					                                                                                       CS2105/March 2006
                                 CS2105 Computer Networking I
                                   Laboratory Experiment 6

                         IP, ICMP, Ethernet and ARP∗
Objectives:
(1)        Understand the basic functions provided by IP, the IP header format and field
           descriptions.

(2)        Understand the functions of ICMP messages generated by Ping and Traceroute
           programs, and the format and contents of an ICMP message.

(3)        Understand the Ethernet protocol and the functions of ARP.

Part A: IP (Internet Protocol)

1.         Introduction
In the first part of this laboratory experiment, we’ll investigate the IP protocol, focusing on the
IP datagram. We’ll do so by analyzing a trace of IP datagrams sent and received by an
execution of the traceroute program (the traceroute program itself is explored in
more detail in Part B). We’ll investigate the various fields in the IP datagram, and study IP
fragmentation in detail.

Before beginning this experiment, you’ll probably want to review Section 1.6.3 in the text and
Section 3.4 of RFC 2151 [ftp://ftp.rfc-editor.org/in-notes/rfc2151.txt] to update yourself on the
operation of the traceroute program. You’ll also want to read Section 4.4 in the text, and
probably also have RFC 791 [ftp://ftp.rfc-editor.org/in-notes/rfc791.txt] on hand as well, for a
discussion of the IP protocol.

2.         Capturing Packets from an Execution of Traceroute

In order to generate a trace of IP datagrams for this lab, we’ll use the traceroute program to
send datagrams of different sizes towards some destination, X. Recall that traceroute
operates by first sending one or more datagrams with the time-to-live (TTL) field in the IP
header set to 1; it then sends a series of one or more datagrams towards the same destination
with a TTL value of 2; it then sends a series of datagrams towards the same destination with a
TTL value of 3; and so on. Recall that a router must decrement the TTL in each received
datagram by 1 (actually, RFC 791 says that the router must decrement the TTL by at least one).
If the TTL reaches 0, the router returns an ICMP message (type 11 - TTL-exceeded) to the
sending host. As a result of this behavior, a datagram with a TTL of 1 (sent by the host
executing traceroute) will cause the router one hop away from the sender to send an ICMP
TTL-exceeded message back to the sender; the datagram sent with a TTL of 2 will cause the
router two hops away to send an ICMP message back to the sender; the datagram sent with a
TTL of 3 will cause the router three hops away to send an ICMP message back to the sender;
and so on. In this manner, the host executing traceroute can learn the identities of the

∗
    This laboratory experiment is based on the Ethereal labs that accompany Computer Networking: A Top-Down Approach by Kurose and Ross.
routers between itself and destination X by looking at the source IP addresses in the datagrams
containing the ICMP TTL-exceeded messages. (A router that is configured not to send ICMP errors,
or that rate-limits them, simply shows up as a hop with no reply.)

We’ll also want to run traceroute and have it send datagrams of various lengths. On
Linux/Unix, the traceroute command allows the size of the UDP datagram sent towards
the destination to be explicitly set by indicating the number of bytes in the datagram. This value
is entered in the traceroute command line immediately after the name or address of the
destination. For example, to send traceroute datagrams of 2000 bytes towards server.lab,
the command would be:         %traceroute server.lab 2000

Do the following:

       (1)   Start up the Ethereal packet sniffer on Router−“BenchNo”, and begin Ethereal
             packet capture.

       (2)   On PC1−“BenchNo” (using a Unix platform), enter three traceroute
             commands, one with a length of 56 bytes, one with a length of 2000 bytes, and one
             with a length of 3500 bytes. Select another PC1−“BenchNo” computer as the
             destination in the traceroute commands.

       (3)   When the traceroute program terminates, stop the packet capture in Ethereal.

3.     A Look at the Captured Trace

In your trace, you should be able to see the series of UDP datagrams (in the case of Unix) or
ICMP Echo Request messages (in the case of a Windows machine) sent by the local computer
and the ICMP TTL-exceeded messages returned to the computer by the intermediate routers.
Answer the following questions:

Q1.    Select the first ICMP Echo Request message (or UDP datagram) sent by your computer,
       and expand the Internet Protocol part of the packet in the packet details window.




       What is the IP address of your computer? Within the IP packet header, what is the
       value in the upper layer protocol field?

                                                2
                                                                          CS2105/March 2006

Q2.    How many bytes are in the IP header? How many bytes are in the payload of the IP
       datagram? Explain how you determined the number of payload bytes.

Q3.    Has this IP datagram been fragmented? Explain how you determined whether or not
       the datagram has been fragmented.

Next, sort the traced packets according to IP source address by clicking on the Source column
header; a small downward pointing arrow should appear next to the word Source. If the arrow
points up, click on the Source column header again. Select the first ICMP Echo Request
message (or UDP datagram) sent by the local computer, and expand the Internet Protocol
portion in the “details of selected packet header” window. In the “listing of captured packets”
window, you should see all of the subsequent ICMP messages (perhaps with additional
interspersed packets sent by other protocols running on your computer) below this first one.
Use the down arrow to move through the ICMP messages sent by the computer.

Q4.    Which fields in the IP datagram always change from one datagram to the next
       within this series of ICMP messages sent by your computer?

Q5.    Which fields stay constant? Which of the fields must stay constant? Which fields must
       change? Why?

Next (with the packets still sorted by source address), find the series of ICMP TTL-exceeded
replies sent to your computer by the nearest (first hop) router.

Q6.    What is the value in the Identification field and the TTL field?

Q7.    Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to
       your computer by the nearest (first hop) router? Why?

To study IP fragmentation, sort the packet listing according to time again by clicking on the
Time column.

Q8.    Find the first ICMP Echo Request message (or UDP datagram) that was sent by the local
       computer after you changed the Packet Size in the traceroute command to be 2000.
       Has that message been fragmented across more than one IP datagram?

Q9.    Identify the first fragment of the fragmented IP datagram. What information in the IP
       header indicates that the datagram has been fragmented? What information in the IP
       header indicates whether this is the first fragment or a later fragment? How long is this
       IP datagram?

Q10.   Identify the second fragment of the fragmented IP datagram. What information in the IP
       header indicates that this is not the first datagram fragment? Are there more fragments?
       How can you tell?

Q11.   What fields change in the IP header between the first and second fragment?

Now find the first ICMP Echo Request message (or UDP datagram) that was sent by your local
computer after you changed the Packet Size in the traceroute command to be 3500.

Q12.   How many fragments were created from the original datagram?


Q13.   What fields change in the IP header among the fragments?
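Worked example (added here; it is not part of the original handout and not code from Ethereal or traceroute): the following Python reads the same header fields Ethereal shows in the Internet Protocol subtree and fragments a datagram the way a router does when the datagram exceeds the link MTU. The addresses 10.0.0.5 and 10.0.0.9, the identification value 0x1234 and the 1500-byte Ethernet MTU are assumptions; the 56-, 2000- and 3500-byte sizes are the traceroute lengths used in step (2).

```python
"""IPv4 header dissection and fragmentation, standard library only.

Added example for this lab; not code from the handout or from Ethereal/traceroute.
The addresses, identification value and MTU below are assumed values.
"""
import struct
from socket import inet_aton, inet_ntoa

IPV4_FMT = "!BBHHHBBH4s4s"            # fixed 20-byte IPv4 header, network byte order
IPV4_HDR_LEN = struct.calcsize(IPV4_FMT)
PROTO_ICMP, PROTO_UDP = 1, 17          # upper-layer protocol field values (Q1)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, used for the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(payload, *, src, dst, proto, ident, ttl=64, df=False, mf=False, offset=0):
    """Assemble a datagram without options; offset is in bytes and a multiple of 8."""
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (offset // 8)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, IPV4_HDR_LEN + len(payload), ident, flags_frag,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]   # checksum at bytes 10-11
    return hdr + payload


def parse_ipv4(dgram):
    """The fields Ethereal lists in the 'Internet Protocol' subtree."""
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_FMT, dgram[:IPV4_HDR_LEN])
    ihl = (vihl & 0x0F) * 4                        # header length in bytes (Q2)
    return {
        "version": vihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "payload_len": total_len - ihl,            # Q2: total length minus header length
        "id": ident,
        "df": bool(flags_frag & 0x4000),           # don't fragment
        "mf": bool(flags_frag & 0x2000),           # more fragments follow
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # the field is stored in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": inet_ntoa(src),
        "dst": inet_ntoa(dst),
        # a correct header sums to zero once the checksum field itself is included
        "checksum_ok": inet_checksum(dgram[:ihl]) == 0,
    }


def is_fragmented(dgram):
    """Q3/Q9/Q10: a fragment has MF set, a non-zero fragment offset, or both."""
    h = parse_ipv4(dgram)
    return h["mf"] or h["frag_offset"] != 0


def fragment(dgram, mtu=1500):
    """Split a datagram into pieces that fit the link MTU, as a router must (RFC 791)."""
    h = parse_ipv4(dgram)
    if len(dgram) <= mtu:
        return [dgram]
    if h["df"]:
        raise ValueError("DF set: a router must drop it and send ICMP fragmentation needed")
    payload = dgram[h["header_len"]:]
    step = (mtu - h["header_len"]) // 8 * 8        # payload bytes per fragment, multiple of 8
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        last = off + len(chunk) == len(payload)
        frags.append(build_ipv4(chunk, src=h["src"], dst=h["dst"], proto=h["proto"],
                                ident=h["id"], ttl=h["ttl"], mf=not last, offset=off))
    return frags


def fragment_summary(total_len, mtu=1500):
    """(identification, fragment offset, MF, total length) for each fragment of a
    total_len-byte UDP datagram, assumed to be 10.0.0.5 -> 10.0.0.9 with id 0x1234."""
    dgram = build_ipv4(bytes(total_len - IPV4_HDR_LEN), src="10.0.0.5", dst="10.0.0.9",
                       proto=PROTO_UDP, ident=0x1234)
    return [(f["id"], f["frag_offset"], f["mf"], f["total_len"])
            for f in map(parse_ipv4, fragment(dgram, mtu))]


if __name__ == "__main__":
    for size in (56, 2000, 3500):                  # the three traceroute lengths from step (2)
        print(size, fragment_summary(size))
```

Running it prints one line per size: 56 bytes is not fragmented; 2000 bytes becomes two fragments (1500 and 520 bytes, offsets 0 and 1480); 3500 bytes becomes three (offsets 0, 1480 and 2960). All fragments share the Identification value, only the last has MF clear, and only the first carries the UDP header, which is why Ethereal shows the later fragments as plain IP. Total length, flags, fragment offset and header checksum are the fields that differ between fragments (Q11, Q13).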


Part B: ICMP (Internet Control Message Protocol)

4.     Introduction

In this part, we’ll explore several aspects of the ICMP protocol: ICMP messages generated by
the ping program; ICMP messages generated by the traceroute program; and the format
and contents of an ICMP message. Before attacking this lab, you’re encouraged to review the
ICMP material in the textbook (Section 4.4.3).

5.     ICMP and Ping

Let’s begin our ICMP adventure by going through the following example, which captures the
packets generated by the ping program. You may recall that ping is a simple tool that lets
anyone (for example, a network administrator) check whether a host is reachable. The ping
program on the source host sends a packet to the target IP address; if the target is up (and
nothing on the path filters the traffic), the ping program on the target host responds by
sending a packet back to the source host. As you might have guessed, both of these ping
packets are ICMP packets.

In the example, the figure below shows the Command Prompt Window after entering the ping
command, i.e., type either “ping -n 10 hostname” or “c:\windows\system32\ping -n 10
hostname” in the MS-DOS command line (without quotation marks), where hostname is a host
on another continent. The argument “-n 10” indicates that 10 ping messages should be sent.
The source ping program is in Massachusetts and the destination ping program is in Hong
Kong (e.g., the www.ust.hk for the Web server at Hong Kong University of Science and
Technology). From this window we see that the source ping program sent 10 query packets
and received 10 responses. Note also that for each response, the source calculates the
round-trip time (RTT), which for the 10 packets is on average 375 msec.




The figure below provides a screenshot of the Ethereal output, after “icmp” has been entered
into the filter display window. Note that the packet listing shows 20 packets: the 10 ping
queries sent by the source and the 10 ping responses received by the source. Also note that
the source’s IP address is a private address (the host sits behind a NAT, Network Address
Translation, device) from the 192.168.0.0/16 block reserved by RFC 1918; the destination’s IP
address is that of the Web server at HKUST.
Now let’s zoom in on the first packet (sent by the client); in the figure below, the packet
contents area provides information about this packet. We see that the IP datagram within this
packet has protocol number 01, which is the protocol number for ICMP. This means that the
payload of the IP datagram is an ICMP packet.




The figure below focuses on the same ICMP but has expanded the ICMP protocol information
in the packet contents window. Observe that this ICMP packet is of Type 8 and Code 0 - a
so-called ICMP “echo request” packet. (See Figure 4.21 of text.) Also note that this ICMP
packet contains a checksum, an identifier, and a sequence number.





Now, do the following:

       (4)   Start up the Ethereal packet sniffer on Router−“BenchNo”, and begin Ethereal
             packet capture.

       (5)   On your PC1−“BenchNo” computer, enter the ping command with the host
             name or address of another PC1−“BenchNo” computer as the destination.

       (6)   When the ping program terminates, stop the packet capture in Ethereal.

Answer the following questions:

Q14.   What is the IP address of your source host? What is the IP address of the destination
        host? Why is it that an ICMP packet does not have source and destination port
       numbers?

Q15.   Examine one of the ping request packets sent by your local computer. What are the
       ICMP type and code numbers? What other fields does this ICMP packet have? How
       many bytes are the checksum, sequence number and identifier fields?

Q16.   Examine the corresponding ping reply packet. What are the ICMP type and code
       numbers? What other fields does this ICMP packet have? How many bytes are the
       checksum, sequence number and identifier fields?



6.     ICMP and Traceroute

Let’s now continue our ICMP adventure by capturing the packets generated by the
traceroute program. You may recall that the traceroute program can be used to figure
out the path a packet takes from source to destination. Traceroute is discussed in Section
1.6 and in Section 4.4 of the text.

Traceroute is implemented in different ways in Unix/Linux and in Windows. In
Unix/Linux, the source sends a series of UDP packets to the target destination using an
unlikely destination port number; in Windows, the source sends a series of ICMP echo request
packets to the target destination. For both operating systems, the program sends the first
packet with TTL=1, the second packet with TTL=2, and so on. Recall that a router decrements a
packet’s TTL as the packet passes through it. When a packet arrives at a router with TTL=1,
decrementing it would give 0, so the router discards the packet and sends an ICMP Time
Exceeded error (type 11) back to the source. In the following example, the native Windows
tracert program is used.

The figure below is a Command Prompt window that displays the results of the traceroute
program. The client traceroute program is in Massachusetts and the target destination is in
France. From the figure, we see that for each TTL value, the source program sends three probe
packets. Traceroute displays the RTTs for each of the probe packets, as well as the IP
address (and possibly the name) of the router that returned the ICMP TTL-exceeded message.








The figure below displays the Ethereal window for an ICMP packet returned by a router. Note
that this ICMP error packet contains many more fields than the ping ICMP messages.




Do the following:

       (7)   Start up the Ethereal packet sniffer on Router−“BenchNo”, and begin Ethereal
             packet capture.

       (8)   On your PC1−“BenchNo” computer, enter the traceroute command with the
             host name or address of another PC1−“BenchNo” computer as the destination.


       (9)   When the traceroute program terminates, stop the packet capture in Ethereal.

Answer the following questions:

Q17.   What is the IP address of your source host? What is the IP address of the destination
       host?

Q18.   If traceroute sent UDP probe packets instead (as the Unix/Linux version does), would
       the IP protocol number still be 01 for the probe packets? If not, what would it be?

Q19.   Examine the ICMP echo packet in your screenshot. Is this different from the ICMP
       ping query packets in Section 5? If yes, how so?

Q20.   Examine the ICMP error packet in your screenshot. It has more fields than the ICMP
       echo packet. What is included in those fields?

Q21.   Examine the last three ICMP packets received by the source host. How are these
       packets different from the ICMP error packets? Why are they different?
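Worked example for Sections 2, 5 and 6 (added here; it is not code from the handout, from ping, from tracert or from Ethereal): the Python below builds and dissects ICMP echo request/reply and Time Exceeded messages, applies the RFC 791 forwarding rule at each simulated router, and runs a traceroute through three assumed routers. All addresses (10.0.0.5, 10.0.0.9 and the 10.0.x.1 routers), ports and identifiers are made up for illustration.

```python
"""ICMP echo / Time Exceeded messages and the TTL mechanics behind traceroute.

Added example for this lab; not code from the handout, ping, tracert or Ethereal.
Addresses, ports and identifiers below are assumed values for illustration.
"""
import struct
from socket import inet_aton, inet_ntoa

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11
PROTO_ICMP, PROTO_UDP = 1, 17
SRC, DST = "10.0.0.5", "10.0.0.9"          # assumed source host and traceroute target


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IP header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident, seq, data, reply=False):
    """Type 8/0 (request) or 0/0 (reply): type and code (1 byte each), then checksum,
    identifier and sequence number (2 bytes each), then the data (Q15/Q16)."""
    typ = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    body = struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_time_exceeded(expired):
    """Type 11 code 0 (RFC 792): 4 unused bytes, then the IP header and the first 8 bytes
    of the datagram whose TTL ran out; this is why it is longer than an echo (Q20)."""
    ihl = (expired[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + expired[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp(msg):
    out = {"type": msg[0], "code": msg[1], "checksum_ok": inet_checksum(msg) == 0}
    if msg[0] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["data"] = msg[8:]
    elif msg[0] == ICMP_TIME_EXCEEDED:
        inner = msg[8:]                         # quoted IP header + 8 bytes of its payload
        ihl = (inner[0] & 0x0F) * 4
        out.update(inner_ttl=inner[8], inner_proto=inner[9],
                   inner_src=inet_ntoa(inner[12:16]), inner_dst=inet_ntoa(inner[16:20]))
        l4 = inner[ihl:ihl + 8]
        if inner[9] == PROTO_UDP:               # Unix traceroute matches replies by UDP port
            out["inner_sport"], out["inner_dport"] = struct.unpack("!HH", l4[:4])
        elif inner[9] == PROTO_ICMP:            # Windows tracert matches by echo id/seq
            out["inner_id"], out["inner_seq"] = struct.unpack("!HH", l4[4:8])
    return out


def build_probe(ttl, dport=33434, proto=PROTO_UDP):
    """A constructed traceroute probe: UDP to an 'unlikely' port (Unix) or an ICMP echo
    request (Windows), inside an IPv4 header with the given TTL."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + 24, 0) + bytes(24)  # UDP checksum 0 = none
    else:
        l4 = build_echo(0x0100, ttl, bytes(32))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x2B3C, 0, ttl, proto, 0,
                      inet_aton(SRC), inet_aton(DST))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + l4


def router_forward(dgram, router_ip):
    """RFC 791 forwarding: if the TTL would reach 0, discard the datagram and return a
    Time Exceeded whose IP source is the router itself; otherwise decrement the TTL and
    recompute the header checksum (the two fields a router rewrites on every hop)."""
    ttl = dgram[8]
    if ttl <= 1:
        return {"action": "time_exceeded", "from": router_ip, "icmp": build_time_exceeded(dgram)}
    hdr = bytearray(dgram[:(dgram[0] & 0x0F) * 4])
    hdr[8], hdr[10:12] = ttl - 1, b"\x00\x00"
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return {"action": "forwarded", "datagram": bytes(hdr) + dgram[len(hdr):]}


def traceroute(path, max_ttl=8):
    """One probe per TTL through the routers in `path`; returns (ttl, replying router,
    quoted UDP destination port) per hop, and None for the port once the target is reached."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        dgram = build_probe(ttl, dport=33433 + ttl)  # traceroute bumps the port per probe
        for router in path:
            r = router_forward(dgram, router)
            if r["action"] == "time_exceeded":
                hops.append((ttl, r["from"], parse_icmp(r["icmp"])["inner_dport"]))
                break
            dgram = r["datagram"]
        else:                                       # passed every router: target reached
            hops.append((ttl, DST, None))
            break
    return hops


if __name__ == "__main__":
    for hop in traceroute(["10.0.1.1", "10.0.2.1", "10.0.3.1"]):
        print(hop)
```

Two things to take from this for Q20 and Q21: the Time Exceeded message quotes the expired datagram’s IP header plus its first 8 bytes, which is exactly enough for traceroute to read the UDP ports (or the echo identifier and sequence number) and match the error to the probe it sent; and the simulation simply stops when a probe reaches the target, whereas a real Unix traceroute then receives an ICMP Destination Unreachable (port unreachable) from the target and Windows tracert receives an echo reply, which is what makes the last replies differ from the earlier error messages.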


Part C: Ethernet and ARP (Address Resolution Protocol)

7.     Introduction

In this part, we’ll investigate the Ethernet protocol and ARP. Before beginning this lab,
you’ll probably want to review Sections 5.5 (Ethernet), 5.4.1 (Link layer addressing) and 5.4.2
(ARP) in the text. RFC 826 (ftp://ftp.rfc-editor.org/in-notes/std/std37.txt) contains the details
of the ARP protocol, which is used by an IP device to determine the Ethernet address of an
interface on the same link whose IP address is known.

8.     Capturing and Analyzing Ethernet Frames

Let’s begin by capturing a set of Ethernet frames to study. Do the following:

       (10) First, start up your Web browser on PC1−“BenchNo”, and make sure your
            browser’s cache is empty.

       (11) Start up the Ethereal packet sniffer on Router−“BenchNo”.

       (12) Enter the following URL into your browser:
                 http://server.lab/ethereal-labs/HTTP-ethereal-lab-file3.html
            Your browser should display the rather lengthy US Bill of Rights.

       (13) Stop Ethereal packet capture. First, find the packet numbers (the leftmost column
            in the upper Ethereal window) of the HTTP GET message that was sent from the
            local computer to the server.lab server, as well as the beginning of the HTTP
            response message sent to the local computer by server.lab. You should see a
            screen that looks something like this (where packet 10 in the screen shot below
            contains the HTTP GET message):







       (14) Since this part is about Ethernet and ARP, we’re not interested in IP or higher
            layer protocols. So let’s change Ethereal’s “listing of captured packets” window
            so that it shows information only about protocols below IP. To have Ethereal do
            this, select Analyze->Enabled Protocols. Then uncheck the IP box and select OK.
            You should now see an Ethereal window that looks like:




In order to answer the following questions, you’ll need to look into the packet details and
packet contents windows (the middle and lower display windows in Ethereal).

Select the Ethernet frame containing the HTTP GET message. (Recall that the HTTP GET
message is carried inside of a TCP segment, which is carried inside of an IP datagram, which is
carried inside of an Ethernet frame; reread Section 1.7.2 in the text if you find this nesting a bit
confusing). Expand the Ethernet II information in the packet details window. Note that the


contents of the Ethernet frame (header as well as payload) are displayed in the packet contents
window.

Answer the following questions, based on the contents of the Ethernet frame containing the
HTTP GET message.

Q22.   What is the 48-bit Ethernet address of your local computer?

Q23.   What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet
       address of server.lab? What device has this as its Ethernet address? [Note: this is an
       important question, and one that students sometimes get wrong. Re-read pages
       450-451 in the text and make sure you understand the answer here.]

Q24.   Give the hexadecimal value for the two-byte Frame type field. Which upper-layer
       protocol does this value say is carried in the frame’s payload?

Q25.   How many bytes from the very start of the Ethernet frame does the ASCII “G” in
       “GET” appear in the Ethernet frame?

Q26.   What is the hexadecimal value of the CRC field in this Ethernet frame? If Ethereal shows
       no CRC (frame check sequence) at all, explain why: the network adapter normally verifies
       and strips the 4-byte FCS before handing the frame to the operating system, so it is
       usually absent from a capture.

Next, answer the following questions, based on the contents of the Ethernet frame containing
the first byte of the HTTP response message.

Q27.   What is the value of the Ethernet source address? Is this the address of your local
       computer, or of the server.lab server. What device has this as its Ethernet address?

Q28.   What is the destination address in the Ethernet frame? Is this the Ethernet address of
       your local computer?

Q29.   Give the hexadecimal value for the two-byte Frame type field. Which upper-layer
       protocol does this value say is carried in the frame’s payload?

Q30.   How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK”
       (i.e., the HTTP response code) appear in the Ethernet frame?

Q31.   What is the hexadecimal value of the CRC field in this Ethernet frame? (The same caveat
       as in Q26 applies if no CRC is shown.)

9.     The ARP

In this section, we’ll observe the ARP – Address Resolution Protocol in action. We strongly
recommend that you re-read Section 5.4.2 in the text before proceeding. Keep in mind while
reading the trace that ARP has no authentication: any host on the segment may answer a
request, or send a reply that nobody asked for, and the receiving host’s cache records what it
heard.

ARP Caching

Recall that the ARP protocol typically maintains a cache of IP-to-Ethernet address translation
pairs on your computer. The arp command (in both MSDOS and Linux/Unix) is used to view
and manipulate the contents of this cache. Since the arp command and the ARP protocol have
the same name, it’s understandably easy to confuse them. But keep in mind that they are
different - the arp command is used to view and manipulate the ARP cache contents, while the
ARP protocol defines the format and meaning of the messages sent and received, and defines
the actions taken on message transmission and receipt.

Let’s take a look at the contents of the ARP cache on your computer. (For Linux/Unix, the
executable for the arp command can be in various places. Popular locations are /sbin/arp for
linux and /usr/etc/arp for some Unix variants.) The arp command with no arguments will
display the contents of the ARP cache on your computer. Run the arp command.

Q32.   Write down the contents of your computer’s ARP cache. What is the meaning of each
       column value?

In order to observe your computer sending and receiving ARP messages, we’ll need to clear the
ARP cache, since otherwise your computer is likely to find a needed IP-Ethernet address
translation pair in its cache and consequently not need to send out an ARP message. On
Windows, arp -d * clears the whole ARP cache. On Linux/Unix, arp -d removes one entry at a
time (arp -d hostname), or the whole cache can be flushed with ip neigh flush all; root
privileges are needed for these commands.

Observing ARP in action

Do the following:

       (15) Clear your ARP cache, as described above.

       (16) First, start up your Web browser on PC1−“BenchNo”, and make sure your
            browser’s cache is empty.

       (17) Start up the Ethereal packet sniffer on Router−“BenchNo”.

       (18) Enter the following URL into your browser:
                 http://server.lab/ethereal-labs/HTTP-ethereal-lab-file3.html
            Your browser should again display the rather lengthy US Bill of Rights.

       (19) Stop the Ethereal packet capture and, as in step (14), show only the protocols
            below IP. You should see something like:





In the example above, the first two frames in the trace contain ARP messages (as does the 6th
message). Answer the following questions:

Q33.   What are the hexadecimal values for the source and destination addresses in the
       Ethernet frame containing the ARP request message?

Q34.   Give the hexadecimal value for the two-byte Ethernet Frame type field. Which protocol
       does this value say is carried in the frame’s payload?

Q35.   The figure below gives the ARP message format. Now find the ARP reply that was
       sent in response to the ARP request.




       (a)    How many bytes from the very beginning of the Ethernet frame does the ARP
              operation (or opcode) field begin?

       (b)    What is the value of the operation (or opcode) field within the ARP-payload
              part of the Ethernet frame in which an ARP response is made?

       (c)    Where in the ARP message does the “answer” to the earlier ARP request appear,
              i.e. the Ethernet address of the machine whose IP address was being queried?

       (d)    Does the ARP message contain the IP address of the sender?

Q36.   What are the hexadecimal values for the source and destination addresses in the
       Ethernet frame containing the ARP reply message? What do they imply?
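Worked example for Sections 8 and 9 (added here; it is not code from the handout or from Ethereal): the Python below dissects Ethernet II headers and ARP messages from constructed frames, computes where the TCP payload (the “G” of GET) starts, and checks an ARP reply against the request it answers. Every MAC address (locally administered 02:00:00:00:00:xx values) and IP address is made up; 02:00:00:00:00:fe plays the part of the default router’s interface, the device Q23 asks about.

```python
"""Ethernet II and ARP dissection with constructed frames, standard library only.

Added example for this lab; not code from the handout or from Ethereal. Every MAC
address (locally administered 02:00:00:00:00:xx) and IP address here is made up.
"""
import struct
from socket import inet_aton, inet_ntoa

ETH_FMT, ETH_HDR_LEN = "!6s6sH", 14               # destination, source, type
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806      # Frame type values (Q24, Q29, Q34)
ARP_FMT, ARP_LEN = "!HHBBH6s4s6s4s", 28             # RFC 826 layout for Ethernet/IPv4
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_OPCODE_OFFSET = ETH_HDR_LEN + 6                 # Q35(a): after htype, ptype, hlen, plen
ARP_SHA_OFFSET = ARP_OPCODE_OFFSET + 2              # Q35(c): sender hardware address
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def frame(dst, src, ethertype, payload):
    return struct.pack(ETH_FMT, mac_bytes(dst), mac_bytes(src), ethertype) + payload


def parse_ethernet(f):
    dst, src, etype = struct.unpack(ETH_FMT, f[:ETH_HDR_LEN])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": etype, "payload": f[ETH_HDR_LEN:]}


def tcp_payload_offset(f):
    """Q25/Q30: offset from the start of the frame of the first TCP payload byte."""
    eth = parse_ethernet(f)
    if eth["type"] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = eth["payload"]
    ihl = (ip[0] & 0x0F) * 4                   # IP header length from the IHL nibble
    if ip[9] != 6:
        raise ValueError("not TCP")
    data_off = (ip[ihl + 12] >> 4) * 4         # TCP data offset, in 32-bit words
    return ETH_HDR_LEN + ihl + data_off


def constructed_get_frame(tcp_options=b""):
    """The lab's HTTP GET inside TCP/IP/Ethernet. The destination MAC is the default
    router's, not server.lab's (Q23). IP/TCP checksums are left at 0: not checked here."""
    http = (b"GET /ethereal-labs/HTTP-ethereal-lab-file3.html HTTP/1.1\r\n"
            b"Host: server.lab\r\n\r\n")
    data_off_flags = ((20 + len(tcp_options)) // 4) << 12 | 0x18      # PSH, ACK
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, data_off_flags, 65535, 0, 0) + tcp_options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0x4000,
                     64, 6, 0, inet_aton("10.0.0.5"), inet_aton("10.0.0.9"))
    return frame("02:00:00:00:00:fe", "02:00:00:00:00:01", ETHERTYPE_IPV4, ip + tcp + http)


def build_arp(op, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, ETHERTYPE_IPV4, 6, 4, op,
                       mac_bytes(sha), inet_aton(spa), mac_bytes(tha), inet_aton(tpa))


def parse_arp(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    return {"htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen, "op": op,
            "sha": mac_str(sha), "spa": inet_ntoa(spa), "tha": mac_str(tha), "tpa": inet_ntoa(tpa)}


def arp_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip?': Ethernet broadcast, target hardware address all zeros (Q33)."""
    return frame(BROADCAST, sender_mac, ETHERTYPE_ARP,
                 build_arp(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip))


def arp_reply(req_frame, my_mac):
    """Unicast back to the requester; the sender hardware address carries the answer (Q36)."""
    req = parse_arp(parse_ethernet(req_frame)["payload"])
    return frame(req["sha"], my_mac, ETHERTYPE_ARP,
                 build_arp(ARP_REPLY, my_mac, req["tpa"], req["sha"], req["spa"]))


def reply_answers_request(req_frame, rep_frame):
    """Consistency checks before trusting a reply: it answers this request's target IP,
    is addressed to the requester, and its Ethernet source equals the ARP sender
    hardware address. ARP itself verifies none of this."""
    req = parse_arp(parse_ethernet(req_frame)["payload"])
    eth = parse_ethernet(rep_frame)
    rep = parse_arp(eth["payload"])
    return (eth["type"] == ETHERTYPE_ARP and rep["op"] == ARP_REPLY
            and rep["spa"] == req["tpa"] and rep["tpa"] == req["spa"]
            and rep["tha"] == req["sha"] and eth["dst"] == req["sha"]
            and eth["src"] == rep["sha"])
```

With a 20-byte IP header and a 20-byte TCP header the “G” sits at byte 54 of the frame; with 12 bytes of TCP options the answer becomes 66, so read the TCP header length from the trace rather than assuming it. The ARP opcode begins 20 bytes into the frame, and the answer to a request is the reply’s sender hardware address at bytes 22 to 27. The last function is the check a practitioner applies before acting on a reply, because a forged reply that passes ARP’s own rules is indistinguishable from a genuine one at the protocol level.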



                                         − END −





				