Microsoft Word – 471assignment1key.doc
CMPT 471: ASSIGNMENT 1 SOLUTION
PROBLEM 1: [30 points]
For this problem you will submit three files PingPacketList.pcapng, ARPResults.txt and
StationsUP.txt. In addition a written answer for this problem should be included in the
solution file for this assignment, assignment1.doc (or .odt or.pdf).
Write a bash script which will determine and save to a file the IP address and, if there is one,
the corresponding Ethernet address of each address on network 172.17.1.0, OR 172.18.1.0 OR
1.72.19.1.0. Your bash script should work on any host on any one of these three networks. If
you are running your script on network X, you should assume the script will run on a host that
is a member of network X. For example, if you ran the script on May (172.18.1.5) its final
output file would contain one entry for each address on network 172.18.1.0/24. The script
must be consistent with the following requirements.
1) Your bash script should not use command line arguments.
2) Your script must ping address N+1 after it pings address N. Your script may start a ping
for address N+1 before the ping for address N has completed.
3) Each time an address is pinged your ping command should send 3 ping requests.
4) Use only the ping command and commands to directly view or manipulate the ARP
cache to create the contents your first two output files. These two output files are
described in points 3 and 4. DO NOT CHANGE THE LIFETIME FOR THE ENTRIES IN THE
ARP CACHE.
5) (2 points) Your script must capture all the ping requests sent by the script and all the
ping replies in a Wireshark (or TShark) file called PingPacketList.pcapng. For addresses
that do not correspond to actual hosts only requests will be captured.
6) (5 points) Your script must collect one or two ARP cache dumps in one file,
ARPResults, created by the script. (Deduct 2 point if more than twice) If you are
seeing hosts on the network that are not in the ARP cache after pinging all addresses
you may need to make your script more efficient so that entries in the ARP cache are
not removed before you dump the ARP cache. All the actual hosts should have entries
in the ARP cache when you dump it to get full marks. (Deduct 1 point for each
missing/incorrect host Max. 3 points)
7) From the files in 5) and 6) your script will construct a third file containing one single line
entry for each address in the network that could be used for a host. If a host is shown as
up (having an Ethernet Address) there must be an entry for that host in the ARPResults
file.
8) In your bash script you may find some combination of the following commands useful
when constructing your third file from the first two arp, awk, sed, grep, or sort. The
resulting file, StationsUp.txt, will
a. (2 points) Be generated for one network, either 172.17.1.0, OR 172.18.1.0 OR
1.72.19.1.0
b. (2 points) Be generated by any one host on the chosen network.
c. (3 points) Contains 1 line of output for each address that may be used by a
host on the chosen network. The output lines will be in order from 172.1?.1.1 to
172.1?.1.254. (Total of 255 lines )
d. Each line in the file has one of the two following forms
IP address 172.16.1.x is not available
IP address 172.16.1.x has Ethernet address xx.xx.xx.xx.xx.xx
e. (2 points, 1 point each) Contains two summary lines at the end of the file.
The first line indicates how many hosts were reachable (available) and the
second line indicates how many were not
NOTE: If your script indicates existing hosts are unreachable it is probably because
of inefficiencies in your script, remember entries in the ARP cache are not
permanent! (Deduct 1 point if any existing host is shown as
unreachable)
In addition you should also include a paragraph that explains how ARP works on the CMPT 471
virtual networks. In particular explain either why you think the CMPT 471 virtual networks are
running proxy ARP or why you believe they are not running proxy ARP. This paragraph should
be part of the file you submit including the answers to the other problems.
Grading was done by running your scripts, then reviewing the scripts and their results
according to the following criteria.. Remaining marks for PROBLEM 1 are distributed as follows:
(4 points) for having a script that will work on any chosen host on networks 17, 18 and
19. Deduct all 2 points if it works only on one host. Deduct 2 points if it works on only
one network
(5 points) For producing the file PingPacketList
PingPacketList may be in text or pcapng format. It should contain echo response/reply
pairs for each host in the networks, and failed pings for other host addresses in the
network address range. Deduct all points if the file is not created or if its contents are
corrupted.
(5 points) For producing the file ARPResults efficiently.
ARPResults should contain entries for all existing hosts on the chosen network. Check
each existing host is p Deduct all points if the file is not created or if its contents are
corrupted.resent. Deduct 1 point for each missing existing host or extra existing host.
(8 points) for producing file StationsUp correctly and efficiently from the previous files.
If a station is shown as up it must be in the ARPResults file.
(3 points) for a clear and complete explanation of how your script works, this can be
provided as detailed comments in your script and/or as a paragraph or paragraphs in
addition to the script.
(5 points) for your explanation of evidence that proxy ARP is not being used in the
virtual lab..
Point on this question add up to 45, will be scaled to 30 in posted grade
PROBLEM 2: [35 points]
For this problem you will submit a written answer for this problem. This answer should be
included in the solution file for this assignment, assignment1.doc (or .odt or.pdf). You may
copy the tables and diagram into your solution and fill in the blanks to simplify writing your
answers. Written explanations should also be included where they are requested.
Consider the networks illustrated in the diagram on the next page. On the diagram you are given the IP
address and interface name for each Ethernet interface that you will need to solve the problem (on
Company A’s router, on Company B’s router, on Company C’s router and on the ISP’s router). You are
also given the CIDR network prefix and mask length for some networks. You will have to figure out the
CIDR prefix and mask length for other networks. The tables referred to in parts a), b) and c), are below
the diagram on the next page.
a) [14 points] Complete all entries in the partially filled rows of the tables below for Company A and
Company B based on the information provided in the tables A and B and the diagram. Explain how
you determined the values you placed in the tables. Also include any calculations used to determine
these values. Do not add default routes
b) [5 points] Based on the information on the diagram fill in the missing information in the table for
Company C.
c) [8 points] For the IPS’s forwarding table aggregate the entries for each company into a single entry
in the ISP router’s routing table routing table entry.
d) [4 points] Some networks in the diagram on the next page have an empty box next to them. Label
these networks (in the box) with the CIDR network address / prefix length. The network address /
prefix length must have the form 1.2.3.0/21. ( 1.2.3.0 would be the network address, and 21 would
be the number of 1 bits in the mask).
e) [4 points] Consider the router X outside the ISP. The entry in router X’s routing table for the ISP
should be a single aggregated entry. What would be the network address and the netmask for this
entry. Show your work.
eth0
200.199.3.1
200.199.64.0/19
eth2
eth0
200.199.1.1
Router 1
Company A
Router 2
Company B
Router ISP
200.199.8.1
eth2 200.199.31.1
eth1
eth2
200.199.33.1
eth1
200.199.90.1
200.199.3.0/24
200.199.48.0/20
200.199.24.0/21
200.199.80.0/20
eth0
200.199.2.1
Router 3
Company C
eth0
200.199.3.2
200.199.1.0/24
eth1
200.199.2.2
200.199.8.0/22
Internet router X
200.199.111.0
eth2
200.199.60.1
eth1
200.199.32.0/21
eth3
200.199.2.0/24
a) 1 point for each red entry in the table and the corresponding calculation/explanation
TABLE 1 company A’s router SOLUTION #!
first address Last address Number of
addresses
Mask interface
200.199.8.0 200.199.11.255 1024 255.255.252.0 eth2
200.199.24.0 200.199.31.255 2048 255.255.248.0 eth1
Consider 1st row, address length 210 = 1024, implies mask length 32-10=22, number of mask
bits in third group of 8 is 22 – 8 – 8 = 6, from table mask is 255.255.252.0 (or 252 = 255-1-2,
subtract 1 power of two for each 0 bit in the block). Next we subtract 1024 addresses from the
last address 200.199.11.255. This gives 200.199.8.0, the network address. Since the interface
address of the router to the right of routerA in the diagram has interface address 200.199.8.1,
which is part of the network being discussed in this paragraph, the interface should be eth2,
Consider 2nd row, from mask 255-1-2-4 = 248, so three 0 bits in the third block of the mask. This
means the mask has 8+8+(8-3) = 21 bits. Therefore there are 32-21 = 11, 211=2048 addresses in
the block. Thus the network must start on a boundary that is a multiple of 2048 addresses. This
means 200.199.8.0 (already used), 200.199.16.0, 200.199.24.0, 200.199.32.0, 200.199.40.0, …
The block must include the address given to the interface on the router connected to the
network, 200.199.31.1. This gives us the first address 200.199.24.0 and an interface eth1.
TABLE 2 company B’s router
first address Last address # of addresses Mask interface
200.199.80.0 200. 199.95.255 4096 255.255.240.0 eth1
200.199.96.0 200.199.127.255 8192 255.255.224.0 eth2
Consider the 1st row. There 212=4096 addresses in the block. This leaves 32-12=20 bits for the
mask. There are 20-8-8=4 bits in the third block of the mask. This means the mask value will
be 128+64+32+16 =240 so the mask in 255.255.240.0. The network address of the block is
200.199.80.0 so add 4096 Addresses to get 200.199.95.255 for the last address. Checking the
interface addresses on router B shows that the upper interface (eth1) has an address
200.199.90.1 which is an address in the network discussed in this paragraph. Therefore, the
interface for this network will be eth1.
Consider 2nd row, from mask 128+64+32 = 224, so three 1 bits in the third block of the mask.
This means the mask has 8+8+3 = 19 bits. Therefore there are 32-19 = 13, 213=8192 addresses
in the block. Thus the network must start on a boundary that is a multiple of 8192 addresses.
This means 200.199.0.0, 200.199.32.0, 200.199.64.0, 200.199.96.0, 200.199.128.0 … The block
must include the address given to the interface on the router connected to the network,
200.199.111.1. This gives us the first address 200.199.96.0 and an interface eth2.
b) ½ point for each entry red in the table
TABLE 3 company C’s router
Destination size Gateway Mask interface
200.199.32.0 2048 * 255.255.248.0 eth1
200.199.48.0 4096 * 255.255.240.0 eth2
0.0.0.0 omit 200.199.3.2 0.0.0.0 eth0
From the diagram:
The destination values are copied from the CIDR network prefix on the diagram
The number of bits in the mask is given on the diagram as part of the CIDR notation (N in
prefix/N ). The size of the network is then 2(32-N)
For packets going to hosts on networks connected to eth1 and eth2 of Router3 there is no
gateway because Router3 will deliver the packets to their destination. Thus the entry for
Gateway for both these networks is *.
For all other packets, the packets will go through the default entry to the Internet.
Therefore, the gateway address is the address of the interface on the ISP router through
which the packets are arriving from Router3 at the ISP router .
Masks are calculated from the value of N. The provided table can then be used to find the
mask.
a. For first row 211=2048, so 32-11=21 bits in the mask, 21-8-8=5 so from table
255.255.248.0
b. For first row 212=4096, so 32-12=20 bits in the mask, 20-8-8=4 so from table
255.255.240.
c)
Begin with 5 points
Deduct ½ point for each read entry in the table that is not correct
ISP ROUTER
Destination gateway Mask iface
200.199.0.0 200.199.1.1 255.255.224.0 eth2 Company A (aggregated)
200.199.64.0 200.199.2.1 255.255.192.0 eth1 Company B (aggregated)
200.199.32.0 200.199.3.1 255.255.224.0 eth0 Company C (aggregated)
and the corresponding 0.0.0.0 201.111.111.111 0.0.0.0 eth3 To internet (all other
addresses)
The interface IP address is read from the diagram
The gateway IP address can be read from the diagram
Aggregate networks for each of the Companies
o Company A: smallest address is 200.199.8.0 and the largest address is
200.199.31.255. The number of addresses in this range is 32-8=24, 24*256=6144.
The next largest power of 2 is 8192 addresses or a network with a 213 hosts and thus
19 bits in the mask. The legal network are thus 200.199.0.0, 200.199.32.0,
200.199.64.0 … All hosts in both networks must be part of aggregated network. The
only one of the valid networks that contains all the necessary addresses is
200.199.0.0/19. The mask with 19 1 bits give 255.255 for the first half of the mask
because the first sixteen digits of the mask are ones. This leaves 3 additional 1s in
the third block so from the table the mask is 255.255.224.0
o Company B: smallest address is 200.199.80.0 and the largest address is
200.199.127.255. The number of addresses in this range is 128-80=48,
48*256=12288. The next largest power of 2 is 16384 addresses or a network with a
214 hosts and thus 18 bits in the mask. The legal networks are thus 200.199.0.0,
200.19.64.0, 200.19.128.0 …, and because the largest address is 200.199.127.255
and the smallest address is 200.199.80.0 all hosts in the network are part of
network 200.199.64.0/18. A mask with 18 1 bits give 255.255 for the first half of
the mask because there are 16 ones, this leaves 2 ones in the third block so from
the table the mask is 255.255.192.0
o Company C: The smallest address is 200.199.32.0 and the largest address is
200.199.48.0 plus 4095 additional addresses or 200.199.63.255. The number of
addresses in this range is (64-32) * 256 = 8192 = 213. The mask will have 32-13=19
one bits. The legal networks are thus 200.199.0.0, 200.19.32.0, 200.19.64.0 …, and
because the largest address is 200.199.64.255 and the smallest address is
200.199.32.0 all hosts in the network are part of network 200.199.32.0/19. A mask
with 24 one bits give 255.255.255.0 for the mask.
PROBLEM 3: 31 points
In this experiment you will capture packets that illustrate many of the possible paths through
the DHCP state diagram that was discussed in class. You will also observe the operation of
DHCP relay agents. For each of the experiments below capture all UDP packets related to the
operation of the DHCP protocol, this includes broadcast packets. Save the requested Wireshark
capture file for later analysis and for submission with your assignment. Include answers to all
questions asked in the description of the procedure below in your analysis.
To prepare for the series of experiments answer the following questions
• A DHCP server uses the /etc/dhcp3/dhcpd.conf file to record the configuration information
for the DHCP server.
• Look at the configuration file for the DHCP server and observe the setting for renew and
rebind timers. Are the timers the same for all hosts in the lab?
• DO NOT MODIFY THE DHCP CONFIGURATION FILE
• Check the directory /var/lib/dhcp3/ on any of the hosts (other than routers) in the virtual
471 network lab. Previous leases will be stored in a file named dhclient.leases in this
directory. Please note that previous leases may have very old dates, or may not be present.
This is NOT an error. The IPv4 addresses in the virtual network are normally statically
allocated; leases are only generated when someone manually runs the dhclient software.
At some times during the experiment you will release the IPv4 address allocated to an interface
on net 16, 17, 18, or 19. To prevent this from causing serious problems for you or your
classmates be very careful
• When you use the dhclient software ALWAYS specify an interface
• If you do not specify and interface the dhclient software will assume you mean ALL
interfaces. If you release IPv4 addresses on all interfaces you release the IPv4 address on
eth0, you will no longer be able to reach the host. If this happens, you will need to send an
email to the class email address (cmpt-471- ) or the CS helpdesk at
.ca requesting that the machine be restarted.
To reduce the probability of conflicts caused by multiple students running these experiments at
the same time please respect the following rules. This rules are needed because you will need
to restart hosts during your experiment. Following these rules will make the experiment easier
for all.
The following machines should be used only to run Wireshark and collect packets.
SPRING, SUMMER, FALL, AUTUMN, WINTER, EQUINOX and SOLSTICE
Each student should not open more than 1 Wireshark window on any given machine
Each student should not open more than a total of 4 Wireshark windows
No student should open a Wireshark window on net 0 or any (eth0 or any)
Choose one host from the above list on each of the four networks. On each of your four
chosen machines, start Wireshark on eth1. Use a capture filter to select the packets you
want to save during your experiment.
The following machines should be used only to run dhclients,
APRIL, MAY, JUNE, JULY, AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, YEAR
No student should use more than one of these machines at any given time.
When you log in to one of these hosts check to make sure no one else is presently using the
host for the experiment. If someone else is using the host log out and try a different host
When you finish using one of these hosts make sure you restart the machine using
“sudo shutdown –r now” Don’t forget the –r or the machine will turn off and not turn back
on.
. _________________________________________________________________________
EXPERIMENT 1 INSTRUCTIONS:
Granting an initial DHCP lease to a host, and normal renewal of that lease
1. Choose one host on net 17 from the list of hosts to be used for dhclients.
2. Log on to your chosen host.
3. Check to see if another student is using the host (ps au will tell you who is logged in and
how long ago they last executed a command on the machine). If anyone using the
machine has been idle for less than 50 minutes try another machine.
4. Determine how long the machine has been running since it was last restarted using the
“uptime” command. Check the previous DHCP leases are recorded on your machine. If
there are any previous leases examine them to determine the most recent lease’s expiry
time (Note lease time is given in UTC so you must subtract 7 hours to give our local time
before you compare to current time). If the most recent lease expired no more than 5
minutes after the machine was last booted or other students are logged into the machine
(but haven’t used the machine in the last 50 minutes) restart the machine using “sudo
shutdown –r now” Don’t forget the –r or the machine will turn off and not turn back on.
5. Release any previous leases by executing the command sudo dhclient –r eth1 (this will
also delete the old lease file)
6. Wait at least 30 seconds
7. Observe your captures and make sure you capture the generated DHCP messages; you
should see DHCPRELEASE message
8. Start a DHCP client using the command sudo dhclient –d eth1
9. Observe your captures and make sure you capture the generated DHCP messages; you
should see DHCPDISCOVER, DHCPREQUEST, DHCREPLY and DHCPACK (and perhaps DHCP
NACK) DHCP messages captured in each of your four Wireshark windows. (you may not
see all messages in all windows, you may see duplicates in some windows)
10. In the window where you started the dhclient you will also see a message telling you how
long before your DHCP renewal will begin. The time to renewal given in this message is
the time until the DHCP renewal timer expires.
11. Wait until the DHCP lease is renewed. When you see the DHCPREQUEST and DHCPACK
packets associated with the renewal in your four Wireshark capture windows terminate
the dhclient (cntl C)
12. Restart the machine using “sudo shutdown –r now” Don’t forget the –r or the machine
will turn off and not turn back on.
13. Save the packets captured in each of your Wireshark windows in files called
exp1net16.pcap, exp1net17.pcap, exp1net18.pcap and exp1net19.pcap. Later you should
filter out any remaining packets not related to your experiment using display filter before
submitting the capture files. If you set your capture filter well this will be little or no
work.
Analyze in detail the packets you captured during your experiments. Your analysis will consist
of the answers to each of the following questions. For each questions refer to the packets you
captured in your experiment to provide evidence for you statements. You may also use
contents of configuration files as evidence.
1. [4 points] Referring to an example in your captured packets explain the use of the
transaction ID in DHCP messages.
All DHCP messages sent or received by a particular DHCP client have the same transaction
ID. The transaction ID is used to associate requests and responses traveling between the
server and a particular client.
Below we see an example with the same transaction ID for all the DHCP packets (request
and reply) used to acquire a new lease.
Wintere1
Springe1
When a DHCP client is terminated and a new DHCP client is started (by starting a new
dhclient process) the new DHCP client will have a transaction ID different from the
transaction ID of the terminated client.
As an example the DHCPRELEASE message terminates a dhclient. In the captures above
the DHCPRELEASE message, which would be releasing a previous lease has a different
transaction ID from all the other DHCP that are generated by a new dhclient.
1 point for each piece of evidence (1/2 explanation, ½ support from data.
Other valid evidence accepted)
2. [4 points] Which hosts or routers are the DHCP servers? Give at least three pieces of
evidence that support your choice of the location of the DHCP server or servers.
The DHCP server is located on march (172.18.1.3)
(1 point for finding the DHCP server)
Inside each DHCPOFFER datagram, for example frame 5 in springe1.pcap, the DHCP
server is identified in one of the options: Option: (t=54,l=4) DHCP Server Identifier =
172.18.1.3.
All DHCPACK and DHCPOFFER packets with March as the source are unicast to relay
clients on February or January or December (unicast to the first relay client the
requesting DHCP DISCOVER or DHCP REQUEST passed through from august) or unicast
to the requesting source
The packets on net 19 from March
On host march the DHCP configuration file /etc/dhcpd.conf contains the configuration
file for DHCP on the virtual network. No other host on the networks has a dhcpd.conf
that could be used to configure one or more networks for DHCP service.
The only host on the virtual networks running a dhcpd3 process (DHCP server process)
is March. Routers would be the likely candidates
Running the same command on January february or december does not show a dhcpd
process
1 point for each piece of evidence (1/2 explanation, ½ support from data.
Other valid evidence accepted)
3. [4 points] Which hosts or routers are DHCP relay clients? Give at least three pieces of
evidence that support your choice of the location or locations of the DHCP relay client or
clients.
The DHCP relay clients are located on January (172.16.1.253, February (172.18.1.2) and
December (172.16.1.12,). 1 point for finding the three relay clients (deduct ½ for
each relay missed, maximum deduction 1 point)
There are several pieces of evidence that indicate these are these routers are running
dhcprelays.
All DHCPACK and DHCPOFFER packets not being unicast from the DHCP server to the
host running the DHCP client have January, February or December as the destination.
From march on net 19
If we ran a dhclient on net 16 we would expect to see those packets unicast to january
and december. For example
Inside each relayed DHCPDISCOVER or DHCPREQUEST datagram the DHCP relay client
address shows that January and February are relay clients
From DHCPDISCOVER captured on equinox, from DHCPREQUEST captured on
winter
frame 2 frame 5
.
On december, january, and february there is a dhcrelay process (DHCP relay client
process) running. This process is not running on any other hosts in the virtual
networks. (See question 6 where each of these processes is illustrated.
1 point for each piece of evidence (1/2 explanation, ½ support from data.,
other valid evidence accepted)
4. [6 points] Explain how you can tell by looking at the ttl in the IP header and the HOPS in the
DHCP message if a DHCP message has been forwarded or relayed (by a DHCP relay client)
when it passes through a router? Refer to packets in your capture as an example.
Host January is a router and is also a relay client. To determine what happens to packets
when they are relayed or forwarded by January we need to consider the forwarded
packet and the relayed packet in two places. We need to look at the packet
1. before it reaches january, when it is on network 17
2. after it has passed through January, when it is on network 16.
By comparing the values we can see how the router January has changed each packet
First consider forwarding. When a packet is forwarded by a router the ttl (time to live)
of the packet is decremented. If the decremented value is 0 the packet is dropped.
Consider an example of a packet forwarded through router January.
On net 17, spring1.pcapng, frame 8 On net 16, equinoxe1.pcapng,
frame
Before January After January
The only change is the reduction of the ttl by 1 when the frame passes through January.
Thus, the frame is forwarded by January
Next consider relaying.
On net 17, spring1.pcapng, frame 2 On net 18, equinoxe1.pcapng,
frame 2
Before January After January
When the frame passes through January the Relay agent is set to be January, and hops is
increased by 1. This indicates that the packet has been relayed by January.
The ttl goes from 128 to 64, this is because the relayed frame is a new frame with a new
initailzed ttl.
3 points forwarding, 3 points relay
3 points broken down to 2 points for explanation 1 point for evidence from
captures, configuration files or other direct evidence (output from command
line queries to the system)
5. [6 points] Consider the DHCP messages you collected during the experiment. Explain step
by step how a single DHCPREQUEST message sent by the dhclient travels from the client to
the DHCP server. Discuss how the packet is forwarded or relayed or both at each router
referring to the ttl and HOPS and the answer to question 4. Follow all copies of the packets
resulting from the single DHCPREQUEST sent by the dhclient to their destination. Refer to
packets in your capture files. Then, explain step by step how the DHCPACK messages sent
in response to the discussed DHCPREQUEST messages travel from the DHCP server to the
DHCP client that sent the original DHCPREQUEST. Again, discuss how the packet is
forwarded, relayed or both at each router. Follow all copies of the message from their
source to their destination indicating.
PLEASE NOTE: IN MY SOLUTION I GIVE MULTIPLE PIECES OF EVIDENCE FOR THE PATH OF
THE PACKETS AT EACH STEP. I ONLY EXPECT ONE PIECE OF EVIDENCE IN EACH STEP IN
STUDENT SOLUITONS.
FIRST PATH
The DHCPDISCOVER is broadcast by august, it is visible as frame 2 of springe1.pcapng.
Frame 2 will reach all hosts on the network segment. This list of hosts on the network
segment includes both January and February. Both January and February will receive the
DHCPDISCOVER in frame 2. Both January and February are dhcprelays so both of those
routers will relay the packet.
Let’s consider the packet relayed by January first. We can tell the broadcast
DHCPDISCOVER in frame 2 of springe1.pcapng reaches January and is relayed to net16 to
become frame 2 in equinoxe1.pcapng because
frame 2 in springe1.pcapng and frame2 in equinoxe1.pcapng both have identical ttl =
64
frame 2 in equinoxe1.pcapng is relayed because hops = 1
frame2 in equinoxe1.pcapng is relayed by January because the relay agent address in
the packet is January’s address, and the source address of the frame is January.
Frame 2 in equinoxe1.pcapng can then be followed onto net18 and seen as frame 2 in
wintere1.pcapng . We can tell frame 2 in equinoxe1 is forwarded by February to become
frame 2 in wintere1.pcapng because
The IP identification field of frame 2 in both files is 0xc661 indicating they are the
same frame
Both frames have hops=1 and relay agent January so the frame was not relayed
In equinoxe1.pcapng the ttl is 64, in wintere1.pcang the ttl is 63 indicating the packet
was forwarded by December.
After being forwarded by December the frame travels to march where the dhcp server is
located. The resulting DHCP offer is sent by march onto net19. This offer is frame 1 in file
solsticee1.pcapng. We can tell this is the DHCPOFFER sent in response to the
DHCPDISCOVER in frame 2 in file wintereq.pcapng because
The unicast IP destination of the packet is January, the relay client that first
relayed the original request
The relay client address inside the packet is January
After traveling though network 19 the DHCPOFFER is forwarded by router December onto
network 17. We can see that packet 4 in the file springe1.pcapng is the same DHCPOFFER
seen in frame 1 of solsticee1.pcapng because
The source address is March
The destination address is January
The relay agent in the DHCP message is January
When the packet in frame 4 of springe1.pcapng reaches the relay client on January it is
sent by the relay client to the requesting host (august). We see the packet going from
January to august in frame 5 or springe1.pcapng. We can tell this is the packet that just
passed through the relay client on January because
The hops in the packet is now two showing it was relayed back to the original
requesting host
The relay agent is January in the DHCPOFFER message
The source address in January and the destination address is august
SECOND PATH
Next we can follow the original broadcast packet in frame 2 of springe1.pcapng to the
other router (February) on net 17.
We can see the frame relayed by february in springe1.pcapng in frame 3. Frame 3 has a
ttl of 64 (not forwarded), a hops of 1 (relayed) and a relay agent in the packet of February
so it is the broadcast frame relayed by February.
Next we can see that when the frame 3 in springe1.pcapng passes through router January
it becomes frame 3 in equinoxe1.pcapng. Frame 3 in equinoxe1.pcapng has a hop count
of 1, a ttl of 63, and a relay agent February indicating it is the packet relayed by February
and forwarded by January.
Next we can see that when frame 3 in equinoxe1. pcapng passes through router
december
It becomes the frame 3 in wintere1.pcapng. Frame 3 in wintere1.pcapng has a hop count
of 1, a tll of 62, and a relay agent February indicating it is the packet relayed by February
and forwarded by January and December.
Next we can see that when frame 3 in wintere1.pcapng pass through router march it is
processed by the dhcp server then sent onto net19 to be recorded in solsticee1.pcapng as
frame 2. Frame 2 of solsticee1.pcapng has a destination address of February (the relay
clidnt the relayed it), a relay agent of February, and is thus a DHCPOFFER generated In
response to the DHCPDISCOVER march received.
Next we can see that the DHCPOFFER in frame 2 of solsticee1.pcapng pass through the
relay client on February and become frame 6 in file springe1.pcapng. Frame 6 has hops of
2 and an unchanged ttl so it has been relayed.
6 points for following either path described above, It is not necessary to
follow both paths.
6. [3 points] On the hosts / routers that run DHCP relay clients look at the running process for
the DHCP relay client using a ps aux command (piped to select all DHCP processes). Online
or in RFCs determine how to run the dhclient software and determine from the parameters
of the running process what
1. The IP destination that each relay client is unicasting its own relayed packets to.
2. The interfaces that accept packets and send them to the relay client on each of the
hosts that are running a DHCP relay client
On december, january, and february there is a dhcrelay process (DHCP relay client
process) running. This process is not running on any other hosts in the virtual
networks.
(1 point for evidence)
In each example we see two arguments –s and –e.
The –s option indicates the IP address of the DHCP server, march. (1 point)
By default packets are accepted from all interfaces. The –e option tells you which
interfaces to exclude (not receive relays from or send relalys to). In the case of the
virtual lab the admin network (eth0) is excluded, so eth1 and eth2 on each router can
be used to receive or relay. (1 point)
7. [4 points] Consider the locations of the DHCP relay clients given in 3) and the paths taken
by the packets during a renewal discussed in 5) and the configuration of the DHCP relay
clients discussed in 6). Combine the information to explain how the paths discussed in 5)
are a result of the configuration of the relay clients and the routing in the networks.
All relay clients send DHCP messages to the same server, March. So all packets are
unicast by each relay client to March. Because relay clients can receive packets from both
directions (both eth1 and eth2) each DHCP packet broadcast by a client will be forwarded
by both routers on the network it is connected to.
Two observations that are true (2 point each, no additional evidence from
captures required)
Your answers to questions 1-7 should be no more than 2 pages of single spaced typed text (12
point). This 2 pages does not include images from your captures or examples from
configuration files.