Jae Sook Lee
FA16 CSIT 340 – 01
Dr. Constantine Coutras
Lab #6
Wireshark Lab: Ethernet ARP
1. Capturing and analyzing Ethernet frames
Web browser used Mozilla Firefox v5 instead of v3.
WireShark uncheck IP
Answer the following questions, based on the contents of the Ethernet frame containing
the HTTP GET message. Whenever possible, when answering a question you should
hand in a printout of the packet(s) within the trace that you used to answer the question
asked. Annotate the printout to explain your answer. To print a packet, use File->Print,
choose Selected packet only, choose Packet summary line, and select the minimum
amount of packet detail that you need to answer the question.
1. What is the 48-bit Ethernet address of your computer?
Answer
Source: Giga-Byt_52:49:84 (40:8d:5c:52:49:84)
The physical address matches up with the Wireshark source IP, which is my computer.
2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet
address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its
Ethernet address? [Note: this is an important question, and one that students
sometimes get wrong. Re-read pages 468-469 in the text and make sure you
understand the answer here.]
Answer
Destination: Tp-LinkT_e6:67:2c (10:fe:ed:e6:67:2c) The datagram must first be sent to the
router interface, which is the IP address of the first-hop router on the path to the final
destination.
3. Give the hexadecimal value for the two-byte Frame type field. What upper layer
protocol does this correspond to?
Answer
Type: IPv4(0x0800)
4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in
“GET” appear in the Ethernet frame?
Answer: 47 bytes
Next, answer the following questions, based on the contents of the Ethernet frame containing the first byte of the HTTP response message.
5. What is the value of the Ethernet source address? Is this the address of your computer, or of gaia.cs.umass.edu (Hint: the answer is no). What device has this as its Ethernet address?
Answer
Source IP: TP-LinkT_e6:67:2c (10:fe:ed:e6:67:2c). This is neither my machine nor the gaia.cs.umass.edu machine. It is the TP-LinkT router's MAC address.
6. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer?
Answer
Destination: Giga-Byt_52:49:84 (40:8d:5c:52:49:84). The Ethernet address is mine.
7. Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to?
Answer
Type: IPv4 (0x0800)
8. How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e., the HTTP response code) appear in the Ethernet frame?
Answer: 4f
2. The Address Resolution Protocol
In this section, we’ll observe the ARP protocol in action. We strongly recommend that you re-read section 6.4.1 in the text before proceeding.
MS-DOS. The arp command is in c:\windows\system32, so type either “arp” or “c:\windows\system32\arp” in the MS-DOS command line (without quotation marks).
The Windows arp command with no arguments will display the contents of the ARP cache on your computer. Run the arp command.
9. Write down the contents of your computer’s ARP cache. What is the meaning of each column value?
Answer
Based on the description, I tried to run the command with no arguments. As we can expect, it only displays the contents of the ARP cache.
(Command in arp)
I also tried to run the command with the argument -a. According to its description, it displays
my current networking interface. As you can see below, I have more than one assigned IP
address, including the home router, printer and other computers. I also tried to run arp -d *,
which means delete the ARP cache, but it didn’t do anything. After a couple of trials and errors, I found
that I had written the argument incorrectly.
(Command in arp -a)
MS-DOS. The MS-DOS arp -d * command will clear your ARP cache. The -d flag indicates a deletion operation, and the * is the wildcard that says to delete all table entries.
In the example above, the first two frames in the trace contain ARP messages (as does the 6th message). The screen shot above corresponds to the trace referenced in footnote 1. Answer the following questions:
10. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message?
Answer
Source Address: Giga-Byt_52:49:84 (40:8d:5c:52:49:84)
Destination Address: Broadcast (ff:ff:ff:ff:ff:ff)
The ARP request message contains: Hardware type, Protocol type, Hardware size, Protocol size, Opcode, Sender MAC, Sender IP, Target MAC and Target IP.
11. Give the hexadecimal value for the two-byte Ethernet Frame type field. What upper layer protocol does this correspond to?
Answer
Type: ARP (0x0806)
12. Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
Ethernet transmission layer (not necessarily accessible to
the user):
48.bit: Ethernet address of destination (6 bytes)
48.bit: Ethernet address of sender (6 bytes)
16.bit: Protocol type = ether_type$ADDRESS_RESOLUTION (2 bytes)
Ethernet packet data:
16.bit: (ar$hrd) Hardware address space (e.g., Ethernet,
Packet Radio Net.) (2 bytes)
16.bit: (ar$pro) Protocol address space. For Ethernet
hardware, this is from the set of type
fields ether_typ$<protocol>. (2 bytes)
8.bit: (ar$hln) byte length of each hardware address (1 byte)
8.bit: (ar$pln) byte length of each protocol address (1 byte)
16.bit: (ar$op) opcode (ares_op$REQUEST | ares_op$REPLY) (2 bytes)
Answer: 20 bytes
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made?
Answer
Opcode: request (1)
c) Does the ARP message contain the IP address of the sender?
Answer
Yes. It contains the sender IP address: 192.168.47.2
d) Where in the ARP request does the “question” appear – the Ethernet address of the machine whose corresponding IP address is being queried?
Answer
The Target MAC Address is queried. It displays 00:00:00:00:00:00 (00:00:00:00:00:00). It means the target IP address is broadcast and it tries to find the matching target IP address.
13. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
Answer
From the very beginning of the Ethernet frame, it is 20 bytes.
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP response is made?
Answer
Opcode: reply (2)
c) Where in the ARP message does the “answer” to the earlier ARP request appear – the IP address of the machine having the Ethernet address whose corresponding IP address is being queried?
Answer: The Target MAC Address that was queried changed from 00:00:00_00:00:00 (00:00:00:00:00:00) to Giga-Byt_52:49:84 (40:8d:5c:52:49:84). Also, the Target IP Address changed from 192.168.47.1 to 192.168.47.15.
14. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message?
Answer
Source: TP-LinkT_e6:67:2c (10:fe:ed:e6:67:2c)
Destination: Giga-Byt_52:49:84 (40:8d:5c:52:49:84)
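The ARP field layout that questions 12 through 14 walk through, as an added example that is not part of this report: a Python builder and parser for Ethernet/ARP frames that computes the opcode offset (14-byte Ethernet header plus the 6 bytes of ar$hrd, ar$pro, ar$hln and ar$pln) and decodes a request/reply pair. The frames, the sender/target IP addresses and the pairing of MACs to IPs are constructed to mirror the report's host and router addresses; they are not taken from the trace.

```python
import struct

# Ethernet header: dst MAC(6) + src MAC(6) + type(2)
ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
# RFC 826 fixed part after the Ethernet header: ar$hrd(2) ar$pro(2) ar$hln(1) ar$pln(1) ar$op(2)
ARP_FIXED = "!HHBBH"
ARP_OPCODE_OFFSET = ETH_HDR_LEN + 2 + 2 + 1 + 1   # opcode starts 20 bytes into the frame

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an ARP message (hardware=Ethernet, protocol=IPv4)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FIXED, 1, ETHERTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Parse an Ethernet/ARP frame into a dict; raise ValueError if it is not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR_LEN + 28:
        raise ValueError("truncated frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{etype:04x}")
    hrd, pro, hln, pln, op = struct.unpack(ARP_FIXED, frame[ETH_HDR_LEN:ETH_HDR_LEN + 8])
    if (hrd, pro, hln, pln) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    body = frame[ETH_HDR_LEN + 8:ETH_HDR_LEN + 28]   # sender MAC/IP, target MAC/IP
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "ethertype": etype, "opcode": op,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }

# Constructed frames modelled on the report's addresses (not captured from its trace):
# the host asks who has the gateway 192.168.47.1; the router answers.
HOST_MAC, ROUTER_MAC = "40:8d:5c:52:49:84", "10:fe:ed:e6:67:2c"
REQUEST = build_arp("ff:ff:ff:ff:ff:ff", HOST_MAC, ARP_REQUEST,
                    HOST_MAC, "192.168.47.2", "00:00:00:00:00:00", "192.168.47.1")
REPLY = build_arp(HOST_MAC, ROUTER_MAC, ARP_REPLY,
                  ROUTER_MAC, "192.168.47.1", HOST_MAC, "192.168.47.2")
```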
15. Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip. The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 – another ARP request. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace?
Answer
In packet 6 we can see the request packet and the machine whose corresponding IP address is
being queried; however, since we are using the given trace file, we can’t see the reply. It doesn’t have the
reply in the file. What we can see are the previous packets 1 and 2 (request and reply), the 3-way handshake
and the data packets. I assumed that Wireshark stopped capturing before the reply packet was sent.
3. Extra Credit
EX-1. The arp command:
arp -s InetAddr EtherAddr
allows you to manually add an entry to the ARP cache that resolves the IP address InetAddr to
the physical address EtherAddr. What would happen if, when you manually added an entry, you
entered the correct IP address, but the wrong Ethernet address for that remote interface?
EX-2. What is the default amount of time that an entry remains in your ARP cache
before being removed. You can determine this empirically (by monitoring the
cache contents) or by looking this up in your operation system documentation.
Indicate how/where you determined this value.
Answer
Yes. It only allows me to manually add static entries. During this example, I tried a couple of
tasks: overwriting, deleting an existing IP, and assigning a new IP and Ethernet address. First, I tried to overwrite
an existing dynamic address, but it didn’t allow me to do that. Second, I tried to delete the
router IP address, which is 192.168.47.1, and it allowed me to delete the IP; however, it came
back again. It should come back because packets are sent to the MAC address of the router
interface that is the default gateway. Lastly, I assigned an IP and Ethernet address manually, and it
was successfully uploaded and the entry was static. According to TechNet by Microsoft, a static entry is
permanent unless the user manually deletes it, and the problem is that it must be manually updated when the
network and interface change. On the other hand, a dynamic ARP cache entry has a time-out value and is
removed after a specific period of time. It stays at most 10 minutes before being removed.
Add new IP Address and Ethernet
Delete IP Address 192.168.47.8 and tried to overwrite existing IP Address 192.168.47.1
Re-added the IP address and Ethernet address and pinged the re-added IP address. Two different ping results: 1) ping to the fake IP address had 100% loss; 2) ping to the existing IP address had no loss.
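A small model of the ARP cache behaviour the extra-credit answer describes (static entries persist until deleted, dynamic ones time out, and a static entry with the correct IP but the wrong MAC sends frames to a MAC no host owns, which is the 100% loss seen in the ping test). This is an added example, not the report's work nor any operating system's implementation; the 600-second dynamic lifetime is an assumption taken from the report's stated 10-minute maximum, and the LAN table is constructed from the report's router and host addresses.

```python
from dataclasses import dataclass
# Assumption: fixed 10-minute lifetime for dynamic entries (the report's stated maximum);
# real Windows timeouts vary by version and are not modelled exactly.
DYNAMIC_LIFETIME = 600.0

@dataclass
class Entry:
    mac: str
    static: bool
    learned_at: float

class ArpCache:
    def __init__(self):
        self.table = {}

    def learn(self, ip, mac, now):
        """Dynamic entry from an observed ARP reply; a static entry is never overwritten."""
        cur = self.table.get(ip)
        if cur is not None and cur.static:
            return False
        self.table[ip] = Entry(mac, False, now)
        return True

    def add_static(self, ip, mac, now):
        """Equivalent of 'arp -s InetAddr EtherAddr'."""
        self.table[ip] = Entry(mac, True, now)

    def delete(self, ip):
        """Equivalent of 'arp -d InetAddr'."""
        self.table.pop(ip, None)

    def resolve(self, ip, now):
        """Cached MAC for ip, or None; dynamic entries older than DYNAMIC_LIFETIME expire here."""
        e = self.table.get(ip)
        if e is None:
            return None
        if not e.static and now - e.learned_at > DYNAMIC_LIFETIME:
            del self.table[ip]
            return None
        return e.mac

def send_to(cache, lan, dst_ip, now):
    """Where a frame for dst_ip ends up: 'no-entry' (an ARP request would go out first),
    'delivered' (cached MAC really belongs to dst_ip) or 'dropped' (cached MAC is wrong)."""
    mac = cache.resolve(dst_ip, now)
    if mac is None:
        return "no-entry"
    return "delivered" if lan.get(mac) == dst_ip else "dropped"

# Constructed LAN: real MAC -> IP, using the report's router and host addresses.
LAN = {"10:fe:ed:e6:67:2c": "192.168.47.1", "40:8d:5c:52:49:84": "192.168.47.2"}
```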