
School of Computing and Information Systems
COMP30023: Computer Systems

Practical Week 11


Sniffing packets with Wireshark, and understanding IP addresses

1 Wireshark
You have come across Wireshark in a previous lab. Review that lab if you have forgotten how to use it. Here
we will use Wireshark to study some of the protocols you have come across in this course. It is easiest to run
this section on your local computer rather than the VM.

1.1 IP carrying TCP
1. Start a capture using the shark fin at the top left

2. Select any packet with protocol TCP or something that runs over TCP, like TLS or HTTP

3. Expand the “Internet Protocol” line in the bottom frame, using the triangle on the left of the line

4. Expand the lines “Differentiated Services” and “Flags”

5. Match each field to the location in the IP header shown in the lecture slides

6. Try to understand what each value means.

• Does this packet support Explicit Congestion Notification (ECN)?
• What does “Header length 20 (5)” mean? Why are there two numbers?
• Look at the identification number. Compare that with another packet you capture. Are they the

7. Repeat this for a few other packets that you capture.

• Which IP header fields seem to have the same value in most packets, and which seem to vary?

1.2 IP carrying UDP
1. Repeat the above for packets with protocol UDP or something that runs over UDP, like DNS.

2. Which IP header fields have the same values as for the TCP case, and which are different?
In particular, are there any fields that are the same for all TCP packets, and the same for all UDP packets,
but differ between TCP and UDP packets? Which ones?
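As an added example (not part of the lab sheet), the Python below decodes the IPv4 fields asked about in 1.1 and 1.2 from a constructed 20-byte header: it shows where the two numbers in “Header length 20 (5)” come from, how the ECN codepoint is read out of the Differentiated Services byte, and how the per-packet header checksum is verified.

```python
import struct

# Constructed sample (not from a real capture): a 20-byte IPv4 header, no options,
# carrying TCP from 192.168.0.1 to 192.168.0.199 with DF set and ECN bits 00.
SAMPLE_IPV4_HEADER = bytes.fromhex("4500003c1c46400040069c5dc0a80001c0a800c7")

ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}  # RFC 3168 codepoints


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed IPv4 header fields, named as Wireshark labels them."""
    if len(data) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = ver_ihl & 0x0F  # header length in 32-bit words: the "(5)" in "20 (5)"
    return {
        "version": ver_ihl >> 4,
        "ihl_words": ihl,
        "header_len_bytes": ihl * 4,  # the "20": 5 words * 4 bytes each
        "dscp": tos >> 2,
        "ecn": ECN_NAMES[tos & 0x03],  # low two bits of the DS byte
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,  # 6 = TCP, 17 = UDP
        "checksum": checksum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def ipv4_checksum_ok(data: bytes) -> bool:
    """Recompute the one's-complement sum over the whole header, checksum field
    included; an intact header sums to 0xFFFF, so its complement is zero."""
    ihl_bytes = (data[0] & 0x0F) * 4
    total = sum(struct.unpack("!%dH" % (ihl_bytes // 2), data[:ihl_bytes]))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) == 0
```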

1.3 Monitoring HTTP requests
1. Start a new capture (using the shark fin at the top left).

2. Visit http://example.com and stop the capture.

3. Enter into the filter: http.host matches "example.com".
Q: What packet(s) do you see?

4. Now right click on the first packet and Follow the HTTP Stream.


1.4 Address Resolution Protocol (ARP)
The Internet Protocol runs on top of other network protocols, each of which has its own addressing scheme.
IP hosts find the addresses of hosts on the underlying network (called the “link layer” by most TCP/IP
people), such as Ethernet or WiFi, using the Address Resolution Protocol (ARP).

Whenever an IP host wants to send to another IP node on the same network, such as the router, it must have
that node’s address. This is typically called a MAC address, and sometimes erroneously called a hardware
address. This is usually cached, but if the host is contacting a new node or if the cache has been cleared it will
issue an ARP request. We will now watch as we force your computer to issue an ARP request.

1. Open a command window.

2. You will now clear the ARP cache. The instructions below will tell you to type some commands. Before
you press 〈enter〉 on the final command, start a new capture in Wireshark by clicking on the blue fin icon
at the far left of the toolbar.

Windows Open the command window as administrator.


netsh interface ip delete arpcache

Mac or FreeBSD Enter the command

Linux First find the default gateway using arp by itself. This will probably list a single address and a
single interface. If so, the interface should match the one you are sniffing and the address will be
your gateway address. Then type the command

sudo arp -i interface_you_are_sniffing -d gateway_address

Wait a few seconds and then stop the Wireshark capture. (If you forgot to start it, just repeat the above
steps, remembering to start Wireshark before pressing enter)

3. Type arp into the filter text box below the toolbar. This should bring up two ARP packets. If not, repeat
the above steps and access the web between clearing the cache and stopping the capture.

4. Click on the line of the first ARP packet, and observe the destination Ethernet address. This will be a
“special” address: ff:ff:ff:ff:ff:ff. What does that mean, and why is this mode used?

5. Click on the line of the second ARP packet. What is its source address? Can you relate that to the
contents of the first ARP packet?
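An added example, not from the lab sheet: the request/reply pair the steps above make you capture, built and decoded with Python's struct and socket modules. The MAC addresses are made up; the IPs 192.168.0.13 and 192.168.0.1 are the host and gateway from the sample route table in section 2.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
ZERO_MAC = bytes(6)

# Constructed addresses: a host on the 192.168.0.0/24 of the sample routing table
# and its gateway. The MACs are invented (locally administered, not real hardware).
HOST_MAC, HOST_IP = bytes.fromhex("020000000013"), "192.168.0.13"
GW_MAC, GW_IP = bytes.fromhex("020000000001"), "192.168.0.1"


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying ARP (htype 1 = Ethernet, ptype 0x0800 = IPv4).
    A request (opcode 1) goes to the broadcast MAC because the sender does not
    yet know who owns target_ip; a reply (opcode 2) is unicast to the asker."""
    eth_dst = BROADCAST_MAC if opcode == 1 else target_mac
    ethernet = struct.pack("!6s6sH", eth_dst, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return ethernet + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the fields you can read off the two ARP packets in Wireshark."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "opcode": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def arp_exchange(host_mac, host_ip, gw_mac, gw_ip):
    """The two frames the lab asks you to find after clearing the cache."""
    # "Who has gw_ip? Tell host_ip": the target MAC is unknown, so it is all zeros.
    request = parse_arp_frame(build_arp_frame(1, host_mac, host_ip, ZERO_MAC, gw_ip))
    # The owner of gw_ip answers with its MAC, addressed straight back to the asker.
    reply = parse_arp_frame(build_arp_frame(2, gw_mac, gw_ip, host_mac, host_ip))
    return request, reply
```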

1.5 Monitoring your project code
Now use Wireshark to capture the packets to and from your DNS server.
Do the packets contain what you expected them to contain?

2 Understanding IP addresses
Look at the routing table on your computer – either your VM or your local computer. In Linux, this is done with
the command route with no arguments. On Windows, open a command window (Windows key + R, then type
cmd) and type the command route print. On macOS, type the command netstat -rn. If your computer doesn’t
have many routes, you can use the sample output below.
For each network address (or as many as you have time for)

1. Work out how many bits of the address make the network address, and how many bits make the host

2. Work out how many addresses are in that network.

This will be very repetitive if you go through each address below. Only do the ones that will give you different
Notice that some have a destination netmask of 255.255.255.255. In those cases, that isn’t the network mask
of the network the destination is on. That is saying that this is the actual (network|host) address, and that
routing decisions need to be based on matching the entire 32 bits.
Can you identify the “default routes”, used when no other network address matches?


===========================================================================
Interface List
20…00 05 9a 3c 7a 00 ……Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
17…b0 5c da e5 e6 e7 ……Intel(R) Ethernet Connection (4) I219-V
13…0a 00 27 00 00 0d ……VirtualBox Host-Only Ethernet Adapter
11…02 00 4c 4f 4f 50 …… Adapter
26…f4 d1 08 4d 6c 74 ……Microsoft Wi-Fi Direct Virtual Adapter #3
3…f6 d1 08 4d 6c 73 ……Microsoft Wi-Fi Direct Virtual Adapter #4

14…f4 d1 08 4d 6c 73 ……Intel(R) Dual Band Wireless-AC 8265 #2
18…f4 d1 08 4d 6c 77 ……Bluetooth Device (Personal Area Network)
1………………………Software Loopback Interface 1

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.13 50
0.0.0.0 0.0.0.0 10.1.16.1 10.1.20.177 2
10.1.16.0 255.255.248.0 On-link 10.1.20.177 257
10.1.20.177 255.255.255.255 On-link 10.1.20.177 257
10.1.23.255 255.255.255.255 On-link 10.1.20.177 257
113.197.7.0 255.255.255.0 192.168.0.1 192.168.0.13 50
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
138.44.4.0 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.4.128 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.66.144 255.255.255.240 192.168.0.1 192.168.0.13 50
138.44.71.0 255.255.255.192 192.168.0.1 192.168.0.13 50
138.44.72.0 255.255.252.0 192.168.0.1 192.168.0.13 50
138.44.128.96 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.132.0 255.255.254.0 192.168.0.1 192.168.0.13 50
138.44.160.0 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.162.96 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.162.144 255.255.255.240 192.168.0.1 192.168.0.13 50
138.44.163.199 255.255.255.255 192.168.0.1 192.168.0.13 50
138.44.163.202 255.255.255.255 192.168.0.1 192.168.0.13 50
138.44.163.203 255.255.255.255 192.168.0.1 192.168.0.13 50
138.44.164.0 255.255.255.192 192.168.0.1 192.168.0.13 50
138.44.166.0 255.255.254.0 192.168.0.1 192.168.0.13 50
138.44.177.64 255.255.255.224 192.168.0.1 192.168.0.13 50
169.254.0.0 255.255.0.0 On-link 169.254.250.142 281
169.254.0.0 255.255.0.0 10.1.16.1 10.1.20.177 2
169.254.250.142 255.255.255.255 On-link 169.254.250.142 281
169.254.255.255 255.255.255.255 On-link 169.254.250.142 281
182.255.102.208 255.255.255.240 192.168.0.1 192.168.0.13 50
182.255.102.240 255.255.255.240 192.168.0.1 192.168.0.13 50
182.255.112.8 255.255.255.255 192.168.0.1 192.168.0.13 50
182.255.112.11 255.255.255.255 192.168.0.1 192.168.0.13 50
182.255.112.21 255.255.255.255 192.168.0.1 192.168.0.13 50
192.168.0.0 255.255.255.0 On-link 192.168.0.13 306
192.168.0.0 255.255.255.0 10.1.16.1 10.1.20.177 2
192.168.0.1 255.255.255.255 On-link 192.168.0.13 51
192.168.0.13 255.255.255.255 On-link 192.168.0.13 306
192.168.0.255 255.255.255.255 On-link 192.168.0.13 306
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.0 255.255.255.0 10.1.16.1 10.1.20.177 2
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
202.158.223.128 255.255.255.224 192.168.0.1 192.168.0.13 50
203.21.130.30 255.255.255.255 192.168.0.1 192.168.0.13 51
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.0.13 306
224.0.0.0 240.0.0.0 On-link 169.254.250.142 281
224.0.0.0 240.0.0.0 On-link 10.1.20.177 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.0.13 306
255.255.255.255 255.255.255.255 On-link 169.254.250.142 281
255.255.255.255 255.255.255.255 On-link 10.1.20.177 257

===========================================================================
Persistent Routes:

IPv6 Route Table

===========================================================================
Active Routes:

If Metric Network Destination Gateway
14 306 ::/0 fe80::be30:d9ff:fece:1de2
20 36 ::/0 On-link
1 331 ::1/128 On-link
14 51 2001:8004:11d0:4e2a::cb15:821e/128 fe80::be30:d9ff:fece:1de2
14 306 2001:8004:1d62:4439::/64 On-link
20 36 2001:8004:1d62:4439::/64 On-link
14 306 2001:8004:1d62:4439:1f0:b68f:96da:d51a/128 On-link
14 306 2001:8004:1d62:4439:25c1:6438:7d45:2984/128 On-link
20 291 fe80::/64 On-link
14 306 fe80::1f0:b68f:96da:d51a/128 On-link
20 291 fe80::300a:2945:9ff8:5cb7/128 On-link
20 291 fe80::5e9f:c20c:51b4:5e34/126 On-link
20 291 fe80::5e9f:c20c:51b4:5e36/128 On-link
13 281 fe80::a02e:bac4:b4e0:60ea/128 On-link
11 281 fe80::b4c0:3f1c:a775:fa8e/128 On-link
1 331 ff00::/8 On-link
13 281 ff00::/8 On-link
14 306 ff00::/8 On-link
11 281 ff00::/8 On-link

===========================================================================
Persistent Routes:

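Added example (not from the lab sheet): Python that answers questions 1 and 2 for any row of the sample table above, and then performs the longest-prefix match a host does when choosing a route, which is why the /32 rows and the 0.0.0.0 default route behave as described in section 2. The rows are copied from the Windows output above.

```python
import ipaddress

# Rows copied from the sample "route print" output:
# (network destination, netmask, gateway, interface).
SAMPLE_ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "192.168.0.1", "192.168.0.13"),
    ("10.1.16.0",    "255.255.248.0",   "On-link",     "10.1.20.177"),
    ("10.1.20.177",  "255.255.255.255", "On-link",     "10.1.20.177"),
    ("138.44.72.0",  "255.255.252.0",   "192.168.0.1", "192.168.0.13"),
    ("192.168.0.0",  "255.255.255.0",   "On-link",     "192.168.0.13"),
    ("192.168.0.1",  "255.255.255.255", "On-link",     "192.168.0.13"),
    ("224.0.0.0",    "240.0.0.0",       "On-link",     "192.168.0.13"),
]


def describe_network(destination: str, netmask: str) -> dict:
    """Questions 1 and 2 of section 2 for one routing-table row."""
    net = ipaddress.IPv4Network((destination, netmask))  # rejects a non-contiguous mask
    host_bits = 32 - net.prefixlen
    return {
        "network": str(net),
        "network_bits": net.prefixlen,
        "host_bits": host_bits,
        "addresses": 2 ** host_bits,          # equals net.num_addresses
        "host_route": host_bits == 0,         # /32: a full address, not a network
        "default_route": net.prefixlen == 0,  # 0.0.0.0/0 matches everything
    }


def lookup(dest_ip: str, routes) -> dict:
    """Longest-prefix match: the most specific row wins, so a /32 host route beats
    the /24 it sits in, and the default route is used only when nothing else fits.
    Metric-based tie-breaking between equal prefixes is not modelled here."""
    addr = ipaddress.IPv4Address(dest_ip)
    best = None
    for destination, netmask, gateway, interface in routes:
        net = ipaddress.IPv4Network((destination, netmask))
        if addr in net and (best is None or net.prefixlen > best["prefixlen"]):
            best = {"network": str(net), "prefixlen": net.prefixlen,
                    "gateway": gateway, "interface": interface}
    return best
```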
A Sample solutions
A.2 IP carrying TCP
RFC 3168, Section 5

The not-ECT codepoint ’00’ indicates a packet that is not using ECN.
The CE codepoint ’11’ is set by a router to indicate congestion to
the end nodes. Routers that have a packet arriving at a full queue
drop the packet, just as they do in the absence of ECN.

From lecture slides:
Header length is given in 32-bit words; min 5, max 15, so the length in bytes is the value of the 4-bit field multiplied by 4.

Identification stays the same across the fragments of one datagram when fragmentation occurs, and should be different otherwise.

A.3 IP carrying UDP
The version field will be the same (4). IP address and TTL of outgoing packets will be the same.
The header length will be the same for most packets, only differing for those with options.
Packet ID and checksum will be different for (almost) every packet.
The protocol field will be different (UDP, 17, instead of TCP, 6).

I observed 2 requests:
GET / HTTP/1.1 and GET /favicon.ico HTTP/1.1

After right clicking, you should see the request and response stream.
If you click on one of the response packets, e.g. HTTP/1.1 200 OK, you may observe that the body is garbled.
This is because gzip content-encoding is used.

First frame (ARP Request)
Frame: Destination is Broadcast (ff:ff:ff:ff:ff:ff)
Sender MAC/IP: your MAC/IP
Target MAC: 00:00:00:00:00:00, Target IP: IP address of device which we want the MAC address of

Second frame (ARP Response)
Frame: Destination (your MAC address, Source of previous frame)
Sender MAC/IP: MAC of Sender (the MAC we want), IP of Sender (Target IP of ARP request)
Destination MAC/IP: See Sender of ARP request

A.6 IP addresses
Example from 172 VM:
172.26.128.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0

1. Subnet mask indicates 20 network bits (8 + 8 + 4 ones). Therefore, 12 host bits.

2. 2^12 = 4096 addresses

Example of default route:
default 172.26.128.1 0.0.0.0 UG 1024 0 0 eth0
