Wireshark Lab: Ethernet & ARP SOLUTION

Supplement to Computer Networking: A Top-Down Approach, 7th ed., J.F. Kurose and K.W. Ross

2005-2016, J.F Kurose and K.W. Ross, All Rights Reserved

The solutions below are based on the trace file ethernet--ethereal-trace-1 in the zip ark-traces.zip .

Shown below is the screen shot expanding the view of the Ethernet frame carrying the HTTP GET:

1. What is the 48-bit Ethernet address of your computer?
   The Ethernet address of my computer is 00:09:5b:61:8e:6d.

2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? [Note: this is an important question, and one that students sometimes get wrong. Re-read pages 468–469 in the text and make sure you understand the answer here.]
   The destination address 00:0c:41:45:90:a8 is not the Ethernet address of gaia.cs.umass.edu. It is the address of my Linksys router, which is the link used to get off the subnet.

3. Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to?
   The hex value for the Frame type field is 0x0800. This corresponds to the IP protocol (the frame type field indicates that the next layer above IP – the layer to which the payload of this Ethernet frame will be passed – is IP).

4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET” appear in the Ethernet frame?
   The ASCII “G” appears 52 bytes from the start of the Ethernet frame. There are 14 bytes of Ethernet frame, and then 20 bytes of IP header followed by 20 bytes of TCP header before the HTTP data is encountered.

Here is a screenshot of the Ethernet frame containing the HTTP OK response:

5. What is the value of the Ethernet source address? Is this the address of your computer, or of gaia.cs.umass.edu (Hint: the answer is no). What device has this as its Ethernet address?
   The source address 00:0c:41:45:90:a8 is neither the Ethernet address of gaia.cs.umass.edu nor the address of my computer. It is the address of my Linksys router, which is the link used to get onto my subnet.

6. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer?
   The destination address 00:09:5b:61:8e:6d is the address of my computer.

7. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s) whose value is 1 mean within the flag field?
   The hex value for the Frame type field is 0x0800. This value corresponds to the IP protocol (see also answer to 3. above).

8. How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e., the HTTP response code) appear in the Ethernet frame?
   The ASCII “O” appears 52 bytes from the start of the Ethernet frame. Again, there are 14 bytes of Ethernet frame, and then 20 bytes of IP header followed by 20 bytes of TCP header before the HTTP data is encountered.

9. Write down the contents of your computer’s ARP cache. What is the meaning of each column value?
   The Internet Address column contains the IP address, the Physical Address column contains the MAC address, and the type indicates the protocol type.

Here is a screenshot showing the ARP request message:

10. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message?
    The hex value for the source address is 00:d0:59:a9:3d:68. The hex value for the destination address is ff:ff:ff:ff:ff:ff, the broadcast address.

11. Give the hexadecimal value for the two-byte Ethernet Frame type field. What do the bit(s) whose value is 1 mean within the flag field?
    The hex value for the Ethernet Frame type field is 0x0806, for ARP.

12. Download the ARP specification from ftp://ftp.rfc-editor.org/innotes/std/std37.txt. A readable, detailed discussion of ARP is also t-pages/arp.html.

    a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
       The ARP opcode field begins 20 bytes from the very beginning of the Ethernet frame.

    b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made?
       The hex value for the opcode field within the ARP-payload of the request is 0x0001, for request.

    c) Does the ARP message contain the IP address of the sender?
       Yes, the ARP message contains the IP address 192.168.1.105 for the sender.

    d) Where in the ARP request does the “question” appear – the Ethernet address of the machine whose corresponding IP address is being queried?
       The field “Target MAC address” is set to 00:00:00:00:00:00 to question the machine whose corresponding IP address (192.168.1.1) is being queried.

Here is the screenshot for the ARP reply message:

13. Now find the ARP reply that was sent in response to the ARP request.

    a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
       The ARP opcode field begins 20 bytes from the very beginning of the Ethernet frame.

    b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP response is made?
       The hex value for the opcode field within the ARP-payload of the request is 0x0002, for reply.

    c) Where in the ARP message does the “answer” to the earlier ARP request appear – the IP address of the machine having the Ethernet address whose corresponding IP address is being queried?
       The answer to the earlier ARP request appears in the “Sender MAC address” field, which contains the Ethernet address 00:06:25:da:af:73 for the sender with IP address 192.168.1.1.

14. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message?
    The hex value for the source address is 00:06:25:da:af:73 and for the destination is 00:d0:59:a9:3d:68.

15. Open the ethernet-ethereal-trace-1 trace file k-traces.zip. The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 – another ARP request. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace?
    There is no reply in this trace, because we are not at the machine that sent the request. The ARP request is broadcast, but the ARP reply is sent back directly to the sender’s Ethernet address.
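
The ARP request and reply from questions 10–14, rebuilt and decoded byte by byte (an added example, not part of the original lab solution). It shows where the frame type and opcode fields sit and how a reply is matched to its request. The function names are hypothetical, and the frames are constructed from the addresses in the answers; the request's ARP sender MAC and the reply's target fields are assumptions.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # destination MAC, source MAC, frame type
ARP_MSG = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, opcode, SHA, SPA, THA, TPA
# Bytes in front of the opcode: Ethernet header + htype + ptype + hlen + plen
OPCODE_OFFSET = ETH_HDR.size + struct.calcsize("!HHBB")

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)
def _mac_b(s): return bytes.fromhex(s.replace(":", ""))
def _ip_b(s): return bytes(int(p) for p in s.split("."))

def build_arp(dst, src, opcode, sha, spa, tha, tpa):
    """Build an Ethernet frame carrying an IPv4-over-Ethernet ARP message."""
    return (ETH_HDR.pack(_mac_b(dst), _mac_b(src), 0x0806) +
            ARP_MSG.pack(1, 0x0800, 6, 4, opcode,
                         _mac_b(sha), _ip_b(spa), _mac_b(tha), _ip_b(tpa)))

def parse_arp(frame):
    """Decode an Ethernet+ARP frame; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_MSG.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ftype = ETH_HDR.unpack_from(frame, 0)
    if ftype != 0x0806:
        raise ValueError(f"frame type 0x{ftype:04x} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_MSG.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP message")
    return {"eth_dst": _mac(dst), "eth_src": _mac(src), "opcode": op,
            "sender_mac": _mac(sha), "sender_ip": _ip(spa),
            "target_mac": _mac(tha), "target_ip": _ip(tpa)}

def answers(request, reply):
    """True if `reply` is the unicast ARP reply to the broadcast `request`."""
    q, r = parse_arp(request), parse_arp(reply)
    return (q["opcode"] == 1 and r["opcode"] == 2
            and q["eth_dst"] == "ff:ff:ff:ff:ff:ff"
            and r["eth_dst"] == q["eth_src"]        # reply goes only to the requester
            and r["sender_ip"] == q["target_ip"]    # the IP that was asked about
            and r["eth_src"] == r["sender_mac"])    # Ethernet source matches the ARP sender

# Constructed frames using the addresses from questions 10-14. The request's ARP sender
# MAC and the reply's target fields are not quoted on the page; they are assumed here.
REQUEST = build_arp("ff:ff:ff:ff:ff:ff", "00:d0:59:a9:3d:68", 1, "00:d0:59:a9:3d:68",
                    "192.168.1.105", "00:00:00:00:00:00", "192.168.1.1")
REPLY = build_arp("00:d0:59:a9:3d:68", "00:06:25:da:af:73", 2, "00:06:25:da:af:73",
                  "192.168.1.1", "00:d0:59:a9:3d:68", "192.168.1.105")

if __name__ == "__main__":
    print("opcode offset:", OPCODE_OFFSET, "request opcode bytes:", REQUEST[20:22].hex())
    print(parse_arp(REPLY)["sender_mac"], "answers request:", answers(REQUEST, REPLY))
```

Because the reply's Ethernet destination is the requester's unicast address, a capture taken on any other host sees only the broadcast request, which is the situation described for packet 6 in question 15.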