireshark filter to display only HTTP packets.  Look for the HTTP GET packet that started the request for the Lane home page.  Use the source and destination IP addresses to confirm that it is the correct packet.  We know the source from ipconfig/all above.  Recall that in Assign 1 we determined the IP address of the Lane web server by pinging www.lanecc.edu and looking at the output.
Did you find the HTTP GET? _____
Now, use the Wireshark filter by entering “arp” to display only the ARP packets.  Do you see an ARP packet from your computer? ____

Think about the situation when ARP packets are generated.  Why isn’t there an ARP packet captured? ________________________________________________________

4. Now, redo the test but clear the ARP table on your computer first by entering arp -d * from a privileged account at the Command Prompt (you can do this by right-clicking the Command Prompt icon and selecting “Run as Administrator”).  Confirm that the ARP table is empty by entering arp -a (Windows 8 wants to put the default gateway address back).  Did the filtering operation on ARP packets find one from your computer this time? _____

Why do you get these packets now and not with the previous test? ________________________________________________________________________

5. Is the one from your computer an ARP request or ARP reply? _________________

Confirm this by looking at the Opcode value shown in the ARP header.  As shown in the Lower-Layer Protocols Power Point, which Opcode represents an ARP request and which an ARP reply? ___________________ 

Which MAC address is the packet asking for (check one)? [  ] my computer [  ]  default gateway [  ] some other machine 

How do you determine the answer to the last question? _______________________________________________________________________

Confirm that it is broadcast by examining the destination MAC address in the Ethernet header in the packet-header details pane.  What is the destination MAC address shown? ____________________________ 

What is the source MAC address? ______________________

Which computer is the source? ________________________

In the ARP header, notice that your computer’s IP address and MAC address are listed as the sender, and in the target IP address field is the default gateway address, but what is listed in the target MAC address field? ___________________________ 

This is the representation of the ARP request process—“I need to send a packet to this IP address but I don’t know its MAC address, whoever has this IP address please respond with your MAC address.” 

Screen print the packet-header details pane for the ARP packet with the Ethernet and ARP headers maximized but the other sections minimized, and insert the screen shot immediately below.

6. How many protocol layers are there in the ARP packet (count the protocol headers including Ethernet)? _______


Does this match the maximum number of layers for a TCP/IP packet? ______ 

From our work with DHCP in Assign 1, which TCP/IP layers are missing from this ARP packet (recall that the TCP/IP layers are Link, Internet, Transport, Application)? ______________________________ (give their TCP/IP names)

Is there a TCP port number associated with ARP requests? ______

7. You saw that there are IP addresses in the ARP packet, but in order for IP addresses to be used to deliver packets they need to be in the IP header.  Is there an IP layer in an ARP packet? ______

Recall that switches and routers are used to deliver packets in a network, and at which layers do switches and routers operate? __________________________ (give their TCP/IP names)

Hence, we see that ARP packets can only go to devices on the local network: they can’t be forwarded through a router because their IP addresses are not in an IP header.

8. Now open the next ARP packet.  It should be the ARP reply.  Do the IP addresses in the IP header and the MAC addresses in the Ethernet header indicate that it is from the default gateway to your computer? ______

Now, look in the ARP header of the packet.  The addresses will be reversed from the ARP request, but notice that the ARP question has been answered by the default gateway sending back its ________________ (fill in blank). 

What is the Opcode value shown in the ARP header? __________ 

Screen print the packet-header details pane for the ARP packet with the Ethernet and ARP headers maximized but the other sections minimized, and insert the screen shot immediately below.

9. How many TCP/IP protocol layers are there in this ARP reply packet (count the protocol headers including Ethernet)? _______

Does this match the maximum number of layers for a TCP/IP packet? ______  

Which TCP/IP layers are missing from this ARP packet? ______________________

Is there a TCP port number associated with ARP replies? ______

10. Recall the description of gratuitous ARPs in the Lower-Layer Protocols Power Point.  How might you set up a test to see if your operating system sends a gratuitous ARP at boot time?  Explain how you think you could test this. _______________________________________
    _________________________________________________________________________

11. Now implement your idea.  This would normally require a couple of computers, so if you are in the online class and don’t have access to a couple of networked computers, skip to the next step.  However, if you are in an in-class section, pair up with another student or find an unused computer in the lab room or classroom.  Did your test work? ____

Does your operating system send a gratuitous ARP at boot time? ____

Screen print the packet-header details pane for the gratuitous ARP packet with the Ethernet and ARP headers maximized but the other sections minimized, and insert the screen shot immediately below.
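
Added example (not part of the original assignment): a Python sketch that builds and parses the Ethernet and ARP headers examined in Section A, covering the request, the reply, and a gratuitous ARP. All MAC and IP addresses are constructed lab values, and the function names are this example's own.

```python
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
UNKNOWN_MAC = "00:00:00:00:00:00"   # target MAC placeholder in a request
OPCODES = {1: "request", 2: "reply"}

# Constructed lab addresses, not taken from any real capture.
HOST_MAC, HOST_IP = "00:11:22:33:44:55", "192.168.1.10"
GW_MAC, GW_IP = "66:77:88:99:aa:bb", "192.168.1.1"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(part) for part in ip.split("."))


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(eth_dst, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed directly by the 28-byte ARP header."""
    ethernet = (mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac)
                + struct.pack("!H", ETHERTYPE_ARP))
    # Hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), sizes 6 and 4.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return ethernet + arp


def parse_arp_frame(frame):
    """Decode the fields Wireshark shows under the Ethernet and ARP headers."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    pkt = {
        "eth_dst": mac_to_str(frame[0:6]),
        "eth_src": mac_to_str(frame[6:12]),
        "opcode": OPCODES.get(opcode, f"unknown ({opcode})"),
        "sender_mac": mac_to_str(frame[22:28]),
        "sender_ip": ip_to_str(frame[28:32]),
        "target_mac": mac_to_str(frame[32:38]),
        "target_ip": ip_to_str(frame[38:42]),
    }
    pkt["broadcast"] = pkt["eth_dst"] == BROADCAST_MAC
    # Gratuitous ARP: a host announces its own mapping, so sender IP == target IP.
    pkt["gratuitous"] = pkt["sender_ip"] == pkt["target_ip"]
    return pkt


REQUEST = build_arp_frame(BROADCAST_MAC, 1, HOST_MAC, HOST_IP, UNKNOWN_MAC, GW_IP)
REPLY = build_arp_frame(HOST_MAC, 2, GW_MAC, GW_IP, HOST_MAC, HOST_IP)
GRATUITOUS = build_arp_frame(BROADCAST_MAC, 1, HOST_MAC, HOST_IP, UNKNOWN_MAC, HOST_IP)

if __name__ == "__main__":
    for name, frame in [("request", REQUEST), ("reply", REPLY),
                        ("gratuitous", GRATUITOUS)]:
        print(name, parse_arp_frame(frame))
```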
 

B. Internet Protocol (IP)
1. Intro: IP’s purpose is to support internetwork communication.  IP functions at OSI layer 3 which is where routers are, and as we learned routers are used to interconnect networks.  They do this via IP. 

2. Open in Wireshark the saved capture file named ip_ttl_source.pcap provided in Moodle.  This capture contains two ICMP packets, a ping request and reply (discussed below).  Maximize the IP header in the packet-header details pane of the first packet.  What version of IP is indicated? ______

What is the IP header length? ________

What is the total length of the header and payload? _______

Now, click on the IP header line to highlight the bytes in the packet-bytes pane at the bottom.  How many bytes are highlighted? _______

Click on the Internet Control Message Protocol line.  This is the payload of the IP packet.  How many bytes are highlighted in the packet-bytes pane? ______

Are these last two numbers you found consistent with the IP header length and total length fields? ______

3. What is the value of the Time to Live field? ________

What is the value of the Protocol field? _________ (recall from the Power Point accompanying this assignment that this indicates the type of packet coming next in the sequence of packets)

4. ICMP pings are used to test network communication between hosts.  What is the source IP address of this packet? ____________________

What is the destination IP address? ____________________________  This capture file was created at the source host.

5. How many TCP/IP protocol layers are there in the packet (count the protocol headers including Ethernet)? _______

Does this match the maximum number of layers for a TCP/IP packet? ______

Which TCP/IP layers are missing from this packet? ______________________

Would an ICMP ping request have a port number associated with it? _______

Screen print the packet-header details pane for this packet with the IP header maximized but the other sections minimized, and insert the screen shot immediately below.

6. Open the second packet in the capture file, the ping reply.  Have the source and destination addresses reversed? ____

What is the Time to Live value in this packet? _________

7. Now, open the capture file ip_ttl_dest.pcap provided in Moodle.  The data in this file was captured at the destination host.  Maximize the IP header of the first packet, ping request.  This is the same ping request you looked at above, but it was captured at the destination host.  Notice that the source and destination IP addresses are consistent with what you recorded above.  What is the Time to Live field value though? _____  Does this indicate that the packet (check one) [  ] went through a router but the TTL remained the same  [  ] went through several routers and so the TTL was decremented  [  ] went through one router and so was decremented by 1
    Notice that (if you answered the above question correctly) without having a map of the network we found through Wireshark that there was one router between the source and destination hosts.

    Screen print the packet-header details pane for this packet with the IP header maximized but the other sections minimized, and insert the screen shot immediately below.

8. Now, open the second packet in the capture file, the ping reply.  This is the same reply we looked at in the first capture file but this one was captured at the destination.  Observe that the TTL value is one more than the same reply packet that we observed from the source host.  This is (check one) [  ] confirmation that there is one router between the two hosts  [  ] confirmation that there is no router between the two hosts  [  ]

IP Fragmentation
9. Open the capture file ip_frag_source.pcap provided in Moodle.  This capture was taken from a host sending a ping request.  Observe that the Info column in the Wireshark packet-list pane lists two fragmented IP packets following the ICMP ping request from the 10.10.0.3 host to the 192.168.0.128 host.  When asked for a flag value, maximize the Flags field in the IP header.
    Click on the first packet in the capture file.
    What is the More Fragments flag set to? ______ 
    What is the Fragment Offset value? _______
    What is the Identification value? _______
    If this is the first packet in a sequence the More Fragments flag should be set to 1 and the Fragment Offset to zero.  Is that the case? ____
   
    Now, click on the second packet in the capture file
    What is the More Fragments flag set to? ______ 
    What is the Fragment Offset value? _______
    What is the Identification value? _______
    If this is the second of three packets in a sequence the More Fragments flag should be set to 1 and the Fragment Offset non-zero.  Is that the case? ____

Is the fragment offset equal to the default MTU value (1,500 bytes) minus the 20 bytes in the IP header? _____

Notice that the Data section of this packet has the same number of bytes.

    Next, click on the third packet in the capture file
    What is the More Fragments flag set to? ______ 
    What is the Fragment Offset value? _______
    What is the Identification value? _______
    If this is the third of three packets in a sequence the More Fragments flag should be set to 0 and the Fragment Offset non-zero.  Is that the case? ____

Is the fragment offset equal to 1480 + 1480? _____ (the number of payload bytes sent in the first two packets).

    Are the Identification fields the same in the three packets? ______ (if they are this indicates they are part of the same sequence of packets)

    Screen print the packet-header details pane for this third packet with the IP header maximized but the other sections minimized, and insert the screen shot immediately below.
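
Added example (not part of the original assignment): a Python sketch of the fragmentation rules checked in step 9. It splits a constructed 3,508-byte payload at a 1,500-byte MTU, decodes the More Fragments flag, Fragment Offset and Identification from each header, and reassembles only when the fragments are contiguous. The host addresses are the ones named in step 9; the payload, the Identification value 0x1234, the TTL and the function names are assumptions of this example. Note that the header stores the offset in 8-byte units.

```python
import struct

IP_HEADER_LEN = 20          # IPv4 header without options
HEADER_FMT = "!BBHHHBBH4s4s"


def checksum(header):
    """Ones' complement sum of 16-bit words; 0 when run over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src, dst, ident, more, offset_bytes, data_len, ttl=128, proto=1):
    # Flags/offset word: bit 14 = Don't Fragment, bit 13 = More Fragments,
    # low 13 bits = offset counted in 8-byte units.
    flags_frag = (int(more) << 13) | (offset_bytes // 8)
    fields = [0x45, 0, IP_HEADER_LEN + data_len, ident, flags_frag, ttl, proto, 0,
              bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))]
    fields[7] = checksum(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields)


def fragment(payload, src, dst, ident, mtu=1500):
    """Split payload so each packet fits the MTU; data sizes are multiples of 8."""
    step = (mtu - IP_HEADER_LEN) // 8 * 8       # 1480 for a 1500-byte MTU
    packets = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        more = off + step < len(payload)
        packets.append(ip_header(src, dst, ident, more, off, len(chunk)) + chunk)
    return packets


def parse(packet):
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, _src, _dst) = struct.unpack(HEADER_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "mf": (flags_frag >> 13) & 1,
        "offset_units": flags_frag & 0x1FFF,
        "offset_bytes": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "header_ok": checksum(packet[:ihl]) == 0,
        "data": packet[ihl:total_len],
    }


def reassemble(packets):
    """Rebuild the payload; refuse mixed IDs, gaps, overlaps or a missing tail."""
    frags = sorted((parse(p) for p in packets), key=lambda f: f["offset_bytes"])
    if len({f["id"] for f in frags}) != 1:
        raise ValueError("fragments carry different Identification values")
    expected = 0
    for f in frags:
        if f["offset_bytes"] != expected:
            raise ValueError("gap or overlap at offset %d" % f["offset_bytes"])
        expected += len(f["data"])
    if [f["mf"] for f in frags] != [1] * (len(frags) - 1) + [0]:
        raise ValueError("More Fragments flags do not mark a complete sequence")
    return b"".join(f["data"] for f in frags)


# Constructed payload standing in for a large ICMP echo request.
PAYLOAD = bytes(i % 256 for i in range(3508))
FRAGMENTS = fragment(PAYLOAD, "10.10.0.3", "192.168.0.128", ident=0x1234)

if __name__ == "__main__":
    for p in FRAGMENTS:
        f = parse(p)
        print(hex(f["id"]), "MF =", f["mf"], "offset =", f["offset_bytes"],
              "data bytes =", len(f["data"]))
```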

C. Transmission Control Protocol (TCP)
1.    Intro: TCP’s purpose is to support application-to-application communication.  This is sometimes referred to as process-to-process communication.  It is a connection-oriented protocol which means that there is communication between the sending and receiving hosts during the session.  This is referred to as “handshaking.”  TCP is reliable because it checks to be sure that everything it sends gets through and if not will ask for a re-send.  It uses port numbers to identify the processes it is communicating with.

2.    Start a new Wireshark capture and then from your browser access www.lanecc.edu and www.cisco.com.  Close your browser, and then stop the Wireshark capture.  Due to the fact there are so many packets displayed, let’s find just those between your computer and the Lane web server by using the Wireshark Expression button on the filter bar.  What is the IP address of your computer (ipconfig/all shows it)? ___________________

What is the IP address of the Lane web server (ping www.lanecc.edu shows it)? ____________________

Click Expression on the Wireshark filter bar, then in the field name list select “IPv4 Source”, that is, ip.src.  Then click on the == relation and enter your IP address in the value box, then click OK.  Now type && after the string in the filter box (&& means “and”).  Then click Expression again and in the field name list select “IPv4 Destination”, that is, ip.dst.  Then click on the == relation and enter the Lane web server’s IP address in the value box, then click OK.  Your filter box should now have this string: “ip.src == yourIP && ip.dst == LaneIP”.  Now click Apply on the filter bar.  You should see only the captured packets originating from your computer to the Lane web server.  What protocols are listed in the Protocol column of the packet-list pane? _______________________

Look in the Info column of the packet-list pane.  What is your port number and what is the Lane web server’s port number for this communication? ____________________________

Is your port number an ephemeral port number? ______

Is the Lane web server’s port a well-known port number? ________

What application is this port number associated with? _______

Are these port numbers the same for all the filtered packets shown in the packet-list pane? ______ (TCP uses a random port number for the source computer at the start of the communication, and typically a well-known port number for the destination.  Once the initial packet is sent, these ports are established and communication continues using them.)

3. Click on the first packet in the filtered list (the TCP SYN packet) to display it in the packet-header details pane.  Confirm the source and destination IP addresses and source and destination port numbers you found above by looking in the IP header and the TCP header for this packet.  Are they what you found above? _____

Is there an HTTP header in this packet? _____

This is the first packet in the TCP three-way handshake that sets up the TCP communication channel, not an HTTP request or reply, so the HTTP header should not be present.  In the TCP header, maximize the Flags section.  Is the SYN flag set? _____

Are there any other flags set? _____

Does this indicate that it is the first packet in the three-way handshake? ____

Screen print the packet-header details pane for this packet with the TCP header and TCP Flags maximized but the other sections minimized, and insert it immediately below.

4. How many protocol layers are there in the packet (count the protocol headers including Ethernet)? _______

Does this match the maximum number of layers for a TCP/IP packet? ______

Which TCP/IP layers are missing from this packet? ______________________

5.    Now, let’s change the filter expression to display all the packets captured between your computer and the Lane web server going both ways.  Enter this string into the filter box: “(ip.src == yourIP && ip.dst == LaneIP) || (ip.src == LaneIP && ip.dst == yourIP)” (double vertical bar (||) means “or”).  Click Apply on the filter bar.  Click on the packet coming from the Lane web server to your computer that appears after the TCP SYN packet.  Which TCP flag(s) are set in this packet? _____

Does this indicate that the packet is the first, second, or third packet in the TCP three-way handshake? _______

Screen print the packet-header details pane for this packet with the TCP header and TCP Flags maximized but the other sections minimized, and insert it immediately below.

6. Click on the packet after the last one and look at the TCP flags field.  What flags are set? __________

Is this the first, second, or third packet in the TCP three-way handshake? ___________ 

7. Now, scroll to the bottom of the filtered capture and look for the four packets that signal the TCP teardown (FIN/ACK, ACK, FIN/ACK, ACK).  Do you find them? ____

Indicate the observed Flags that are set and the direction for these four packets below:
   
    TCP Teardown
Packet    Flags    Source IP Addr    Dest’n IP Addr
First           
Second           
Third           
Fourth           

    Screen print the packet-header details pane for each of these four packets with the TCP header and TCP Flags maximized but the other sections minimized, and insert the four screen shots immediately below.

8. How many protocol layers are there in these packets (count the protocol headers including Ethernet)? _______

Does this match the maximum number of layers for a TCP/IP packet? ______

Which TCP/IP layers are missing from this packet? ______________________

9. Next, change the filter expression so you are displaying the packets between your computer and the Cisco web server and apply it.  Does this communication have a different ephemeral port number for your computer than the communication with the Lane web server even though it has the same source IP address? _____

What is this port number? _____

What is the port number of the Cisco web server? ____

Is this the same as the port number for Lane’s web server? ____

Why is that? ________________________________________________

10. Try to find the TCP three-way handshake and the TCP teardown packets in this filtered list.
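
Added example (not part of the original assignment): a Python sketch that decodes the TCP Flags byte and labels the three-way handshake and the four-packet teardown (FIN/ACK, ACK, FIN/ACK, ACK) that Section C asks you to locate. The capture is constructed: the addresses come from documentation ranges, and the ports, sequence numbers and function names are assumptions of this example.

```python
import struct

# Bits of the TCP flags byte (header byte 13), lowest bit first.
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def build_tcp(sport, dport, seq, ack, flags):
    """Minimal 20-byte TCP header: no options, checksum left at 0."""
    bits = sum(bit for name, bit in FLAG_BITS if name in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 65535, 0, 0)


def parse_tcp(raw):
    sport, dport, seq, ack, _offset, bits = struct.unpack("!HHIIBB", raw[:14])
    flags = [name for name, bit in FLAG_BITS if bits & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def port_class(port):
    """IANA ranges (RFC 6335); an OS may draw ephemeral ports from a wider range."""
    if port < 1024:
        return "well-known"
    return "registered" if port < 49152 else "dynamic/ephemeral"


def label_connection(packets):
    """packets: list of (src_ip, dst_ip, tcp_header_bytes) in capture order."""
    labels, stage, client, fin_from = [], 0, None, None
    for src, dst, raw in packets:
        flags = parse_tcp(raw)["flags"]
        name = "/".join(flags)
        if flags == ["SYN"] and stage == 0:
            stage, client = 1, src          # the opener is the client
            labels.append("handshake 1 of 3: SYN")
        elif flags == ["SYN", "ACK"] and stage == 1 and dst == client:
            stage = 2
            labels.append("handshake 2 of 3: SYN/ACK")
        elif flags == ["ACK"] and stage == 2 and src == client:
            stage = 3
            labels.append("handshake 3 of 3: ACK")
        elif "FIN" in flags:
            fin_from = src                  # this side has finished sending
            labels.append("teardown: " + name)
        elif flags == ["ACK"] and fin_from is not None and src != fin_from:
            fin_from = None                 # the peer acknowledged the FIN
            labels.append("teardown: ACK")
        else:
            labels.append("established: " + name)
    return labels


# Constructed capture: client 192.0.2.10:51514 talking to a web server on port 80.
C, S = "192.0.2.10", "198.51.100.20"
CAPTURE = [
    (C, S, build_tcp(51514, 80, 1000, 0, {"SYN"})),
    (S, C, build_tcp(80, 51514, 5000, 1001, {"SYN", "ACK"})),
    (C, S, build_tcp(51514, 80, 1001, 5001, {"ACK"})),
    (C, S, build_tcp(51514, 80, 1001, 5001, {"PSH", "ACK"})),
    (S, C, build_tcp(80, 51514, 5001, 1101, {"ACK"})),
    (C, S, build_tcp(51514, 80, 1101, 5001, {"FIN", "ACK"})),
    (S, C, build_tcp(80, 51514, 5001, 1102, {"ACK"})),
    (S, C, build_tcp(80, 51514, 5001, 1102, {"FIN", "ACK"})),
    (C, S, build_tcp(51514, 80, 1102, 5002, {"ACK"})),
]

if __name__ == "__main__":
    for (src, dst, raw), label in zip(CAPTURE, label_connection(CAPTURE)):
        hdr = parse_tcp(raw)
        print(f"{src}:{hdr['sport']} -> {dst}:{hdr['dport']}  {label}")
```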


D. Internet Control Message Protocol (ICMP)
1.    Intro: ICMP is the utility protocol of the TCP/IP suite.  Many software tools use ICMP, for example, ping.  There are many different types of ICMP packets.

2. We did some exploration of ICMP in Section B above.  Using the knowledge you acquired from doing the above exercises, create a Wireshark capture of your ping to www.cisco.com.  Locate the first ping request.  Maximize the ICMP header and find the ICMP type.  What type and code does it have? ______

In the Power Point accompanying this assignment, it is indicated that the ICMP header has a Variable field after the Checksum.  For this ping request packet, what is in the Variable field as displayed by Wireshark? _________________________________________________________________________ 

You pinged the hostname/domain name for Cisco’s website.  What is shown in the IP header for destination IP address?  ______________________

Does this match what the ping output shows in the Command Prompt window? ____

What networking protocol made this conversion from alphabetic target name to destination IP address? _________

Screen print the packet-header details pane for this packet with the IP and ICMP headers maximized but the other sections minimized, and insert the screen shot immediately below.

Screen print the Command Prompt window that shows your ping and the replies and insert it immediately below.

3.    Find a ping reply.  What is the ICMP type and code shown? ______________

Look at the packet-list pane.  How many echo request/echo reply pairs were generated by your ping command?  ________

Does this match what the ping output shows in the Command Prompt window? ______

    Close Wireshark, no need to save the capture if you have finished.


PART 2 – Summary
1.    Fill in the table below based on your experience doing the exercises above.  The header referred to is the header for the protocol in column 1.



Protocol    Header Contains IP Addresses (yes/no)    Header Contains MAC Addresses (yes/no)    Header Contains Port Numbers (yes/no)
ARP           
IP           
TCP           
ICMP           

2.    Fill in the table below based on your experience doing the exercises above.  Consider which TCP/IP layers (Link, Internet, Transport, Application) were contained in the packet you analyzed in the indicated section.  That is, network transmissions involve encapsulation of one protocol in another.  Identify in the table this encapsulation for the indicated packets by listing the TCP/IP layers you observed.

Packet    Which TCP/IP layers did you find (list each layer)
Section A, ARP   
Section B, ICMP ping   
Section C, TCP 3-way handshake   
Section C, TCP teardown   


Upload this document through Moodle with answers in bold and requested screen shots inserted.

[Note: Part 1 of this assignment is a modification of Ch. 6 from Practical Packet Analysis, Sanders, 2nd ed, No Starch Press, 2011]
 


[Solved] CS 279 Assignment 2 Link, Internet, and Transport Layer Protocols | Complete Solution

  • Submitted On 07 Feb, 2015 04:50:49

Here we already have computer arp table. So, no arp packets are generated. However, if the ARP table doesn’t contain the desired address an ARP broadcast packet is sent to all t...
