Wednesday, December 7, 2011

Wireshark Lab: ICMP

Worked with Tom Vear
1. HOST: 10.37.9.2
    DESTINATION HOST: 143.89.14.34
2. Because the ICMP packet only communicates between routers and hosts. The software can decipher the messages itself, therefore a port number is not assigned and an application layer process is not needed.
3. The ICMP type is 8 and the code number is 0. The ICMP has a data field, sequence number, identifier, and checksum. They are all two bytes.
4. Both the ICMP type and the code number are 0. There is a data field, sequence number, identifier, and checksum. They are all two bytes.

5. HOST: 10.37.9.254
    DESTINATION HOST: 193.51.193.149
6. No. If UDP packets were sent, the IP protocol number would change.
7. They have the same fields as the ping query packets.
8. The error packet isn't the same as the query packets. What it contains is the IP header packet and 8 bytes of the ICMP packet.
9. They are all echo reply messages. These are different because all of the packets made it to the destination before the time to live expired.
10. The jump between packets 15 and 16 represents the large jump. This is the link that crosses the ocean, therefore it takes longer.

Monday, December 5, 2011

Wireshark Lab: IP

Worked with Thomas Vear.

1. 216.92.151.75
2. The value of the header is ICMP
3. Because there are 56 bytes total, 20 of the bytes go to the IP header, and the other 36 are from the IP datagram.
4. The data is not fragmented because the fragment line = 0.


5. Time to live, Identification, and the header always change.
6. MUST STAY CONSTANT: header length, version, source IP, destination IP, upper layer protocol, services
MUST CHANGE: identification, header checksum, time to live.
7. The IP header fields change incrementally with each change in field.
8. Identification: 60500
Time to live: 254
9. The identification field will change for all of the ICMP time to live requests, but they will not change with a hop router because they are using the same router.

10. Yes, more than one IP datagram was used.
11. The fragment offset is 0, therefore this is the first fragment. The length is 1500 bytes.
12. It isn't the first fragment, because the offset is not 0.
13. The changes are offset, checksum, flags, total length.
14. 3 packets are created.
15. The fragment offset and checksum will change.
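The fragmentation answers above (questions 10 to 15) can be checked by working out the fragment fields directly. This is an added Python example, not part of the lab write-up; it assumes a 1500-byte Ethernet MTU and a 20-byte IP header, and the 3500-byte payload in the sample run is a constructed input paired with the lab's Identification value 60500.

```python
MTU = 1500          # Ethernet MTU assumed for the lab capture
IP_HEADER_LEN = 20  # IPv4 header with no options, as in the lab

def fragment(payload_len, identification, mtu=MTU):
    """Return the header fields Wireshark shows for each fragment of a datagram
    whose IP payload (ICMP header + data) is payload_len bytes. Every fragment but
    the last carries a multiple of 8 data bytes, Identification is copied unchanged,
    MF (More Fragments) is set on all but the last, and Fragment Offset counts 8-byte units."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8   # 1480 data bytes per fragment at MTU 1500
    fragments, offset_bytes = [], 0
    while offset_bytes < payload_len:
        data_len = min(max_data, payload_len - offset_bytes)
        fragments.append({
            "identification": identification,
            "total_length": IP_HEADER_LEN + data_len,
            "mf": offset_bytes + data_len < payload_len,
            "fragment_offset": offset_bytes // 8,
        })
        offset_bytes += data_len
    return fragments

def flags_offset_word(mf, fragment_offset, df=False):
    """Encode the 16-bit Flags / Fragment Offset word of the IPv4 header:
    bit 15 reserved, bit 14 DF, bit 13 MF, low 13 bits the offset in 8-byte units."""
    return (int(df) << 14) | (int(mf) << 13) | (fragment_offset & 0x1FFF)

def decode_flags_offset_word(word):
    return {"df": bool(word & 0x4000), "mf": bool(word & 0x2000),
            "fragment_offset": word & 0x1FFF}

def reassembly_complete(fragments):
    """Receiver-side check before reassembly: one Identification value, fragments
    contiguous from offset 0 with no gaps, and MF cleared only on the last one."""
    frags = sorted(fragments, key=lambda f: f["fragment_offset"])
    if len({f["identification"] for f in frags}) != 1:
        return False
    expected = 0
    for i, f in enumerate(frags):
        if f["fragment_offset"] * 8 != expected:
            return False
        expected += f["total_length"] - IP_HEADER_LEN
        if f["mf"] != (i < len(frags) - 1):
            return False
    return True

if __name__ == "__main__":
    # Constructed input: a 3500-byte ICMP payload with the lab's Identification value 60500
    for f in fragment(3500, 60500):
        print(f, hex(flags_offset_word(f["mf"], f["fragment_offset"])))
```

The 3500-byte run yields three fragments of total length 1500, 1500 and 560 with offsets 0, 185 and 370, matching answers 11 and 14.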

Thursday, December 1, 2011

Wireshark Lab: Ethernet and ARP

1. The Ethernet address is 00:23:8b:b4:7d:3a.
2. No, the destination address is 01:00:5e:7f:ff:fa. This is the address of the router I am using.
3. The value is 0x0800
4. There are 52 bytes.

6. The address is 01:00:5e:7f:ff:fa which is the address of my router.
7. 01:00:5e:7f:ff:fa
8. 0x0800
9. 52 bytes.

11. They contain the physical addresses, IP addresses, MAC addresses, and type of protocol.

12. The source address is 00:17:fa:f3:f2:11; the destination address is ff:ff:ff:ff:ff:ff.
13. The value is 0x0806.
14a. 20 bytes
14b. 0x0800
14c. Yes, 10.33.147.255
14d. The host's IP address is being queried
15a. 20 bytes
15b. 0x0002
15c. In the sender MAC address field.
16. Source Address: 00:17:fa:f3:f2:11, Destination Address: ff:ff:ff:ff:ff:ff

17. There are not any replies because my computer didn't send the request. The ARP reply is sent back to the Ethernet address of the sender.
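The Ethernet and ARP fields read off in questions 12 to 17 (EtherType 0x0806, opcodes 0x0001 and 0x0002, the ff:ff:ff:ff:ff:ff broadcast and the 01:00:5e multicast destination) can be built and decoded from raw bytes. This is an added Python example, not part of the lab; the lab's MAC addresses are reused, but the IP addresses in the sample frame are constructed.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806  # the two EtherType values seen in the lab
ARP_REQUEST, ARP_REPLY = 1, 2                   # ARP opcodes 0x0001 and 0x0002

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def build_arp_frame(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (dst, src, type 0x0806) followed by the 28-byte ARP body
    for IPv4 over Ethernet: hardware type 1, protocol type 0x0800, lengths 6 and 4."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp

def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype,
            "broadcast": dst == b"\xff" * 6,
            "multicast": bool(dst[0] & 1),  # group bit, set in 01:00:5e:7f:ff:fa
            "payload": frame[14:]}

def parse_arp(payload):
    fields = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return {"hardware_type": fields[0], "protocol_type": fields[1], "opcode": fields[4],
            "sender_mac": mac_str(fields[5]), "sender_ip": ip_str(fields[6]),
            "target_mac": mac_str(fields[7]), "target_ip": ip_str(fields[8])}

def describe(frame):
    """Reproduce the Info column text Wireshark shows for ARP frames; other EtherTypes are just named."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_ARP:
        return "EtherType 0x%04x (not ARP)" % eth["ethertype"]
    arp = parse_arp(eth["payload"])
    if arp["opcode"] == ARP_REQUEST:
        return "Who has %s? Tell %s" % (arp["target_ip"], arp["sender_ip"])
    if arp["opcode"] == ARP_REPLY:
        return "%s is at %s" % (arp["sender_ip"], arp["sender_mac"])
    return "ARP opcode %d" % arp["opcode"]

# Constructed sample: a broadcast request from the lab's source MAC; the IP addresses are made up
REQUEST = build_arp_frame("00:17:fa:f3:f2:11", "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                          "00:17:fa:f3:f2:11", "10.33.147.10", "00:00:00:00:00:00", "10.33.147.254")
```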

Wireshark Lab: DHCP

1. UDP
2. The port numbers are the same.
3. 00:22:15:96:cb:13
4. Option: (t=53,l=1) DHCP Message Type = DHCP Discover
5. The first transaction number is 0xdec5ef20. The second is 0xdec5ef20. IDs are used so the server can tell the difference between requests.
6. The client and server use the address 255.255.255.255 as the destination address. The server uses the computer's actual IP address as the source, and the client uses 0.0.0.0.
7. 10.33.147.254
8. The IP address is 10.33.147.254, and the message says Option: (t=53,l=1) DHCP Message Type = DHCP Offer.
9. There is no relay used because 0.0.0.0 is the address.
10. The router line shows the client what the gateway is. The subnet mask line shows the client what its subnet mask is.
11. The host requests the IP address, 10.33.147.254 in my experiment.
12. Lease time is the amount of time for which a DHCP server grants an IP address. In my experiment, it is 1 day.
13. The DHCP release message cancels the IP address that was given to the client by the server. The server does not send an acknowledgement. If the release message is dropped, then the server must wait until the lease time is up before that address can be used again.
14. Yes, there are ARP packets. This is done to make sure that the IP addresses are not already in use.

Wednesday, November 30, 2011

Wireshark Lab: UDP

1. Destination Port, Source Port, checksum, length
2. There are 13 header bytes
3. The total value is the 13 header bytes plus the 21 data bytes.
4. The max number of bytes is 65535-13 = 65522
5. The largest source port would be 65535
6. The protocol number is 17.

7. The checksum is calculated by adding together the 16-bit words of the header and the data, and the result is checked against the key, 0xffff.
8. The destination port of the host packet is the same as the source port of the reply packet.
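The checksum rule in question 7 (sum the 16-bit words, check against 0xffff) and the protocol number 17 from question 6 can be exercised end to end: build a segment, compute its checksum over the IPv4 pseudo-header plus header and data, then verify it the way a receiver does. This is an added Python example, not part of the lab; the addresses and ports in the sample are taken from the lab's subnet but the query payload is constructed.

```python
import struct

UDP_PROTOCOL = 17  # IP protocol number for UDP (question 6)

def ones_complement_sum(data):
    """Add the 16-bit big-endian words of data with end-around carry; an odd
    trailing byte is padded with a zero byte, as the checksum rules require."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, udp_length):
    """IPv4 pseudo-header also covered by the UDP checksum: src, dst, zero, protocol, length."""
    to_bytes = lambda addr: bytes(int(x) for x in addr.split("."))
    return struct.pack("!4s4sBBH", to_bytes(src_ip), to_bytes(dst_ip), 0, UDP_PROTOCOL, udp_length)

def udp_checksum(src_ip, dst_ip, segment):
    """Sender side: sum pseudo-header + header + data with the checksum field zeroed
    and take the one's complement. A result of 0 is sent as 0xFFFF, since 0 on the
    wire means 'no checksum computed'."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return csum or 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Assemble a UDP segment: source port, destination port, length, checksum, data."""
    length = 8 + len(payload)
    draft = struct.pack("!HHHH", sport, dport, length, 0) + payload
    return struct.pack("!HHHH", sport, dport, length, udp_checksum(src_ip, dst_ip, draft)) + payload

def verify_udp(src_ip, dst_ip, segment):
    """Receiver side: summing every word, transmitted checksum included, must give
    0xFFFF (the 'key' of question 7); any other value means the segment was corrupted."""
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length != len(segment):
        return False
    if csum == 0:
        return True  # sender skipped the checksum, which UDP over IPv4 permits
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment) == 0xFFFF

if __name__ == "__main__":
    # Constructed sample: a DNS-style query between two lab-subnet addresses
    seg = build_udp("10.33.147.196", "10.33.147.254", 63142, 53, b"constructed query")
    print(hex(struct.unpack("!H", seg[6:8])[0]), verify_udp("10.33.147.196", "10.33.147.254", seg))
```

Because the pseudo-header is part of the sum, the same segment fails verification if it is delivered to a different IP address, which is why a misrouted datagram is caught even though the UDP bytes are intact.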


Monday, November 14, 2011

Wireshark Lab 4: TCP

1. Source IP address: 69.171.227.60, source port: 80
2. UMass IP address: 128.119.245.12, port: 80


4. The TCP syn has a value of 0, but what identifies it as a syn segment is the value "1 syn:set"
5. The acknowledgement number is 1. The UMass website determines this value because it is acknowledging the SYN value.


6. The sequence number is 1.
7. POST: 5, 7, 11, 13, 16, 17      Sequence numbers: 1, 249, 725, 1388, 1709, 2196
    ACKS: 8, 10, 12, 14, 19, 20


8. POST 5: 248; POST 7, 11, 17, 19, 8: 724
9. The minimum window size is 16425. This does not throttle the buffer because the window size is so large and it will keep growing.
10. No, because one can see from the time graph that the packet rate, the time it takes, and the sequence numbers increase proportionally.
11. The receiver typically receives 16425 bytes of data per packet.
12. 16424 / 0.82977 = 19.79 kb/sec
13. The slow start begins at the start of the connection and ends shortly after. In the text examples, too much data is being sent on purpose so naturally the network will be congested quickly. In this example it is being sent in relatively small amounts so there is no congestion.

Monday, September 26, 2011

Wireshark Lab 3: DNS

PART 1

#'s 1, 2, 3

PART 2

PART 3

4. TCP
5. Port 53
6. Destination: 12.22.58.30; they are not the same
7. It is a type A and it doesn't contain any answers
8. www.ietf.org: type A, class IN, addr 12.22.58.30
9. Yes, it was sent to 12.22.58.30, which is the first address
10. No


11. Destination Port: 63142           Source Port: 53
12. 10.33.147.196; yes, they are the same
13. It is type A and doesn't contain any answers
14. Yes, 44.4.40.10.in-addr.arpa: type PTR, class IN, ecsu-sv26.easternct.edu

16. It was sent to 10.33.147.196 which is my server
17. It was an NS DNS query
18. There are no additional name servers


20. It is sent to 10.40.4.44, which is www.bitsy.edu
21. It is a type A query which has no answers.
22. Yes, 44.4.40.10.in-addr.arpa: type PTR, class IN, ecsu-sv26.easternct.edu