Example of Practical Test 2

Network Protocol Analysis

This is an individual assessment
Assessment Duration: 50 minutes

The sample specifications are designed to assist you in preparation for the actual Practical-Test 2.
You are required to use Wireshark to read and analyze the given capture files.

Note:
• You will be given 50 minutes to complete the actual assessment.
• The actual exam is closed book. Any type of reference materials, either from lecture notes or practical exercises, are NOT allowed.
• The usage of personal computing devices, including mobile phones and laptops, is NOT allowed.
• Internet access is NOT allowed.

Question 1

Topic: A Protocol analysis on the TCP/IP model of client/server communications.
Scenario: In this scenario, a client host, a Web server and an FTP server are located in the same
network. A DNS server is also located in this network to perform name resolution. You are
required to use Wireshark to analyse a provided capture file (client_server.pcap). This file
captures a series of Web sessions, ping traffic, name resolution processes, and a File Transfer
Protocol (FTP) session.

Task 1: Download the Capture File “client_server.pcap” from BlackBoard

Use Wireshark to open and analyse the client_server.pcap file.

Task 2: Analyse the TCP/IP Model of Client/server Communications

Event 1
A user enters a Uniform Resource Identifier (URI) http://172.16.0.5/iisstart.htm into a Web
browser.

(5 marks)

1. Use Table 1 to record the IP addresses of the Web client and Web server.

Table 1
IP Address of the Client
IP Address of the Server

2. Use Table 2 to identify the packets which are related to the TCP 3-way-handshake process of this
Web session in this event.

Table 2
Field | SYN | SYN, ACK | ACK
Packet Number | | |
Source IP address | | |
Destination IP address | | |
Source port number | | |
Destination port number | | |

3. Upon completion of this TCP 3-way-handshake process, use Table 3 to identify the HTTP request
and response packets.

Table 3
Field | HTTP Request | HTTP Response
Packet Number | |

Event 2
The user triggers another HTTP request by typing a URL into a web browser.
Analyse packets 17 to 21.

(5 marks)

1. Use Table 4 to identify the packets which are related to the TCP 3-way-handshake process
associated with this event.

Table 4
Field | SYN | SYN, ACK | ACK
Packet Number | | |
Source IP address | | |
Destination IP address | | |
Source port number | | |
Destination port number | | |

2. Upon completion of this TCP 3-way-handshake process, use Table 5 to identify the HTTP request
and response packets and identify the URL entered by the user.

Table 5
Field | HTTP Request | HTTP Response
Packet Number | |
URL entered by the user | |

Event 3
The user issues a ping command by typing ping cat.inx251.edu.au.

(6 marks)

1. Identify the packets which are associated with this event.

Table 6
Packet Numbers

2. Locate and analyse the DNS query and response messages in relation to this event.

Use Table 7 to answer the following questions.
a) Which packet contains the DNS query message?
b) What are the source port and destination port for the DNS query?
c) What are the source IP and destination IP for the DNS query?
d) What type of DNS query is it (for example SOA, A, AAAA, MX, NS, or PTR)?

Table 7
Field | DNS Query
Packet Number |
Source IP address |
Destination IP address |
Source port number |
Destination port number |
Type of DNS query (DNS lookup type) |

Use Table 8 to answer the following questions.
e) Which packet contains the DNS response message?
f) What are the source port and destination port for the DNS response?
g) What are the source and destination IP addresses for the DNS response?
h) What is the corresponding IP address to the hostname that has been resolved?

Table 8
Field | DNS Response
Packet Number |
Source IP address |
Destination IP address |
Source port number |
Destination port number |
DNS response (the host IP address) |

3. Use Table 9 to record the ICMP packets which are related to this event.

Table 9
Field | ICMP Request | ICMP Reply
Packet Numbers | |
Source IP address | |
Destination IP address | |
ICMP – Type | |
ICMP – Code | |

Event 4
The user triggers another HTTP request by typing a URL http://cat.inx251.edu.au:8080/index.htm
into a web browser.

(4 marks)

1. Use Table 10 to identify the packets associated with the TCP 3-way-handshake process for this
event.

Table 10
Field | SYN | SYN, ACK | ACK
Packet Number | | |
Source IP address | | |
Destination IP address | | |
Source port number | | |
Destination port number | | |

2. Upon completion of this TCP 3-way-handshake process, use Table 11 to identify the HTTP request
and response packets.

Table 11
Field | HTTP Request | HTTP Response
Packet Number | |

Event 5
The user triggers another HTTP request by typing http://dog.inx251.edu.au:8080/index.htm into a
web browser.

(9 marks)

1. Locate and analyse the DNS query and response messages in relation to this event.

Use Table 12 to answer the following questions.

a) Which packet contains the DNS query message?
b) What are the source port and destination port for the DNS query?
c) What are the source IP and destination IP for the DNS query?
d) What type of DNS query is it (for example SOA, A, AAAA, MX, NS, or PTR)?

Table 12
Field | DNS Query
Packet Number |
Source IP address |
Destination IP address |
Source port number |
Destination port number |
Type of DNS query (DNS lookup type) |

Use Table 13 to answer the following questions.

e) Which packet contains the DNS response message?
f) What are the source port and destination port for the DNS response?
g) What are the source and destination IP addresses for the DNS response?
h) What is the corresponding IP address to the hostname that has been resolved?

Table 13
Field | DNS Response
Packet Number |
Source IP address |
Destination IP address |
Source port number |
Destination port number |
DNS response (the host IP address) |

2. Use Table 14 to identify the packets which are related to the TCP 3-way-handshake process in this
event.

Table 14
Field | SYN | SYN, ACK | ACK
Packet Number | | |
Source IP address | | |
Destination IP address | | |
Source port number | | |
Destination port number | | |

3. Upon completion of this TCP 3-way-handshake process, use Table 15 to identify the HTTP request
and response packets.

Table 15
Field | HTTP Request | HTTP Response
Packet Number | |

Event 6
The user attempts to connect to an FTP server to upload a file.

(5 marks)

1. Use Table 16 to record the credentials used in the FTP authentication process.

Table 16
The username
The password

2. Upon successful login to the FTP server, the user attempts to upload a file to the FTP server. Use
Table 17 to identify the packet for storing a file to the FTP server and the uploaded filename.

Table 17
Packet Number |
File Name |

3. Use Table 18 to identify the packet that marks the completion of the file transfer.

Table 18
Packet Number |

Question 2

Topic: Protocol analysis on Internet Control Message Protocol (ICMP).
Description: “tracert” is a Windows-based tool that allows you to test the entire path that a
packet travels through to reach its destination. You are required to use Wireshark to examine the
provided capture file named tracert.pcap to identify the path from the source to reach the
destination.

Task 1: Download the Capture File from BlackBoard

Use Wireshark to open and analyse the tracert.pcap file.

Task 2: Analyse Tracert Traffic

1. Draw an appropriate diagram to illustrate how the Windows-based utility – tracert displays the route
taken from the source host to the destination host.

(2 marks)

2. Use Table 19 to record the path that a series of probe packets have taken to reach the destination.

(10 marks)

Table 19
Source IP Address | Type of ICMP Message | Destination IP Address | Time to Live (TTL)
192.168.0.10 1 64
2 254
3 246
4 249
5 23.49.227.171 58

Question 3

Topic: A step-by-step Analysis on Address Resolution Protocol (ARP) Process.
Description: To answer this question, you do not need a capture file. Use the provided
network topology to analyse, step by step, the ARP process that takes place when a ping command
is issued from PC1 to test the reachability of PC2, which is located on a different network from
PC1, as shown in Figure 1. It is assumed that the ARP cache is initially empty at both PCs.

Figure 1: Network topology.

(10 marks)

Step 1. A ping command has been issued from PC1 (192.168.10.11) to test the reachability of PC2
(192.168.20.22)

Step 2. Fill in the blank.
To reach PC2 from PC1, PC1 relies on the default gateway to forward the ICMP message to PC2. PC1
needs to know the MAC address of its default gateway. PC1 sends an
ARP _____________ message. Use Table 20 to record key information in this message.

Table 20
Sender MAC Address | Sender IP Address | Target MAC Address | Target IP Address
 | | |

Step 3. Fill in the blank.
Router R1 receives the ARP request message issued by PC1, then R1 replies with an
ARP ____________ message to PC1. Use Table 21 to record key information in this message.

Table 21
Sender MAC Address | Sender IP Address | Target MAC Address | Target IP Address
 | | |

Step 4. Upon receipt of this ARP message issued from the router R1, PC1 updates its ARP Cache with the
received ARP message. Use Table 22 to record PC1’s ARP Cache.

Table 22
IP Address | MAC Address
 |

Step 5. Fill in the blank.
The ICMP messages are sent from PC1 to PC2 via R1. R1 needs to obtain the MAC address of PC2 in order
to forward the ICMP messages to PC2. Therefore, R1 sends an
ARP _____________ message to the 192.168.20.0/24 network. Use Table 23 to record key information in
this ARP message.

Table 23
Sender MAC Address | Sender IP Address | Target MAC Address | Target IP Address
 | | |

Step 6. Fill in the blank.
PC2 receives the ARP message sent from router R1, and then replies with an
ARP ___________ message to R1. Use Table 24 to record key information in this ARP message.

Table 24
Sender MAC Address | Sender IP Address | Target MAC Address | Target IP Address
 | | |

Step 7. Upon receipt of this ARP message sent from R1, PC2 updates its ARP Cache with the received ARP
message. Use Table 25 to record PC2’s ARP Cache.

Table 25
IP Address | MAC Address
 |

Step 8. Finally, R1 is able to forward the ICMP messages originated from PC1 to PC2.
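
The two ARP exchanges in Steps 2 to 7 can be modelled as below. This is an added example, not part of the exam paper, covering the on-link check, the request/reply fields and the cache updates. R1's interface addresses (192.168.10.1, 192.168.20.1), the /24 prefix on the 192.168.10.0 network and every MAC address are assumptions, since Figure 1 is not reproduced here.

```python
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Iface:
    """One IPv4 interface with its own ARP cache."""
    def __init__(self, name, ip, prefix, mac, gateway=None):
        self.name, self.mac, self.gateway = name, mac, gateway
        self.ip = ipaddress.ip_interface(f"{ip}/{prefix}")
        self.cache = {}  # IP address (str) -> MAC address

    def next_hop(self, dst):
        # On-link destinations are resolved directly, everything else via the gateway.
        on_link = ipaddress.ip_address(dst) in self.ip.network
        return dst if on_link else self.gateway

    def arp_request(self, target_ip):
        # Target MAC is unknown, so it is all zeros; the frame itself is broadcast.
        return {"op": "request", "eth_dst": BROADCAST, "sha": self.mac,
                "spa": str(self.ip.ip), "tha": "00:00:00:00:00:00", "tpa": target_ip}

    def receive(self, msg):
        if msg["tpa"] != str(self.ip.ip):
            return None                       # not addressed to us: learn nothing
        self.cache[msg["spa"]] = msg["sha"]   # learn the sender's IP-to-MAC mapping
        if msg["op"] == "request":
            return {"op": "reply", "eth_dst": msg["sha"], "sha": self.mac,
                    "spa": str(self.ip.ip), "tha": msg["sha"], "tpa": msg["spa"]}
        return None

def resolve(sender, segment, dst):
    """Run one request/reply exchange on a segment; return the messages seen."""
    req = sender.arp_request(sender.next_hop(dst))
    trace = [req]
    for iface in segment:
        if iface is not sender and (rep := iface.receive(req)):
            trace.append(rep)
            sender.receive(rep)
    return trace

# Constructed addresses: R1's interface IPs and all MACs are assumptions.
pc1 = Iface("PC1", "192.168.10.11", 24, "aa:aa:aa:00:00:11", gateway="192.168.10.1")
r1a = Iface("R1-LAN10", "192.168.10.1", 24, "aa:aa:aa:00:00:01")
r1b = Iface("R1-LAN20", "192.168.20.1", 24, "bb:bb:bb:00:00:01")
pc2 = Iface("PC2", "192.168.20.22", 24, "bb:bb:bb:00:00:22", gateway="192.168.20.1")

leg1 = resolve(pc1, [pc1, r1a], "192.168.20.22")   # Steps 2-4: PC1 resolves its gateway
leg2 = resolve(r1b, [r1b, pc2], "192.168.20.22")   # Steps 5-7: R1 resolves PC2
```

After both legs, PC1's cache holds only the gateway entry and never PC2's MAC, because ARP does not cross the router.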

End of Paper