Wednesday, December 7, 2011

Wireshark Lab: ICMP

Worked with Tom Vear
1. HOST: 10.37.9.2
    DESTINATION HOST: 143.89.14.34
2. Because ICMP packets only communicate between routers and hosts. The software can decipher the messages itself, so no port number is assigned and no application-layer process is needed.
3. The ICMP type is 8 and the code number is 0. The ICMP packet has a data field, sequence number, identifier, and checksum. They are all two bytes.
4. Both the ICMP type and the code number are 0. There is a data field, sequence number, identifier, and checksum. They are all two bytes.

5. HOST: 10.37.9.254
    DESTINATION HOST: 193.51.193.149
6. No. If UDP packets were sent, the IP protocol number would change.
7. They have the same fields as the ping query packets.
8. The error packet isn't the same as the query packets. It contains the IP header and 8 bytes of the ICMP packet.
9. They are all echo reply messages. These are different because all of the packets made it to the destination before the time to live expired.
10. The jump between packets 15 and 16 represents the large jump. This is the link that crosses the ocean, so it takes longer.

Monday, December 5, 2011

Wireshark Lab: IP

Worked with Thomas Vear.

1.  216.92.151.75
2. The value of the header's protocol field is ICMP.
3. The datagram is 56 bytes in total: 20 of the bytes belong to the IP header, and the other 36 are the datagram's payload.
4. The data is not fragmented because the fragment offset is 0.


5. Time to live, identification, and the header checksum always change.
6. MUST STAY CONSTANT: header length, version, source IP, destination IP, upper-layer protocol, services
MUST CHANGE: identification, header checksum, time to live.
7. The IP header fields change incrementally from one packet to the next.
8. Identification: 60500
Time to live: 254
9. The identification field will change for all of the ICMP time-to-live requests, but they will not change with a hop router because they are using the same router.

10. Yes, more than one IP datagram was used.
11. The fragment offset is 0, so this is the first fragment. The length is 1500 bytes.
12. It isn't the first fragment, because the offset is not 0.
13. The fields that change are the fragment offset, checksum, flags, and total length.
14. Three packets are created.
15. The fragment offset and checksum will change.
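As an added example (not part of this lab write-up or of Wireshark), the following Python decodes the IPv4 header fields that questions 5 through 15 ask about, verifies the header checksum, and works out the fragment offsets, lengths and more-fragments flags for a datagram split at a 1500-byte MTU. The sample header bytes are constructed here, reusing the identification and TTL values reported above; the 3500-byte datagram size used for the fragment plan is an assumption.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 means the header checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields the IP lab asks about from raw IPv4 header bytes."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # wire value counts 8-byte units
        "ttl": ttl,
        "protocol": proto,                              # 1 = ICMP, 17 = UDP
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }

def fragment_plan(payload_len: int, mtu: int = 1500, ihl: int = 20) -> list:
    """(offset, total_length, more_fragments) for each fragment of one datagram."""
    chunk = ((mtu - ihl) // 8) * 8   # every fragment but the last carries a multiple of 8 bytes
    plan, off = [], 0
    while off < payload_len:
        size = min(chunk, payload_len - off)
        plan.append((off, size + ihl, off + size < payload_len))
        off += size
    return plan

def build_header(ident, ttl, proto, flags_frag, total_len, src, dst) -> bytes:
    """Constructed sample header with a correct checksum (not captured traffic)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    raw = struct.pack(IPV4_FMT, 0x45, 0, total_len, ident, flags_frag, ttl, proto, 0, ip(src), ip(dst))
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]

# Constructed sample: first 1500-byte fragment of a ping, MF flag set, offset 0.
SAMPLE = build_header(60500, 254, 1, 0x2000, 1500, "10.37.9.2", "143.89.14.34")
```

`fragment_plan(3480)` (a 3500-byte datagram minus its 20-byte header) yields three fragments, matching the three packets counted in question 14.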

Thursday, December 1, 2011

Wireshark Lab: Ethernet and ARP

1. The ethernet address is 00:23:8b:b4:7d:3a.
2. No, the destination address is 01:00:5e:7f:ff:fa. This is the address of the router I am using.
3. The value is 0x0800
4. There are 52 bytes.

6. The address is 01:00:5e:7f:ff:fa which is the address of my router.
7. 01:00:5e:7f:ff:fa
8. 0x0800
9. 52 bytes.

11. They contain the physical addresses, IP addresses, MAC addresses, and type of protocol.

12. The source address is 00:17:fa:f3:f2:11, and the destination address is ff:ff:ff:ff:ff:ff.
13. The value is 0x0806.
14a. 20 bytes
14b. 0x0800
14c. Yes, 10.33.147.255
14d. The host's IP address is being queried
15a. 20 bytes
15b. 0x0002
15c. In the sender MAC address field.
16. Source Address: 00:17:fa:f3:f2:11, Destination Address ff:ff:ff:ff:ff:ff

17. There are not any replies because my computer didn't send the request. The ARP reply is sent back to the Ethernet address of the sender.

Wireshark Lab: DHCP

1. UDP
2. The port numbers are the same.
3. 00:22:15:96:cb:13
4. Option: (t=53,l=1) DHCP Message Type = DHCP Discover
5. The first transaction number is 0xdec5ef20. The second is 0xdec5ef20. IDs are used so the server can tell the difference between requests.
6. The client and server use the address 255.255.255.255 as the destination address. The server uses the computer's actual IP address as the source, and the client uses 0.0.0.0.
7. 10.33.147.254
8. The IP address is 10.33.147.254, and the message says Option: (t=53,l=1) DHCP Message Type = DHCP Offer.
9. There is no relay used because 0.0.0.0 is the address.
10. The router line shows the client what its gateway is. The subnet mask line shows the client what its subnet mask is.
11. The host requests the IP address, 10.33.147.254 in my experiment.
12. Lease time is the amount of time for which the DHCP server grants an IP address. In my experiment, it is 1 day.
13. The DHCP release message cancels the IP address that was given to the client by the server. The server does not send an acknowledgement. If the release message is dropped, then the server must wait until the lease time is up before that address can be used again.
14. Yes, there are ARP packets. This is done to make sure that the IP addresses are not already in use.