Taking Wireshark for a Test Run
1. List up to 10 different protocols that appear in the protocol column in the
unfiltered packet-listing window in step 7 above.
answer 1. SCTP
2. How long did it take from when the HTTP GET message was sent until the HTTP
OK reply was received? (By default, the value of the Time column in the packet-
listing window is the amount of time, in seconds, since Wireshark tracing began.
To display the Time field in time-of-day format, select the Wireshark View pull
down menu, then select Time Display Format, then select Time-of-day.)
answer Start time is 13:25:18.818210
End time is 13:25:19.196493
Elapsed time is 0.37872 sec
3. What is the Internet address of the gaia.cs.umass.edu (also known as www-
net.cs.umass.edu)? What is the Internet address of your computer?
answers IP of Src is 192.168.1.2
IP of Dst is 126.96.36.199
4. Print the two HTTP messages displayed in step 9 above. To do so, select Print
from the Wireshark File command menu, and select “Selected Packet Only” and
“Print as displayed” and then click OK.
Lab 2 Wireshark Lab: DNS
1. Run nslookup to obtain the IP address of a Web server in Asia.
answer I would choose www.kmitl.ac.th because it is a web server in Thailand.
result The IP address of www.kmitl.ac.th is 188.8.131.52
2. Run nslookup to determine the authoritative DNS servers for a university in Europe.
answer I would choose www.manchester.ac.uk because it is a university in England.
3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers for Yahoo! mail.
Tracing DNS with Wireshark
4. Locate the DNS query and response messages. Are they sent over UDP or TCP?
answer The DNS query and response messages are sent over UDP.
5. What is the destination port for the DNS query message? What is the source port of the DNS response message?
answer The destination port of the DNS query message is 53.
The source port of the DNS response message is 3411.
6. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same?
answer The DNS query message is sent to IP address 192.168.1.2; the IP address of my local DNS server is 192.168.1.2; the two IP addresses are the same.
7. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
answer The type of the DNS query is PTR (domain name pointer). The query message does not contain any “answers”.
8. Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?
answer 1 answer is provided.
The answer contains 184.108.40.206.in-addr.arpa: type PTR, class IN, www.ietf.org.
9. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message?
answer The IP address of the SYN packet is 220.127.116.11
The IP address of the DNS response message is 192.168.1.1
10. This web page contains images. Before retrieving each image, does your host issue new DNS queries?
answer My host doesn’t issue new DNS queries.
11. What is the destination port for the DNS query message? What is the source port of the DNS response message?
answer The destination port of the DNS query message is 53. The source port of the DNS response message is 53.
12. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
answer The DNS query message is sent to IP address 18.104.22.168; yes, it is the IP address of my default local DNS server.
13. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
answer The type of the DNS query is A (host address). The query message does not contain any answers.
14. Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?
answer 1 answer is provided. The answer contains www.mit.edu: type A, class IN, addr 22.214.171.124.
15. Provide a screenshot.
nslookup -type=NS mit.edu
16. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
answer The DNS query message is sent to IP 126.96.36.199; yes, it is the IP address of my default local DNS server.
17. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
answer The type of the DNS query is NS (authoritative name server). The query message does not contain any answers.
18. Examine the DNS response message. What MIT name servers does the response message provide? Does this response message also provide the IP addresses of the MIT name servers?
answer mit.edu: type NS, class IN, ns bitsy.mit.edu, addr 188.8.131.52
mit.edu: type NS, class IN, ns w20ns.mit.edu, addr 184.108.40.206
mit.edu: type NS, class IN, ns strawb.mit.edu, addr 220.127.116.11
19. Provide a screenshot.
nslookup www.aiit.or.kr bitsy.mit.edu
20. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server? If not, what does the IP address correspond to?
answer The DNS query message is sent to IP 18.104.22.168; yes, it is the IP address of my default local DNS server.
21. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
answer The type of the DNS query message in the Standard query for PTR 22.214.171.124 is PTR. The query message does not contain any answer.
The type of the DNS query message in the Standard query for A www.aiit.or.kr is A. The query message does not contain any answer.
22. Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?
answer 1 answer in the DNS response message to the Standard query for PTR 126.96.36.199. The answer contains 188.8.131.52.in-addr.arpa: type PTR, class IN, BITSY.MIT.EDU
1 answer in the DNS response message to the Standard query for A www.aiit.or.kr. The answer contains www.aiit.or.kr: type A, class IN, addr 184.108.40.206
23. Provide a screenshot.
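As an added example (not part of the lab write-up), the Python below builds and parses DNS messages of the kinds examined in this lab: A, NS and PTR queries, the in-addr.arpa owner name that a PTR query asks about, and an answer whose owner name is a compression pointer back to the question. Every message, name and address here is constructed for illustration; none is taken from the capture. The parser also bounds the number of pointer jumps, which is the check a resolver needs against a crafted message whose pointers loop.

```python
import struct

# Added example: a minimal DNS message parser/builder. All messages and names
# below are constructed for illustration, not taken from a capture.

QTYPE_NAMES = {1: "A", 2: "NS", 12: "PTR", 28: "AAAA"}
MAX_POINTER_JUMPS = 16   # guard against pointer loops in untrusted messages


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name at offset; return (name, offset after the name)."""
    labels, jumps, end = [], 0, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            if end is None:
                end = offset + 2                  # the name occupies only the pointer here
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (offset if end is None else end)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_rdata(rtype, msg, start, rdlength):
    """Render RDATA: dotted quad for A, a domain name for NS/PTR, hex otherwise."""
    if rtype == 1 and rdlength == 4:
        return ".".join(str(b) for b in msg[start:start + 4])
    if rtype in (2, 12):
        return decode_name(msg, start)[0]
    return msg[start:start + rdlength].hex()


def parse_dns(msg):
    """Parse the header, question section and answer section of a DNS message."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    result = {"id": ident, "is_response": bool(flags & 0x8000),
              "rcode": flags & 0xF, "questions": [], "answers": []}
    off = 12
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        result["questions"].append((name, QTYPE_NAMES.get(qtype, qtype)))
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        result["answers"].append((name, QTYPE_NAMES.get(rtype, rtype), ttl,
                                  parse_rdata(rtype, msg, off, rdlength)))
        off += rdlength
    return result


def build_response(ident, qname, qtype, rdata, ttl=300):
    """Build a standard response (QR=1, RD=1, RA=1) with one question and one answer
    whose owner name is a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def reverse_name(ipv4):
    """The in-addr.arpa owner name that a PTR query for an IPv4 address asks about."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


if __name__ == "__main__":
    msg = build_response(0x1234, "www.example.com", 1, bytes([192, 0, 2, 10]))
    print(parse_dns(msg))
    ptr = build_response(0x0007, reverse_name("192.0.2.10"), 12, encode_name("host.example.com"))
    print(parse_dns(ptr))
```

The question type, the answer count and the RDATA rendering are what Wireshark shows in the packet-details pane for the queries above; the port numbers belong to the UDP layer, not to this message format.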
Lab 1 Wireshark Lab: HTTP
1. The Basic HTTP GET/response interaction
1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running?
answer browser running HTTP version is 1.1
server running HTTP version is 1.1
2. What languages (if any) does your browser indicate that it can accept to the server?
answer Accept-Language : th\r\n
3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?
answer IP address of my computer is 192.168.1.2
IP address of the gaia.cs.umass.edu server is 220.127.116.11
4. What is the status code returned from the server to your browser?
answer response code : 200
5. When was the HTML file that you are retrieving last modified at the server?
answer Last-Modified: Fri, 13 Jun 2008 04:26:01 GMT\r\n
6. How many bytes of content are being returned to your browser?
answer Content-Length : 128
7. By inspecting the raw data in the packet content window, do you see any headers within the data that are not displayed in the packet-listing window? If so, name one.
answer Ethernet II, Src: CompalEl_80:aa:38 (00:0f:b0:80:aa:38), Dst: Shanghai_5c:8f:d4(00:08:5c:5c:8f:d4)
2. The HTTP CONDITIONAL GET/response interaction
8. Inspect the contents of the first HTTP GET request from your browser to the server.
Do you see an “IF-MODIFIED-SINCE” line in the HTTP GET?
answer I don’t see an “IF-MODIFIED-SINCE” line in the HTTP GET.
9. Inspect the contents of the server response. Did the server explicitly return the contents of the file? How can you tell?
answer The first server response returns Content-Type: text/html; charset=ISO-8859-1\r\n.
The second server response doesn’t return Content-Type, because it returns HTTP/1.1 304 not
10. Now inspect the contents of the second HTTP GET request from your browser to the server. Do you see an “IF-MODIFIED-SINCE:” line in the HTTP GET? If so, what information follows the “IF-MODIFIED-SINCE:” header?
answer Yes, I see an “IF-MODIFIED-SINCE” header.
The “IF-MODIFIED-SINCE” header value is Fri, 13 Jun 2008 04:45:01 GMT\r\n
11. What is the HTTP status code and phrase returned from the server in response to this second HTTP GET? Did the server explicitly return the contents of the file? Explain.
answer Response code: 304. The server doesn’t return the contents of the file.
3. Retrieving Long Documents
12. How many HTTP GET request messages were sent by your browser?
answer 1 time.
13. How many data-containing TCP segments were needed to carry the single HTTP response?
answer 5 TCP Segments.
[Reassembled TCP Segments (4809 bytes): #8(309), #9(1452), #16(1452), #17(1452), #19(144)]
Frame: 8, payload: 0-308 (309 bytes)
Frame: 9, payload: 309-1760 (1452 bytes)
Frame: 16, payload: 1761-3212 (1452 bytes)
Frame: 17, payload: 3213-4664 (1452 bytes)
Frame: 19, payload: 4665-4808 (144 bytes)
14. What is the status code and phrase associated with the response to the HTTP GET request?
answer Request Method: GET
Request URI: /wireshark-labs/HTTP-wireshark-file3.html
Request Version: HTTP/1.1
15. Are there any HTTP status lines in the transmitted data associated with a TCP-induced “Continuation”?
4. HTML Documents with Embedded Objects
16. How many HTTP GET request messages were sent by your browser? To which Internet addresses were these GET requests sent?
answer 4 HTTP GET request messages.
1. Internet address is gaia.cs.umass.edu (18.104.22.168)
2. Internet address is www.aw-bc.com (22.214.171.124)
3. Internet address is manic.cs.umass.edu (126.96.36.199)
4. Internet address is www.pearsonhighered.com (188.8.131.52)
17. Can you tell whether your browser downloaded the two images serially, or whether they were downloaded from the two web sites in parallel? Explain.
answer I think my browser downloaded the two images in parallel because, observing the Time column, the pictures were requested at the same time without waiting for the previous request to finish.
5. HTTP Authentication
18. What is the server’s response (status code and phrase) in response to the initial HTTP GET message from your browser?
answer Response Code : 401 , HTTP/1.1 401 Authorization Required.
19. When your browser sends the HTTP GET message for the second time, what new field is included in the HTTP GET message?
answer Authorization: Basic d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=\r\n
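As an added example (not from the lab or its author), the following Python reproduces the two server-side decisions this lab traces: the conditional GET (compare If-Modified-Since against the file's Last-Modified and answer 304 or 200) and the Basic authentication header. The request text, the file dates and the credential `user:pass` are constructed for illustration. The Basic decoder makes the security point of the last question concrete: base64 is an encoding, so the credential in the capture is readable by anyone on the path.

```python
import base64
import binascii
from datetime import timezone
from email.utils import parsedate_to_datetime

# Added example: the conditional GET decision and the Basic credential encoding
# seen in the HTTP lab. The request text below is constructed, not captured.

SAMPLE_REQUEST = (
    "GET /wireshark-labs/HTTP-wireshark-file2.html HTTP/1.1\r\n"
    "Host: gaia.cs.umass.edu\r\n"
    "Accept-Language: th\r\n"
    "If-Modified-Since: Fri, 13 Jun 2008 04:26:01 GMT\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"   # constructed credential "user:pass"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def _http_date(value):
    """Parse an RFC 1123 date; treat a missing zone as UTC so comparisons never fail."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def conditional_get_status(request, last_modified):
    """Return 304 when the validator shows the client's copy is still current, else 200.
    An unparsable date is treated as 'no condition': the client just gets the full body."""
    ims = request["headers"].get("if-modified-since")
    if ims is None:
        return 200
    try:
        ims_dt, lm_dt = _http_date(ims), _http_date(last_modified)
    except (TypeError, ValueError):
        return 200
    return 304 if lm_dt <= ims_dt else 200


def decode_basic_auth(header_value):
    """Recover (user, password) from an Authorization: Basic header, or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(conditional_get_status(req, "Fri, 13 Jun 2008 04:26:01 GMT"))   # 304
    print(conditional_get_status(req, "Fri, 13 Jun 2008 04:45:01 GMT"))   # 200
    print(decode_basic_auth(req["headers"]["authorization"]))
```

The 304 branch is why the second response in the conditional-GET section carries no Content-Type or body: the server only confirms that the client's cached copy is still valid.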
Lab 3 Wireshark Lab: UDP
1. Select one packet. From this packet, determine how many fields there are in the UDP header. (Do not look in the textbook! Answer these questions directly from what you observe in the packet trace.) Name these fields.
answer 4 fields in the UDP header: Source Port, Destination Port, Length, Checksum.
2. From the packet content field, determine the length (in bytes) of each of the UDP header fields.
answer The UDP header consists of four (4) fields:
source port number 2 bytes
destination port number 2 bytes
datagram size (Length) 2 bytes
checksum 2 bytes
3. The value in the Length field is the length of what? Verify your claim with your captured UDP packet.
answer The Length field is a simple count of the number of bytes contained in the header and data sections, so the value in the Length field is 37. (Picture in point 1 mentioned above)
4. What is the maximum number of bytes that can be included in a UDP payload?
answer The maximum size of a datagram varies depending on the operating environment. With a two-byte size field, the theoretical maximum size is 65535 bytes.
5. What is the largest possible source port number?
answer the largest source port number is 65535.
6. What is the protocol number for UDP? Give your answer in both hexadecimal and decimal notation. (To answer this question, you’ll need to look into the IP header.)
answer The protocol number of UDP is 0x11 (hexadecimal), 17 (decimal).
7. Search “UDP” in Google and determine the fields over which the UDP checksum is calculated.
answer It uses the pseudo-header fields in the checksum calculation, that is, Source IP address, Destination IP address, IP payload length, protocol type (reference from the web: http://www.erg.abdn.ac.uk/users/gerrit/udp-lite/).
8. Examine a pair of UDP packets in which the first packet is sent by your host and the second packet is a reply to the first packet. Describe the relationship between the port numbers in the two packets.
answer First packet source port is 1801 , Destination port is 53.
Second packet source port is 53 , Destination port is 1801.
1. Capture a small UDP packet. Manually verify the checksum in this packet. Show all work and explain all steps.
answer UDP sender:
IP Source Address = 184.108.40.206
separated into 16-bit words = 00111010.00001010.01001101.10111010
IP Destination Address = 220.127.116.11
separated into 16-bit words = 11001011.10010000.11001111.00110001
Protocol: UDP (0x11) = 00010001
UDP Length: 53 = 00110101
calculated checksum:
  00111010 00001010
+ 01001101 10111010
= 01110111 10110000
+ 11001011 10010000
= 10111100 00110001
+ 11001111 00110001
= 01110011 00010001
+ 00010001 00110101
= 01100010 00100100
1’s complement: 10011101 11011011
UDP receiver:
IP Source Address = 18.104.22.168
separated into 16-bit words = 11001011.10010000.11001111.00110001
IP Destination Address = 22.214.171.124
separated into 16-bit words = 00111010.00001010.01001101.10111010
Protocol: UDP (0x11) = 00010001
UDP Length: 53 = 00110101
calculated checksum:
  11001011 10010000
+ 11001111 00110001
= 00000100 10100001
+ 00111010 00001010
= 00111110 10101011
+ 01001101 10111010
= 01110011 00010001
+ 00010001 00110101
= 01100010 00100100 : result at receiver
+ 10011101 11011011 : result from sender
= 11111111 11111111 : no error
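The same verification as an added Python example (not the lab's own code): the one's-complement sum is taken over the pseudo-header (source IP, destination IP, zero byte, protocol 17, UDP length) followed by the UDP header and payload, and a receiver accepts the segment when the sum that includes the transmitted checksum comes out as all ones. Addresses, ports and payloads below are constructed test values (RFC 5737 TEST-NET), not the capture's; the block also covers the two edge cases a hand calculation usually skips, the odd-length payload and the zero-means-no-checksum rule of RFC 768.

```python
import struct

# Added example: UDP checksum over the IPv4 pseudo-header, computed and verified
# the same way as the manual calculation above. Addresses, ports and payload are
# constructed test values (RFC 5737 TEST-NET), not the lab capture.

UDP_PROTOCOL = 17   # 0x11, the IPv4 protocol number for UDP


def ones_complement_sum(data):
    """Add 16-bit big-endian words with end-around carry; a trailing odd byte is zero-padded."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def pseudo_header(src_ip, dst_ip, udp_length):
    """Source IP, destination IP, zero byte, protocol, UDP length: the extra fields
    that let the receiver detect a datagram delivered to the wrong host or protocol."""
    return ipv4_bytes(src_ip) + ipv4_bytes(dst_ip) + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length)


def udp_checksum(src_ip, dst_ip, segment):
    """Checksum to place in bytes 6-7 of the segment (computed with that field zeroed).
    RFC 768: a computed value of zero is sent as 0xFFFF, since 0 means 'no checksum'."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed) & 0xFFFF
    return csum or 0xFFFF


def verify_udp(src_ip, dst_ip, segment):
    """Receiver side: summing pseudo-header + segment (checksum included) must give 0xFFFF."""
    transmitted = struct.unpack("!H", segment[6:8])[0]
    if transmitted == 0:
        return True   # sender disabled the checksum (allowed for UDP over IPv4); nothing to verify
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Assemble a UDP segment with a correct checksum."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + payload


if __name__ == "__main__":
    seg = build_udp("192.0.2.1", "192.0.2.53", 1801, 53, b"")
    print(hex(struct.unpack("!H", seg[6:8])[0]), verify_udp("192.0.2.1", "192.0.2.53", seg))
```

Because the pseudo-header is part of the sum, a segment whose IP addresses were altered in transit fails verification even though the UDP bytes themselves are intact; the last assertion in the usage below shows that case.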
Capturing a bulk TCP transfer from your computer to a remote server
1. What is the IP address and TCP port number used by the client computer (source) that is transferring the file to gaia.cs.umass.edu? To answer this question, it’s probably easiest to select an HTTP message and explore the details of the TCP packet used to carry this HTTP message, using the “details of the selected packet header window” (refer to Figure 2 in the “Getting Started with Wireshark” Lab if you’re uncertain about the Wireshark windows).
answer Source IP address is 126.96.36.199, source TCP port is 5010.
2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending and receiving TCP segments for this connection?
answer The IP address of gaia.cs.umass.edu is 188.8.131.52; the port number for sending and receiving TCP segments is 80. (From picture sequence 1)
3. What is the IP address and TCP port number used by your client computer (source) to transfer the file to gaia.cs.umass.edu?
answer IP address is Local IP, TCP port is Local port.
4. What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection between the client computer and gaia.cs.umass.edu? What is it in the segment that identifies the segment as a SYN segment?
answer The sequence number of the TCP SYN segment that is used to initiate the TCP connection between the client computer and gaia.cs.umass.edu is 0; the SYN flag is 1.
5. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client computer in reply to the SYN? What is the value of the ACKnowledgement field in the SYNACK segment? How did gaia.cs.umass.edu determine that value? What is it in the segment that identifies the segment as a SYNACK segment?
answer The sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client computer in reply to the SYN is 0; the value of the ACKnowledgement field in the SYNACK segment is 1; the SYN and ACK flags are 1.
6. What is the sequence number of the TCP segment containing the HTTP POST command? Note that in order to find the POST command, you’ll need to dig into the packet content field at the bottom of the Wireshark window, looking for a segment with a “POST” within its DATA field.
answer The sequence number of the TCP segment containing the HTTP POST command is FRAME 4.
7. Consider the TCP segment containing the HTTP POST as the first segment in the TCP connection. What are the sequence numbers of the first six segments in the TCP connection (including the segment containing the HTTP POST)? At what time was each segment sent? When was the ACK for each segment received? Given the difference between when each TCP segment was sent, and when its acknowledgement was received, what is the RTT value for each of the six segments? What is the EstimatedRTT value (see page 249 in text) after the receipt of each ACK? Assume that the value of the EstimatedRTT is equal to the measured RTT for the first segment, and then is computed using the EstimatedRTT equation on page 249 for all subsequent segments. Note: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP segments sent. Select a TCP segment in the “listing of captured packets” window that is being sent from the client to the gaia.cs.umass.edu server. Then select: Statistics->TCP Stream Graph->Round Trip Time Graph.
answer HTTP POST segments are No. 4, 5, 7, 8, 10, 11. ACK segments are No. 6, 9, 12, 14, 15, 16.
Segment 1 sequence number is 1
Segment 2 sequence number is 777
Segment 3 sequence number is 2203
Segment 4 sequence number is 3629
Segment 5 sequence number is 5055
Segment 6 sequence number is 6481
Segment     Send time   ACK time    RTT
Segment 1   0.359375    0.703125    0.34375
Segment 2   0.359375    0.734375    0.375
Segment 3   0.703125    1.062500    0.359375
Segment 4   0.703125    1.093750    0.390625
Segment 5   0.734375    1.109375    0.375
Segment 6   0.734375    1.140625    0.40625
Calculated EstimatedRTT: EstimatedRTT = 0.875 * EstimatedRTT + 0.125 * SampleRTT
EstimatedRTT of Segment 1 = 0.34375
EstimatedRTT of Segment 2 = 0.875 * 0.34375 + 0.125 * 0.375 = 0.3475
EstimatedRTT of Segment 3 = 0.875 * 0.3475 + 0.125 * 0.359375 = 0.3489
EstimatedRTT of Segment 4 = 0.875 * 0.3489 + 0.125 * 0.390625 = 0.3541
EstimatedRTT of Segment 5 = 0.875 * 0.3541 + 0.125 * 0.375 = 0.3567
EstimatedRTT of Segment 6 = 0.875 * 0.3567 + 0.125 * 0.40625 = 0.3628
[Figures: HTTP POST segment; ACK segment; Round Trip Time Graph]
8. What is the length of each of the first six TCP segments?
answer The length of the first TCP segment is 776 bytes and the length of the other TCP segments (5 TCP segments) is 1426 bytes (from the HTTP POST segment picture mentioned below).
9. What is the minimum amount of available buffer space advertised at the receiver for the entire trace? Does the lack of receiver buffer space ever throttle the sender?
answer The minimum amount of available buffer space advertised at the receiver for the entire trace is 5840 bytes (first connection). No, the lack of receiver buffer space doesn’t ever throttle the sender.
10. Are there any retransmitted segments in the trace file? What did you check for (in the trace) in order to answer this question?
answer No, there aren’t retransmitted segments in the trace file. I would check for retransmitted segments using the Time-Sequence Graph (Stevens).
11. How much data does the receiver typically acknowledge in an ACK? Can you identify cases where the receiver is ACKing every other received segment (see Table 3.2 on page 257 in the text).
answer
ACK     acknowledged sequence number   acknowledged data
ack1    1                              776
ack2    777                            1426
ack3    2203                           1426
ack4    3629                           1426
ack5    5505                           1426
ack6    6481                           1426
ack7    7907                           1062
ack8    8969                           1426
ack9    10395                          1426
...
12. What is the throughput (bytes transferred per unit time) for the TCP connection? Explain how you calculated this value.
answer average throughput of a connection = (0.75*W)/RTT, where W is the window size (bytes) and RTT is the current round-trip time. Example, referring to the first segment calculated in question 7: the window size of the first segment is 65535; the RTT of the first segment is 0.34375; average throughput of a connection = (0.75*65535)/0.34375 = 142,985.45 bytes/sec = 142 Kbytes/sec
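The EstimatedRTT recurrence from question 7 as an added Python example (not part of the write-up). The (send, ACK) timestamps are constructed so that they reproduce the six SampleRTT values listed above; they are not read from the capture. The block goes one step beyond the question by also carrying DevRTT and the resulting TimeoutInterval, the two quantities that the same sample stream feeds in RFC 6298, with the RFC's order of updates (DevRTT first, using the previous estimate) so that the results are comparable with what a TCP implementation would compute.

```python
# Added example: the EstimatedRTT recurrence from question 7, plus the DevRTT and
# TimeoutInterval that the same sample stream feeds (RFC 6298 / Kurose & Ross).
# The (send, ACK) timestamps are constructed to reproduce the six SampleRTT values
# listed above; they are not read from the capture.

ALPHA = 0.125   # weight of the newest sample in EstimatedRTT
BETA = 0.25     # weight of the newest deviation in DevRTT

SEND_ACK_TIMES = [
    (0.359375, 0.703125), (0.359375, 0.734375), (0.703125, 1.062500),
    (0.703125, 1.093750), (0.734375, 1.109375), (0.734375, 1.140625),
]


def sample_rtts(pairs):
    """SampleRTT per segment: time the ACK arrived minus time the segment was sent."""
    return [ack - sent for sent, ack in pairs]


def estimated_rtts(rtts, alpha=ALPHA):
    """EstimatedRTT after each ACK; the first sample seeds the estimate."""
    est, out = None, []
    for r in rtts:
        est = r if est is None else (1 - alpha) * est + alpha * r
        out.append(est)
    return out


def rto_timeline(rtts, alpha=ALPHA, beta=BETA):
    """(EstimatedRTT, DevRTT, TimeoutInterval) after each ACK. DevRTT is updated with the
    previous EstimatedRTT before the estimate itself moves, as RFC 6298 specifies."""
    est = dev = None
    out = []
    for r in rtts:
        if est is None:
            est, dev = r, r / 2          # RFC 6298 initialisation from the first sample
        else:
            dev = (1 - beta) * dev + beta * abs(r - est)
            est = (1 - alpha) * est + alpha * r
        out.append((est, dev, est + 4 * dev))
    return out


if __name__ == "__main__":
    rtts = sample_rtts(SEND_ACK_TIMES)
    for i, (r, e) in enumerate(zip(rtts, estimated_rtts(rtts)), 1):
        print(f"segment {i}: SampleRTT={r:.6f} EstimatedRTT={e:.6f}")
    print(rto_timeline(rtts)[-1])
```

Run unrounded, the estimates are 0.347656, 0.349121, 0.354309, 0.356895 and 0.363065 after segments 2 to 6; the hand calculation above rounds each intermediate value to four decimals, which is where its last digits differ.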
TCP congestion control in action
13. Use the Time-Sequence-Graph (Stevens) plotting tool to view the sequence number versus time plot of segments being sent from the client to the gaia.cs.umass.edu server. Can you identify where TCP’s slowstart phase begins and ends, and where congestion avoidance takes over? Comment on ways in which the measured data differs from the idealized behavior of TCP that we’ve studied in the text.
answer From picture sequence 10, because there may be traffic on the network (bottleneck link). When TCP has connected the sender and receiver, it has one value (the window size) that is used to fix how much information can be sent to the receiver. So the window size is a value agreed between sender and receiver for how much data can be in segments before sending.
14. Answer each of the two questions above for the trace that you have gathered when you transferred a file from your computer to gaia.cs.umass.edu
answer When there is a lot of traffic on the network, the TCP sender uses the AIMD algorithm to reduce the window size value.
A look at the captured trace
1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol part of the packet in the packet details window. What is the IP address of your computer?
answer The IP address of my computer is 184.108.40.206
2. Within the IP packet header, what is the value in the upper layer protocol field?
answer ICMP (0x01)
3. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain how you determined the number of payload bytes.
answer IP header = Total Length – Header Length = 56 – 20 = 36. The payload of the IP datagram is 0 bytes because Flags: 0x00.
4. Has this IP datagram been fragmented? Explain how you determined whether or not the datagram has been fragmented.
answer This IP datagram hasn’t been fragmented because Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don’t fragment: Not set
..0. = More fragments: Not set
5. Which fields in the IP datagram always change from one datagram to the next within this series of ICMP messages sent by your computer?
answer 1. Identification 2. Time to live (TTL) 3. Checksum
6. Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why?
answer 1. Version 2. Header length 3. Flag 4. Fragment offset 5. Protocol 6. Source 7. Destination
7. Describe the pattern you see in the values in the Identification field of the IP datagram
answer Identification: This field contains a 16-bit value that is common to each of the fragments belonging to a particular message; for datagrams originally sent unfragmented it is still filled in
8. What is the value in the Identification field and the TTL field?
answer Identification: 0x2772 (10098) Time to live: 1
9. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your computer by the nearest (first hop) router? Why?
answer The value of TTL isn’t changed because no datagram is sent to work with the router.
10. Find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 2000. Has that message been fragmented across more than one IP datagram?
answer Yes, the message has been fragmented across more than one IP datagram.
11. Print out the first fragment of the fragmented IP datagram. What information in the IP header indicates that the datagram been fragmented? What information in the IP header indicates whether this is the first fragment versus a latter fragment? How long is this IP datagram?
answer Total length is 1500. Flags: 0x02
0... = Reserved bit: Not set
.0.. = Don’t fragment: Not set
..1. = More fragments: Not set
12. Print out the second fragment of the fragmented IP datagram. What information in the IP header indicates that this is not the first datagram fragment? Are there more fragments? How can you tell?
answer Total length is 520. Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don’t fragment: Not set
..0. = More fragments: Not set
Fragment offset: 1480
13. What fields change in the IP header between the first and second fragment?
answer 1. Total length 2. Flag 3. Fragment offset 4. Checksum
14. How many fragments were created from the original datagram?
answer 3 fragments were created from the original datagram.
15. What fields change in the IP header among the fragments?
answer 1. Total length 2. Flag 3. Fragment offset 4. Checksum
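As an added Python example (not from the lab), the following shows how an IPv4 datagram is cut into fragments and how a receiver decides, from Total Length, the More Fragments flag and Fragment Offset alone, whether it has a complete set. The sizes used (a 4000-byte payload, a 1500-byte MTU, a 20-byte header with no options) are constructed and do not describe the capture examined in questions 10 to 15; the general rules they illustrate are that every fragment but the last carries a multiple of 8 data bytes, that the offset field counts 8-byte units, and that a fragment with Don't Fragment set cannot be produced at all.

```python
# Added example: how an IPv4 datagram is cut into fragments and how a receiver can
# tell, from Total Length, the MF flag and Fragment Offset alone, whether it holds a
# complete set. Sizes below (a 4000-byte payload, a 1500-byte MTU) are constructed
# and do not describe the lab's capture.

IHL = 20   # header length in bytes, assumed: no IP options


def fragment(payload_len, mtu=1500, ihl=IHL, df=False):
    """Return [(total_length, more_fragments, fragment_offset)] with the offset in 8-byte units.
    Every fragment except the last carries a multiple of 8 data bytes, which is why the
    offset field can be 13 bits wide and still address a 65535-byte datagram."""
    if ihl + payload_len <= mtu:
        return [(ihl + payload_len, False, 0)]
    if df:
        raise ValueError("DF set: datagram exceeds the MTU and may not be fragmented")
    max_data = (mtu - ihl) // 8 * 8
    frags, offset = [], 0
    while offset < payload_len:
        data = min(max_data, payload_len - offset)
        more = offset + data < payload_len
        frags.append((ihl + data, more, offset // 8))
        offset += data
    return frags


def is_fragment(more_fragments, fragment_offset):
    """A datagram is a piece of a larger one if MF is set or it does not start at offset 0."""
    return more_fragments or fragment_offset != 0


def is_complete(frags, ihl=IHL):
    """True when the fragments are contiguous from offset 0 through one with MF clear."""
    expected = 0
    for total_len, more, offset in sorted(frags, key=lambda f: f[2]):
        if offset != expected:
            return False          # a gap (lost fragment) or an overlap
        if not more:
            return True
        expected = offset + (total_len - ihl) // 8
    return False                  # never saw the final fragment


def reassembled_payload_len(frags, ihl=IHL):
    """Original payload size from the last fragment: its offset plus its data length."""
    total_len, _, offset = max(frags, key=lambda f: f[2])
    return offset * 8 + (total_len - ihl)


if __name__ == "__main__":
    for f in fragment(4000):
        print(f"total_length={f[0]} MF={int(f[1])} offset={f[2]} ({f[2] * 8} bytes)")
```

The `is_complete` check is also the point where a reassembling host must be careful: overlapping or gapped offsets from an untrusted sender are rejected here rather than merged, and a set that never delivers its final fragment should be timed out rather than held indefinitely.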
Lab 6 Wireshark Lab: DHCP
1. Are DHCP messages sent over UDP or TCP?
answer UDP
2. Draw a timing datagram illustrating the sequence of the first four-packet Discover/Offer/Request/ACK DHCP exchange between the client and server. For each packet, indicate the source and destination port numbers. Are the port numbers the same as in the example given in this lab assignment?
answer
3. What is the link-layer (e.g., Ethernet) address of your host?
answer The address of the host is 00:0f:b0:80:aa:38.
4. What values in the DHCP discover message differentiate this message from the DHCP request message?
answer The value in the DHCP discover message that differentiates it from the DHCP request is the option.
5. What is the value of the Transaction-ID in each of the first four (Discover/Offer/Request/ACK) DHCP messages? What are the values of the Transaction-ID in the second set (Request/ACK) set of DHCP messages? What is the purpose of the Transaction-ID field?
answer The Transaction-ID of the first DHCP messages is 0x989ac758. The Transaction-ID of the second DHCP messages is 0xd5d4e490. The Transaction-ID is a random number chosen by the client. Its objective is to let the client and the DHCP server determine that a DHCP message sent and a DHCP message received are related to each other.
6. A host uses DHCP to obtain an IP address, among other things. But a host’s IP address is not confirmed until the end of the four-message exchange! If the IP address is not set until the end of the four-message exchange, then what values are used in the IP datagrams in the four-message exchange? For each of the four DHCP messages (Discover/Offer/Request/ACK DHCP), indicate the source and destination IP addresses that are carried in the encapsulating IP datagram.
answer Source IP address: 0.0.0.0 is a special address. Destination IP address: 255.255.255.255 is the broadcast IP address.
7. What is the IP address of your DHCP server?
answer 192.168.1.8
8. What IP address is the DHCP server offering to your host in the DHCP Offer message? Indicate which DHCP message contains the offered DHCP address.
answer 192.168.1.8
9. In the example screenshot in this assignment, there is no relay agent between the host and the DHCP server. What values in the trace indicate the absence of a relay agent? Is there a relay agent in your experiment? If so what is the IP address of the agent?
answer A relay agent has the responsibility to control sending DHCP messages across different subnet networks. This lab has no relay agent because the IP address is 0.0.0.0.
10. Explain the purpose of the router and subnet mask lines in the DHCP offer message.
answer The router line is used to let the client know the IP address of the router that it uses on the network. The subnet mask defines where the host is on the network or sub-network.
11. In the example screenshots in this assignment, the host requests the offered IP address in the DHCP Request message. What happens in your own experiment?
answer The host requests the offered IP address in the DHCP Request message.
12. Explain the purpose of the lease time. How long is the lease time in your experiment?
answer The lease time tells how long the IP address can be used. The lease time in my experiment is 1 hour.
13. What is the purpose of the DHCP release message? Does the DHCP server issue an acknowledgment of receipt of the client’s DHCP request? What would happen if the client’s DHCP release message is lost?
answer The DHCP release message is used to tell the DHCP server that the client has already used the IP address. If the DHCP release message is lost, then that IP address is used until the expiry time.
14. Clear the bootp filter from your Wireshark window. Were any ARP packets sent or received during the DHCP packet-exchange period? If so, explain the purpose of those ARP packets.
answer ARP (Address Resolution Protocol) is the protocol that is used to map between an IP address (Internet Protocol address) and a MAC address (Media Access Control address).
Lab 7 Wireshark Lab: ICMP
1. What is the IP address of your host? What is the IP address of the destination host?
answer The IP address of the host is 220.127.116.11; the IP address of the destination is 18.104.22.168.
2. Why is it that an ICMP packet does not have source and destination port numbers?
answer ICMP is in the network layer, and that layer doesn’t have source and destination port numbers to use for sending.
3. Examine one of the ping request packets sent by your host. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields?
answer Type: 8 Code: 0 Checksum: 2 bytes Identifier: 2 bytes Sequence number: 2 bytes
4. Examine the corresponding ping reply packet. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields?
answer Type: 8 Code: 0 Checksum: 2 bytes Identifier: 2 bytes Sequence number: 2 bytes
5. What is the IP address of your host? What is the IP address of the target destination host?
answer The IP address of the host is 22.214.171.124; the IP address of the destination is 126.96.36.199.
6. If ICMP sent UDP packets instead (as in Unix/Linux), would the IP protocol number still be 01 for the probe packets? If not, what would it be?
answer No, ICMP-sent packets use port 0x01 (17).
7. Examine the ICMP echo packet in your screenshot. Is this different from the ICMP ping query packets in the first half of this lab? If yes, how so?
answer From the picture on sequence 4 compared with the picture below, there is no difference.
8. Examine the ICMP error packet in your screenshot. It has more fields than the ICMP echo packet. What is included in those fields?
answer Type: 11, Code: 0, no Identifier number.
9. Examine the last three ICMP packets received by the source host. How are these packets different from the ICMP error packets? Why are they different?
answer The last three ICMP packets are ICMP reply packets.
10. Within the tracert measurements, is there a link whose delay is significantly longer than others? Refer to the screenshot in Figure 4, is there a link whose delay is significantly longer than others? On the basis of the router names, can you guess the location of the two routers on the end of this link?
answer The link whose delay is significantly longer than the others is 10 to 11, because the host of link 10 is in Thailand but the host of link 11 is in Germany.
Lab 8 Wireshark Lab: Ethernet and ARP
1. What is the 48-bit Ethernet address of your computer?
Answer 00:0f:b0:80:aa:38
2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? [Note: this is an important question, and one that students sometimes get wrong. Re-read pages 468-469 in the text and make sure you understand the answer here.]
Answer 00:08:5c:5c:8f:d4 isn't the IP address of the destination host but is the IP address of the gateway.
3. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s) whose value is 1 mean within the flag field?
Answer
4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET” appear in the Ethernet frame?
Answer
5. What is the hexadecimal value of the CRC field in this Ethernet frame?
Answer No hexadecimal value in the CRC field.
6. What is the value of the Ethernet source address? Is this the address of your computer, or of gaia.cs.umass.edu (Hint: the answer is no). What device has this as its Ethernet address?
Answer The source address is 00:08:5c:5c:8f:d4. It is not the address of my computer or of gaia.cs.umass.edu, but the address of the gateway.
7. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer?
Answer The destination address is 00:0f:b0:80:aa:38.
8. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s) whose value is 1 mean within the flag field?
Answer
9. How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e., the HTTP response code) appear in the Ethernet frame?
Answer
10. What is the hexadecimal value of the CRC field in this Ethernet frame?
Answer No hexadecimal value in the CRC field.
11. Write down the contents of your computer’s ARP cache. What is the meaning of each column value?
Answer Internet Address = IP address; Physical Address = Ethernet or MAC address of the client; Type = type of entry (dynamic).
12. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message?
Answer The source address is 00:1b:fc:1d:99:41. The destination address is ff:ff:ff:ff:ff:ff.
13. Give the hexadecimal value for the two-byte Ethernet Frame type field. What do the bit(s) whose value is 1 mean within the flag field?
Answer
14. Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
Answer
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made?
Answer Opcode: request (0x0001); this is ARP number 10.
c) Does the ARP message contain the IP address of the sender?
Answer Sender IP address: 192.168.1.1 (192.168.1.1)
d) Where in the ARP request does the “question” appear – the Ethernet address of the machine whose corresponding IP address is being queried?
Answer The question in the ARP request appears in Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00).
15. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
Answer
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP response is made?
Answer Opcode: reply (0x0002); this is ARP number 13.
c) Where in the ARP message does the “answer” to the earlier ARP request appear – the IP address of the machine having the Ethernet address whose corresponding IP address is being queried?
Answer The answer in the ARP message appears in the Sender MAC Address.
16. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message?
Answer The Ethernet Source Address is 00:0f:b0:80:aa:38. The Ethernet Destination Address is 00:08:5c:5c:8f:d4.
17. Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip. The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 – another ARP request. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace?
Answer
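Several of the questions above come down to counting header bytes from the start of the Ethernet frame: where the ARP opcode sits, where the first HTTP payload byte sits, and why the request's target MAC is all zeros while the reply's sender MAC carries the answer. The decoder below is an added example, not part of the lab, and it works on constructed frames with locally administered MAC addresses (02:00:00:00:00:0a, 02:00:00:00:00:0b) and documentation IP ranges, not the addresses from the trace. It goes a little beyond the lab by honouring IPv4 and TCP options when locating the payload, so the offset it reports stays correct on frames where the headers are not the minimum 20 bytes each.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_to_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_ethernet(frame: bytes) -> dict:
    """Ethernet II header: destination (6), source (6), type (2). The CRC is stripped
    by the NIC before capture, so there is nothing to decode after the payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "ethertype": ethertype, "payload": frame[ETH_HDR_LEN:]}


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet and record where the opcode sits in the frame."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    p = eth["payload"]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", p[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", p[8:28])
    return {
        "eth_src": eth["src"], "eth_dst": eth["dst"],
        "opcode": oper, "opcode_name": ARP_OPCODES.get(oper, "other"),
        # htype(2) + ptype(2) + hlen(1) + plen(1) precede the opcode inside ARP
        "opcode_offset": ETH_HDR_LEN + 6,
        "sender_mac": mac_to_str(sha), "sender_ip": ip_to_str(spa),
        "target_mac": mac_to_str(tha), "target_ip": ip_to_str(tpa),
        # In a request the target MAC is unknown (all zeros): that is the "question".
        "target_mac_unknown": tha == bytes(6),
    }


def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa) -> bytes:
    eth = struct.pack("!6s6sH", mac_to_bytes(eth_dst), mac_to_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, oper,
                      mac_to_bytes(sha), ip_to_bytes(spa), mac_to_bytes(tha), ip_to_bytes(tpa))
    return eth + arp


def tcp_payload_offset(frame: bytes) -> int:
    """Offset from the start of the frame to the first TCP payload byte (the 'G' of an
    HTTP GET, the 'H' of 'HTTP/1.1 200 OK'), honouring IPv4 IHL and the TCP data offset."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = eth["payload"]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    data_offset = (ip[ihl + 12] >> 4) * 4
    return ETH_HDR_LEN + ihl + data_offset


def build_http_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying an HTTP request (no checksums filled in)."""
    assert len(tcp_options) % 4 == 0
    eth = struct.pack("!6s6sH", mac_to_bytes("02:00:00:00:00:0b"),
                      mac_to_bytes("02:00:00:00:00:0a"), ETHERTYPE_IPV4)
    tcp_len = 20 + len(tcp_options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, (tcp_len // 4) << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload), 1, 0x4000, 64, 6, 0,
                     ip_to_bytes("192.0.2.10"), ip_to_bytes("198.51.100.5"))
    return eth + ip + tcp + tcp_options + payload


if __name__ == "__main__":
    # Constructed exchange: host A asks who has 192.0.2.11, host B answers.
    request = build_arp("02:00:00:00:00:0a", "ff:ff:ff:ff:ff:ff", 1,
                        "02:00:00:00:00:0a", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.11")
    reply = build_arp("02:00:00:00:00:0b", "02:00:00:00:00:0a", 2,
                      "02:00:00:00:00:0b", "192.0.2.11", "02:00:00:00:00:0a", "192.0.2.10")
    print(parse_arp(request))
    print(parse_arp(reply))
    get = build_http_frame(b"GET / HTTP/1.1\r\n")
    print(tcp_payload_offset(get), chr(get[tcp_payload_offset(get)]))
```

A unicast reply addressed to a host that is not the capturing machine, as in question 17, would not appear in a capture taken on a switched network, because the switch forwards it only to the port where the requester lives; only the broadcast request is seen by everyone.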
Lab 9 Wireshark Lab: 802.11
1. What are the SSIDs of the two access points that are issuing most of the beacon frames in this trace?
Answer The SSID of the first access point is 30 Munroe St. The SSID of the second access point is linksys12.
2. What are the intervals of time between the transmission of the beacon frames from the linksys_ses_24086 access point? From the 30 Munroe St. access point?
Answer The interval of time between the transmission of the beacon frames from the linksys_ses_24086 access point is Beacon Interval: 0.102400 [Seconds]. The interval of time between the transmission of the beacon frames from the 30 Munroe St. access point is Beacon Interval: 0.102400 [Seconds].
3. What (in hexadecimal notation) is the source MAC address on the beacon frame from 30 Munroe St? Recall from Figure 6.13 in the text that the source, destination, and BSS are three addresses used in an 802.11 frame. For a detailed discussion of the 802.11 frame structure, see section 7 in the IEEE 802.11 standards document (cited above).
Answer Source address: Cisco-Li_f7:1d:51 (00:16:b6:f7:1d:51).
4. What (in hexadecimal notation) is the destination MAC address on the beacon frame from 30 Munroe St?
Answer Destination address: Broadcast (ff:ff:ff:ff:ff:ff).
5. What (in hexadecimal notation) is the MAC BSS id on the beacon frame from 30 Munroe St?
Answer BSS Id: Cisco-Li_f7:1d:51 (00:16:b6:f7:1d:51).
6. The beacon frames from the 30 Munroe St access point advertise that the access point can support four data rates and eight additional “extended supported rates.” What are these rates?
Answer Supported Rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B). Extended Supported Rates: 6.0(B) 9.0 12.0(B) 18.0 24.0(B) 36.0 48.0 54.0.
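Everything questions 1 to 6 read off the beacon frame is encoded in a handful of fields: the three addresses in the 24-byte MAC header, a 16-bit beacon interval counted in 1024-microsecond time units, and information elements for the SSID and the rate lists, where each rate byte is a multiple of 500 kbit/s with the high bit marking a basic rate (shown as "(B)" by Wireshark). The decoder below is an added example, not part of the lab; it builds a constructed beacon using the SSID "30 Munroe St", the AP address 00:16:b6:f7:1d:51 and the rate lists from the answers above, then parses it back. The 100-TU interval in the constructed frame is an assumption that reproduces the 0.1024 s shown in the answer.

```python
import struct

IE_SSID, IE_SUPPORTED_RATES, IE_EXT_SUPPORTED_RATES = 0, 1, 50
TIME_UNIT_US = 1024  # one 802.11 time unit (TU) is 1024 microseconds


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def decode_rates(data: bytes) -> list:
    """Each rate byte is in 500 kbit/s units; the high bit marks a basic rate, shown as (B)."""
    return [f"{(r & 0x7F) * 0.5:.1f}" + ("(B)" if r & 0x80 else "") for r in data]


def encode_rates(rates) -> bytes:
    """Inverse of decode_rates: takes a list of (mbit/s, is_basic) pairs."""
    return bytes((int(m * 2) | (0x80 if basic else 0)) for m, basic in rates)


def parse_beacon(frame: bytes) -> dict:
    """Parse an 802.11 beacon: 24-byte MAC header, 12 bytes of fixed fields, then
    information elements. Multi-byte 802.11 fields are little-endian."""
    fc, _duration = struct.unpack("<HH", frame[:4])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 8):
        raise ValueError("not a beacon (management type 0, subtype 8)")
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    _timestamp, interval_tu, capability = struct.unpack("<QHH", frame[24:36])
    ies, pos = {}, 36
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        ies[ie_id] = frame[pos + 2:pos + 2 + ie_len]
        pos += 2 + ie_len
    return {
        "destination": mac_to_str(addr1),   # address 1 = receiver (broadcast for beacons)
        "source": mac_to_str(addr2),        # address 2 = transmitter (the AP)
        "bssid": mac_to_str(addr3),         # address 3 = BSS identifier
        "beacon_interval_s": interval_tu * TIME_UNIT_US / 1_000_000,
        "ssid": ies.get(IE_SSID, b"").decode("utf-8", "replace"),
        "supported_rates": decode_rates(ies.get(IE_SUPPORTED_RATES, b"")),
        "extended_rates": decode_rates(ies.get(IE_EXT_SUPPORTED_RATES, b"")),
        "privacy": bool(capability & 0x0010),  # capability bit 4: encryption required
    }


def build_beacon(ssid: str, ap_mac: str, interval_tu: int, rates, ext_rates, privacy=False) -> bytes:
    """Constructed beacon frame (timestamp and sequence number left zero)."""
    fc = (8 << 4) | (0 << 2)  # subtype 8 (beacon), type 0 (management), no flags
    hdr = (struct.pack("<HH", fc, 0) + mac_to_bytes("ff:ff:ff:ff:ff:ff")
           + mac_to_bytes(ap_mac) * 2 + struct.pack("<H", 0))
    fixed = struct.pack("<QHH", 0, interval_tu, 0x0001 | (0x0010 if privacy else 0))
    body = b""
    for ie_id, data in ((IE_SSID, ssid.encode()), (IE_SUPPORTED_RATES, encode_rates(rates)),
                        (IE_EXT_SUPPORTED_RATES, encode_rates(ext_rates))):
        body += bytes([ie_id, len(data)]) + data
    return hdr + fixed + body


if __name__ == "__main__":
    rates = [(1, True), (2, True), (5.5, True), (11, True)]
    ext = [(6, True), (9, False), (12, True), (18, False), (24, True), (36, False), (48, False), (54, False)]
    print(parse_beacon(build_beacon("30 Munroe St", "00:16:b6:f7:1d:51", 100, rates, ext)))
```

The privacy capability bit is worth checking alongside the SSID when reviewing a trace: a beacon with that bit clear announces an open network, which matches the open-system authentication seen later in this lab.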
7. Find the 802.11 frame containing the SYN TCP segment for this first TCP session (that downloads alice.txt). At what time is the TCP SYN sent?
Answer The TCP SYN is sent at 24.811093 sec.
What are the three MAC address fields in the 802.11 frame? Which MAC address in this frame corresponds to the wireless host (give the hexadecimal representation of the MAC address for the host)? To the access point? To the first-hop router?
Answer BSS Id: Cisco-Li_f7:1d:51 (00:16:b6:f7:1d:51). Source address: IntelCor_d1:b6:4f (00:13:02:d1:b6:4f). Destination address: Cisco-Li_f4:eb:a8 (00:16:b6:f4:eb:a8).
What is the IP address of the wireless host sending this TCP segment? What is the destination IP address? Does this destination IP address correspond to the host, access point, first-hop router, or some other network-attached device?
Answer The IP address of the wireless host is 192.168.1.109. The destination IP address is 188.8.131.52.
8. Find the 802.11 frame containing the SYNACK segment for this TCP session. At what time is the TCP SYNACK received?
Answer The TCP SYNACK is received at 24.827751 sec.
What are the three MAC address fields in the 802.11 frame containing the SYNACK? Which MAC address in this frame corresponds to the host? To the access point? To the first-hop router?
Answer Destination address: 91:2a:b0:49:b6:4f (91:2a:b0:49:b6:4f). BSS Id: Cisco-Li_f7:1d:51 (00:16:b6:f7:1d:51). Source address: Cisco-Li_f4:eb:a8 (00:16:b6:f4:eb:a8).
Does the sender MAC address in the frame correspond to the IP address of the device that sent the TCP segment encapsulated within this datagram?
Answer The sender MAC address is the MAC address of the access point. It is not the TCP segment's sender.
9. What two actions are taken (i.e., frames are sent) by the host in the trace just after t=49, to end the association with the 30 Munroe St AP that was initially in place when trace collection began, and at what times are these frames sent?
Answer The time of the DHCP release is 49.583615 seconds. The time of the Deauthentication is 49.609617 seconds.
10. Examine the trace file and look for AUTHENTICATION frames sent from the host to an AP and vice versa. When is the first AUTHENTICATION frame sent from the wireless host to the linksys_ses_24086 AP (which has a MAC address of Cisco_Li_f5:ba:bb) starting at around t=49?
Answer The first AUTHENTICATION frame sent from the wireless host to the linksys_ses_24086 AP is at 49.638857 seconds.
11. Does the host want the authentication to require a key or be open?
Answer The host wants the authentication to be open system.
12. Do you see a reply AUTHENTICATION from the linksys_ses_24086 AP in the trace?
Answer None.
13. Now let’s consider what happens as the host gives up (sometime after t = 63.0) trying to associate with the linksys_ses_24086 AP and now tries to associate with the 30 Munroe St AP. Look for AUTHENTICATION frames sent from the host to an AP and vice versa. At what times is there an AUTHENTICATION frame from the host to the 30 Munroe St. AP, and when is there a reply AUTHENTICATION sent from that AP to the host in reply?
Answer The time of the AUTHENTICATION frame from the host to the 30 Munroe St. AP is 63.169071 seconds. The time of the reply AUTHENTICATION sent from that AP to the host is 63.169707 seconds.
14. Let’s continue on with the association between the wireless host and the 30 Munroe St AP that happens after t = 63.0. An ASSOCIATE REQUEST from host to AP, and a corresponding ASSOCIATE RESPONSE frame from AP to host are used for the host to associate with an AP. At what time is there an ASSOCIATE REQUEST from host to the 30 Munroe St AP? When is the corresponding ASSOCIATE REPLY sent?
Answer The time of the ASSOCIATE REQUEST from the host to the 30 Munroe St AP is 63.169910 seconds. The time the ASSOCIATE REPLY is sent is 63.192101 seconds.
15. What transmission rates is the host willing to use? The AP? To answer this question, you will need to look into the parameters fields of the 802.11 wireless LAN management frame.
Answer The transmission rates the host is willing to use are 1.0, 2.0, 5.5, 11.0, 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0 and 54.0. The transmission rates on the AP are 1.0, 2.0, 5.5, 11.0, 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0 and 54.0.
Other Frame types
16. Consider the first PROBE REQUEST and the soonest subsequent PROBE RESPONSE pair that occurs after t = 2.0 seconds in the trace. When are these frames sent and what are the sender, receiver and BSS ID MAC addresses for these frames? What is the purpose of these two types of frames? (To answer this last question, you’ll need to dig into the online references cited earlier in this lab).
Answer The first PROBE REQUEST is sent at time 2.297613 seconds, with Destination address: Broadcast (ff:ff:ff:ff:ff:ff), Source address: IntelCor_1f:57:13 (00:12:f0:1f:57:13), BSS Id: Broadcast (ff:ff:ff:ff:ff:ff). The PROBE RESPONSE is sent at time 2.300697 seconds, with Destination address: IntelCor_1f:57:13 (00:12:f0:1f:57:13), Source address: Cisco-Li_f7:1d:51 (00:16:b6:f7:1d:51), BSS Id: Cisco-Li_f7:1d:51 (00:16:b6:f7:1d:51).
Lab 10 Wireshark Lab: SSL
1. For each of the first 8 Ethernet frames, specify the source of the frame (client or server), determine the number of SSL records that are included in the frame, and list the SSL record types that are included in the frame. Draw a timing diagram between client and server, with one arrow for each SSL record.
answer
2. Each of the SSL records begins with the same three fields (with possibly different values). One of these fields is “content type” and has length of one byte. List all three fields and their lengths.
answer Content Type: Handshake (22), length 1 byte. Version: TLS 1.0 (0x0301), length 2 bytes. Length: 111, length 2 bytes.
3. Expand the ClientHello record. (If your trace contains multiple ClientHello records, expand the frame that contains the first one.) What is the value of the content type?
answer The value of the content type is Handshake (22).
4. Does the ClientHello record contain a nonce (also known as a “challenge”)? If so, what is the value of the challenge in hexadecimal notation?
answer The value of the challenge in hexadecimal notation is 48ca936dccacffd6d73613ac9ed9bb1fe52ca43424577b37b16d26fdfe14ef98.
5. Does the ClientHello record advertise the cipher suites it supports? If so, in the first listed suite, what are the public-key algorithm, the symmetric-key algorithm, and the hash algorithm?
answer Yes, the ClientHello record does advertise the cipher suites it supports. The first listed suite is Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f), so the public-key algorithm is RSA, the symmetric-key algorithm is AES 128-bit Cipher Block Chaining, and the hash algorithm is Secure Hash Algorithm.
6. Locate the ServerHello SSL record. Does this record specify a chosen cipher suite? What are the algorithms in the chosen cipher suite?
answer Yes, the Cipher Suite is TLS_RSA_WITH_AES_128_CBC_SHA (0x002f), so the public-key algorithm is RSA, the symmetric-key algorithm is AES 128-bit Cipher Block Chaining, and the hash algorithm is Secure Hash Algorithm.
7. Does this record include a nonce? If so, how long is it? What is the purpose of the client and server nonces in SSL?
answer Yes, the record has a nonce of length 32 bit; it is used to calculate the common master secret.
8. Does this record include a session ID? What is the purpose of the session ID?
answer Yes, the record includes a session ID. The session ID means the session can be reused: if the value is not zero, the client can update the parameter values, but if the value is zero, the client makes a connection.
9. Does this record contain a certificate, or is the certificate included in a separate record. Does the certificate fit into a single Ethernet frame?
answer Yes, the record contains a certificate. Yes, the certificate fits into a single Ethernet frame.
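Questions 1 to 8 all come from the same two layers: the 5-byte record header (content type, version, length) that lets one frame carry several records, and the ClientHello/ServerHello handshake messages inside it, each with a 32-byte Random field (the nonce), an optional session ID and the cipher suite list or choice. The following decoder is an added example, not the lab's own material: it builds a constructed ClientHello whose Random is the 32-byte value quoted in answer 4, a constructed ServerHello choosing suite 0x002f with an 8-byte session ID, and the one-byte ChangeCipherSpec record, then splits the stream back into records and decodes the hellos. The cipher-suite table holds three IANA-registered RSA suites, enough to name what appears in this trace; everything else is reported by number.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
CIPHER_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
TLS_1_0 = 0x0301
RECORD_HDR_LEN = 5  # content type (1) + version (2) + length (2)


def split_suite(name: str) -> dict:
    """TLS_<key exchange>_WITH_<cipher>_<mac> -> its three algorithm parts."""
    kx, rest = name[len("TLS_"):].split("_WITH_")
    cipher, mac = rest.rsplit("_", 1)
    return {"public_key": kx, "symmetric": cipher, "hash": mac}


def parse_records(data: bytes) -> list:
    """Split a byte stream (e.g. one frame's TCP payload) into TLS records."""
    records, pos = [], 0
    while pos + RECORD_HDR_LEN <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + RECORD_HDR_LEN])
        body = data[pos + RECORD_HDR_LEN:pos + RECORD_HDR_LEN + length]
        if len(body) < length:
            raise ValueError("truncated record")
        records.append({"content_type": ctype, "content_name": CONTENT_TYPES.get(ctype, "unknown"),
                        "version": version, "length": length, "body": body})
        pos += RECORD_HDR_LEN + length
    return records


def parse_hello(body: bytes) -> dict:
    """Decode a ClientHello or ServerHello handshake message held in a record body."""
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]
    version = struct.unpack("!H", msg[:2])[0]
    rnd = msg[2:34]  # 32-byte Random: 4-byte gmt_unix_time + 28 random bytes in TLS 1.0
    sid_len = msg[34]
    session_id = msg[35:35 + sid_len]
    pos = 35 + sid_len
    info = {"handshake": HANDSHAKE_TYPES.get(htype, "other"), "version": version,
            "random_hex": rnd.hex(), "session_id_hex": session_id.hex(),
            "session_id_present": sid_len > 0}
    if htype == 1:   # ClientHello: list of offered suites, first is the client's preference
        cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", msg[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
        info["cipher_suites"] = [CIPHER_SUITES.get(s, f"unknown_0x{s:04x}") for s in suites]
    elif htype == 2:  # ServerHello: the single chosen suite
        suite = struct.unpack("!H", msg[pos:pos + 2])[0]
        info["cipher_suite"] = CIPHER_SUITES.get(suite, f"unknown_0x{suite:04x}")
    return info


def _record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, TLS_1_0, len(body)) + body


def _handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def build_client_hello(random32: bytes, suites, session_id: bytes = b"") -> bytes:
    body = struct.pack("!H", TLS_1_0) + random32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    return _record(22, _handshake(1, body))


def build_server_hello(random32: bytes, suite: int, session_id: bytes) -> bytes:
    body = struct.pack("!H", TLS_1_0) + random32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"
    return _record(22, _handshake(2, body))


CHANGE_CIPHER_SPEC = _record(20, b"\x01")  # the one-byte record that switches to the new keys


if __name__ == "__main__":
    # Constructed stream: client Random from the trace above; server Random is all zeros here.
    client_random = bytes.fromhex("48ca936dccacffd6d73613ac9ed9bb1fe52ca43424577b37b16d26fdfe14ef98")
    stream = (build_client_hello(client_random, [0x002F, 0x0035])
              + build_server_hello(bytes(32), 0x002F, b"\x11" * 8) + CHANGE_CIPHER_SPEC)
    for rec in parse_records(stream):
        print(rec["content_name"], rec["length"])
        if rec["content_type"] == 22:
            print(" ", parse_hello(rec["body"]))
```

The `split_suite` helper makes the three-algorithm reading of a suite name mechanical: the part before `_WITH_` is the key exchange, the last token is the MAC hash, and what remains is the bulk cipher and mode.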
Client Key Exchange Record
10. Locate the client key exchange record. Does this record contain a pre-master secret? What is this secret used for? Is the secret encrypted? If so, how? How long is the encrypted secret?
answer Yes, the record contains a pre-master secret. It is used to create the master key, and the encrypted information is 130 bytes.
Change Cipher Spec Record (sent by client) and Encrypted Handshake Record
11. What is the purpose of the Change Cipher Spec record? How many bytes is the record in your trace?
answer It is used to tell the server to change its status to the encrypted state. The record is 1 byte.
12. In the encrypted handshake record, what is being encrypted? How?
answer The Finished handshake record: the message contains a hash of the handshake messages computed with the hash algorithm, in this case MD5.
13. Does the server also send a change cipher record and an encrypted handshake record to the client? How are those records different from those sent by the client?
answer Yes; the Encrypted Handshake Message is different.
14. How is the application data being encrypted? Do the records containing application data include a MAC? Does Wireshark distinguish between the encrypted application data and the MAC?
answer The application data is encrypted by the AES algorithm specified in the cipher suite, so normally the record has a MAC value, but Wireshark can't show both values because the record has encrypted data.