Saturday, November 26, 2011

Wireshark Lab: DHCP






DHCP lab setup: ipconfig /release, then ipconfig /renew.
Answer the following questions:
  1. Are DHCP messages sent over UDP or TCP?

They are sent over UDP.


2. Draw a timing diagram illustrating the sequence of the first four-packet
Discover/Offer/Request/ACK DHCP exchange between the client and server. For
each packet, indicate the source and destination port numbers. Are the port
numbers the same as in the example given in this lab assignment?



The Discover packet has a source port of 68 and a destination port of 67.
The Offer packet has a source port of 67 and a destination port of 68.
The Request packet has a source port of 68 and a destination port of 67.
The ACK packet has a source port of 67 and a destination port of 68.

All of this corresponds to the example given in the lab.


3. What is the link-layer (e.g., Ethernet) address of your host?


Source: DellComp_4f:36:23 (00:08:74:4f:36:23)
4. What values in the DHCP discover message differentiate this message from the
DHCP request message?

The message type value for a discover message is a 1, but the message type value for a request packet is a 3. This is how you can differentiate the two.

5. What is the value of the Transaction-ID in each of the first four
(Discover/Offer/Request/ACK) DHCP messages? What are the values of the
Transaction-ID in the second set (Request/ACK) set of DHCP messages? What is
the purpose of the Transaction-ID field?

The Transaction ID in the first four messages: 0x3e5e0ce3
The transaction ID in the second set of messages is 0x257e55a3
The transaction ID identifies whether a message is part of a set of messages belonging to one transaction.






6. A host uses DHCP to obtain an IP address, among other things. But a host’s IP
address is not confirmed until the end of the four-message exchange! If the IP
address is not set until the end of the four-message exchange, then what values are
used in the IP datagrams in the four-message exchange? For each of the four
DHCP messages (Discover/Offer/Request/ACK DHCP), indicate the source and
destination IP addresses that are carried in the encapsulating IP datagram.

Discover: source 0.0.0.0, destination 255.255.255.255
Offer: source 192.168.1.1, destination 255.255.255.255
Request: source 0.0.0.0, destination 255.255.255.255
ACK: source 192.168.1.1, destination 255.255.255.255


7. What is the IP address of your DHCP server?

DHCP server address 192.168.1.1


8. What IP address is the DHCP server offering to your host in the DHCP Offer
message? Indicate which DHCP message contains the offered DHCP address.
The DHCP server offers 192.168.1.1 as the IP address in the DHCP Offer message.
Option: (t=53,l=1) DHCP Message Type = DHCP Offer


9. In the example screenshot in this assignment, there is no relay agent between the
host and the DHCP server. What values in the trace indicate the absence of a relay
agent? Is there a relay agent in your experiment? If so what is the IP address of
the agent?

The relay agent IP address field being 0.0.0.0 indicates the absence of a relay agent. There is no relay agent in my experiment.

10. Explain the purpose of the router and subnet mask lines in the DHCP offer
message.

The IP address for the router identifies the default Internet gateway. The subnet mask defines the subnet that is available.

11. In the example screenshots in this assignment, the host requests the offered IP
address in the DHCP Request message. What happens in your own experiment?
The same thing occurs: the host requests the offered IP address.
Option: (t=50,l=4) Requested IP Address = 192.168.1.101


12. Explain the purpose of the lease time. How long is the lease time in your
experiment?
The lease time is the amount of time the user is allowed a connection to the router.
Option: (t=51,l=4) IP Address Lease Time = 1 day

13. What is the purpose of the DHCP release message? Does the DHCP server issue
an acknowledgment of receipt of the client’s DHCP request? What would happen
if the client’s DHCP release message is lost?

The DHCP release message tells the DHCP server that you want to cancel the IP address offered. The DHCP server will not issue an ACK of receipt of the client’s DHCP request. If the release message is lost, then the DHCP server retains the IP address until the lease time expires.


14. Clear the bootp filter from your Wireshark window. Were any ARP packets sent
or received during the DHCP packet-exchange period? If so, explain the purpose
of those ARP packets.
Yes, there were ARP packets sent and received to map the MAC address to the IP address.
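As an added example (not part of the original lab answers), the following Python builds and parses the BOOTP/DHCP payload that the bootp filter displays, so the message type (option 53), Transaction ID, requested address (option 50), lease time (option 51) and the relay-agent field can be checked programmatically. The client MAC and addresses used with it come from the answers above; everything else is constructed sample data.

```python
import struct

MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 7: "Release"}  # option 53 codes
MAGIC_COOKIE = b"\x63\x82\x53\x63"                                               # starts the options area

def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))

def ip_str(raw):
    return ".".join(map(str, raw))

def build_dhcp(op, xid, msg_type, client_mac, requested_ip=None, your_ip="0.0.0.0",
               server_ip=None, lease_secs=None, relay_ip="0.0.0.0"):
    """Constructed BOOTP/DHCP payload (what travels inside UDP 68/67); not taken from the trace."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,               # op, htype=1 Ethernet, hlen=6, hops, xid, secs, flags
                        b"\0" * 4, ip_bytes(your_ip),         # ciaddr, yiaddr (the offered address goes here)
                        b"\0" * 4, ip_bytes(relay_ip),        # siaddr, giaddr (0.0.0.0 means no relay agent)
                        client_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    opts = MAGIC_COOKIE + bytes([53, 1, msg_type])            # Option: (t=53,l=1) DHCP Message Type
    if requested_ip:
        opts += bytes([50, 4]) + ip_bytes(requested_ip)       # Option: (t=50,l=4) Requested IP Address
    if server_ip:
        opts += bytes([54, 4]) + ip_bytes(server_ip)          # Option: (t=54,l=4) DHCP Server Identifier
    if lease_secs is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease_secs)  # Option: (t=51,l=4) IP Address Lease Time
    return fixed + opts + b"\xff"                             # Option: (t=255) End

def parse_dhcp(payload):
    """Pull out the fields the lab asks about: op, xid, yiaddr, giaddr and the decoded options."""
    op, xid = payload[0], struct.unpack("!I", payload[4:8])[0]
    yiaddr, giaddr = ip_str(payload[16:20]), ip_str(payload[24:28])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:             # walk the TLV options up to the End tag
        if payload[i] == 0:                                   # Pad option carries no length byte
            i += 1
            continue
        tag, length = payload[i], payload[i + 1]
        options[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options[53][0]
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "giaddr": giaddr,
            "message_type": msg_type, "message_name": MSG_TYPES.get(msg_type, "?"),
            "requested_ip": ip_str(options[50]) if 50 in options else None,
            "server_id": ip_str(options[54]) if 54 in options else None,
            "lease_secs": struct.unpack("!I", options[51])[0] if 51 in options else None,
            "relay_agent": giaddr != "0.0.0.0"}
```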






Wireshark Lab: Ethernet and ARP







http://gaia.cs.umass.edu/wireshark-labs/HTTP-ethereal-lab-file3.html

  1. What is the 48-bit Ethernet address of your computer?


My 48-bit Ethernet address is 00:11:11:1e:94:3a.

2. What is the 48-bit destination address in the Ethernet frame?  Is this the Ethernet
address of gaia.cs.umass.edu? (Hint: the answer is no).  What device has this as its
Ethernet address? [Note: this is an important question, and one that students
sometimes get wrong.  Re-read pages 468-469 in the text and make sure you
understand the answer here.]


The 48-bit destination address in the Ethernet frame is 00:11:50:53:95:77.
This is not the Ethernet address of gaia.cs.umass.edu. It is the MAC address of my router or Internet gateway.



3. Give the hexadecimal value for the two-byte Frame type field.  What do the bit(s)
whose value is 1 mean within the flag field?

Type: IP 0x0800

4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in
“GET” appear in the Ethernet frame?

After 432 bits or 54 bytes, the G in GET appears.

5. What is the hexadecimal value of the CRC field in this Ethernet frame?

There is no hexadecimal value for the CRC in the Ethernet frame.









6. What is the value of the Ethernet source address?  Is this the address of your
computer, or of gaia.cs.umass.edu (Hint: the answer is no).   What device has this
as its Ethernet address?

The source address is 00:11:50:53:95:77. This is the address of my Belkin router/Internet gateway.

7. What is the destination address in the Ethernet frame?  Is this the Ethernet address
of your computer?  

The Destination address is 00:11:11:1e:94:3a. This is the Ethernet address of my computer.

8. Give the hexadecimal value for the two-byte Frame type field.  What do the bit(s)
whose value is 1 mean within the flag field?

The two-byte frame type field is 0x0800. The bit that is set to 1 means do not fragment.






9. How many bytes from the very start of the Ethernet frame does the ASCII “O” in
“OK” (i.e., the HTTP response code) appear in the Ethernet frame?

The O in OK starts after 104 bits or 13 bytes.


10. What is the hexadecimal value of the CRC field in this Ethernet frame?

There is no CRC field in this Ethernet frame.

11. Write down the contents of your computer’s ARP cache.  What is the meaning of
each column value?


The first column is the Internet address of the computer, then its physical address, and finally what type it is, which is dynamic.

12. What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP request message?

The source address is (00:11:50:53:95:77)
The Destination address is (00:11:11:1e:94:3a)

13. Give the hexadecimal value for the two-byte Ethernet Frame type field.  What do
the bit(s) whose value is 1 mean within the flag field?

The hexadecimal value is Type: ARP (0x0806)

14. Download the ARP specification from ftp://ftp.rfc-editor.org/innotes/std/std37.txt. A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.

a) How many bytes from the very beginning of the Ethernet frame does the
ARP opcode field begin?

It begins 42 bytes from the beginning of the Ethernet frame



b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP request is made?

The value of the opcode field within the ARP-payload is 0x0001

c) Does the ARP message contain the IP address of the sender?
Yes.

d) Where in the ARP request does the “question” appear – the Ethernet
address of the machine whose corresponding IP address is being queried?

The question appears in the MAC destination address.


15. Now find the ARP reply that was sent in response to the ARP request.  
a) How many bytes from the very beginning of the Ethernet frame does the
ARP opcode field begin?   

It is 10 bytes from the beginning

b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP response is made?



It is 2.

c) Where in the ARP message does the “answer” to the earlier ARP request
appear – the IP address of the machine having the Ethernet address whose
corresponding IP address is being queried?

Sender MAC address: Intel_1e:94:3a (00:11:11:1e:94:3a)


16. What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP reply message?

Source: Intel_1e:94:3a (00:11:11:1e:94:3a)
Destination: Belkin_53:95:77 (00:11:50:53:95:77)


17. Open the ethernet-ethereal-trace-1 trace file in
http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip. The first and second
ARP packets in this trace correspond to an ARP request sent by the computer
running Wireshark, and the ARP reply sent to the computer running Wireshark by
the computer with the ARP-requested Ethernet address.  But there is yet another
computer on this network, as indicated by packet 6 – another ARP request. Why is
there no ARP reply (sent in response to the ARP request in packet 6) in the packet
trace?

Since the IP address of the computer and the ARP request do not match, the computer will not receive the request.
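An added example, not from the lab or its traces: a Python builder and parser for an Ethernet frame carrying ARP, showing where the two-byte Frame type, the ARP opcode and the sender/target address fields sit in the frame, and where the request's "question" (the all-zero target MAC) and the reply's "answer" (the sender MAC) appear. The MAC addresses used with it reuse the ones in the answers above; the IP addresses are constructed.

```python
import struct

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806   # two-byte Frame type values seen in the answers
ARP_REQUEST, ARP_REPLY = 1, 2                  # ARP opcode values
BROADCAST = b"\xff" * 6

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))

def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II frame carrying ARP for IPv4. No FCS/CRC is appended: the NIC strips it
    before the capture, which is why Wireshark shows no CRC field in these frames."""
    eth_dst = BROADCAST if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, opcode)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)           # sender hardware/protocol address
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)           # target hardware/protocol address
    return eth + arp

def parse_frame(frame):
    """Ethernet header plus, for ARP frames, the fields the lab asks about and the opcode's byte offset."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": "0x%04x" % ethertype}
    if ethertype != ETHERTYPE_ARP:
        return out
    arp = frame[14:]                                  # ARP payload starts right after the 14-byte header
    opcode = struct.unpack("!H", arp[6:8])[0]         # after htype(2) ptype(2) hlen(1) plen(1)
    out.update({"opcode": opcode, "opcode_offset": 14 + 6,
                "sender_mac": arp[8:14].hex(":"), "sender_ip": ".".join(map(str, arp[14:18])),
                "target_mac": arp[18:24].hex(":"), "target_ip": ".".join(map(str, arp[24:28]))})
    # The request's "question" is the all-zero target MAC; the reply's "answer" is its sender MAC.
    out["is_question"] = opcode == ARP_REQUEST and arp[18:24] == b"\0" * 6
    return out
```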

Wireshark Lab: UDP








1. Select one packet. From this packet, determine how many fields there are in the
UDP header. (Do not look in the textbook! Answer these questions directly from
what you observe in the packet trace.) Name these fields.

The UDP header contains 4 fields. They are Source Port, Destination Port, Length and Checksum.

2. From the packet content field, determine the length (in bytes) of each of the UDP
header fields.
The UDP header has four fields at two bytes each, so in total it is 8 bytes:
Source Port is 2 bytes
Destination Port is 2 bytes
Length is 2 bytes
Checksum is 2 bytes




3. The value in the Length field is the length of what? Verify your claim with your
captured UDP packet.

The value in the Length field is the length of the header and the data inside, in bytes.

4. What is the maximum number of bytes that can be included in a UDP payload?

The maximum length with the header included is 65535, but the actual maximum number of bytes with the header excluded is 65527.

5. What is the largest possible source port number?

The largest possible source port number is 65535.


6. What is the protocol number for UDP? Give your answer in both hexadecimal and
decimal notation. (To answer this question, you’ll need to look into the IP
header.)

The protocol number is 17 in decimal or 0x11 in hexadecimal.

7. Search “UDP” in Google and determine the fields over which the UDP checksum
is calculated.

After searching on Google, I found that the checksum is the 16-bit one's complement of the one's complement sum of a pseudo header of information from the IP header, the UDP header, and the data, padded with zero octets at the end (if necessary) to make a multiple of two octets.


8. Examine a pair of UDP packets in which the first packet is sent by your host and
the second packet is a reply to the first packet. Describe the relationship between
the port numbers in the two packets.


In the first packet sent by my host the source port of the UDP packet is the same as the destination port of the reply packet. Also the destination port of the UDP packet sent by my host computer matches the source port of the reply packet.
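An added example rather than anything from the lab: the checksum computation described in question 7 written out in Python (pseudo header from the IP addresses, protocol 17 and the UDP length, plus the UDP header and data, zero-padded to an even length), together with a parser for the four two-byte header fields that verifies the checksum. The addresses, ports and payload it is run on are constructed sample values.

```python
import struct

UDP_PROTO = 17                        # IP header Protocol field: 17 decimal, 0x11 hex
MAX_UDP_PAYLOAD = 0xFFFF - 8          # 16-bit Length field covers header + data, header is 8 bytes

def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))

def ones_complement_sum(data):
    """16-bit one's complement sum; an odd trailing byte is padded with a zero octet, carries are folded."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, udp_length):
    """The IP-derived part the checksum covers: source IP, destination IP, zero, protocol, UDP length."""
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, UDP_PROTO, udp_length)

def udp_checksum(src_ip, dst_ip, header_and_data):
    """One's complement of the sum over pseudo header + UDP header (checksum field zero) + data."""
    covered = pseudo_header(src_ip, dst_ip, len(header_and_data)) + header_and_data
    csum = 0xFFFF ^ ones_complement_sum(covered)
    return csum or 0xFFFF             # a computed 0 is sent as 0xFFFF; 0 on the wire means "no checksum"

def build_udp(src_ip, dst_ip, src_port, dst_port, data):
    """Constructed datagram with the four 2-byte header fields; Length = 8-byte header + data."""
    if len(data) > MAX_UDP_PAYLOAD:
        raise ValueError("payload exceeds what the Length field can describe")
    header = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0)
    return header[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, header + data)) + data

def parse_udp(src_ip, dst_ip, datagram):
    """Decode the header and verify the checksum: summing everything including the checksum gives 0xFFFF."""
    src_port, dst_port, length, csum = struct.unpack("!HHHH", datagram[:8])
    covered = pseudo_header(src_ip, dst_ip, length) + datagram[:length]
    return {"src_port": src_port, "dst_port": dst_port, "length": length, "checksum": csum,
            "payload": datagram[8:length],
            "checksum_ok": csum == 0 or ones_complement_sum(covered) == 0xFFFF}
```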