Learning Outcomes
After this lab session you will have a good understanding of:
• NAT and IP/port rewriting
• NAT Translation Table
• DHCP and relevant message exchanges
• DHCP configuration parameters
Network Address Translation (NAT)
In this lab, we’ll use network traces of a simple web request from a client PC in a home network to a www.google.com server. Within the home network, the home router provides a NAT service. There are two sets of network traces for this part of the lab session. The first one (NAT_home_side.pcap) contains packets captured at the client PC (see figure below). Because we are also interested in the packets sent by the NAT router to the ISP, the second file (NAT_ISP_side.pcap) contains packets captured on the link between the home router and the ISP (see figure below). Client-to-server packets captured by Wireshark at this point will already have undergone NAT translation.
Open the NAT_home_side.pcap file with Wireshark and answer the following questions.
• What is the IP address of the client?
• The client actually communicates with several different Google servers. The main Google server that serves up the main Google web page has IP address 64.233.169.104. In order to display only those frames containing HTTP messages sent to/from this Google server, enter the expression “http && ip.addr == 64.233.169.104” (without quotes) into the Filter: field in Wireshark (if nothing shows up, re-enable the HTTP protocol, which was disabled in an earlier lab, under Analyze -> Enabled Protocols).
• Consider now the HTTP GET request sent from the client to the Google server (IP address 64.233.169.104) at (relative) time 7.109267. What are the source and destination IP addresses and TCP source and destination ports on the IP datagram carrying this HTTP GET request?
• At what time is the corresponding 200 OK HTTP message received from the Google server? What are the source and destination IP addresses and TCP source and destination ports on the IP datagram carrying this HTTP 200 OK message?
In the following, we’ll focus on the two HTTP messages (GET and 200 OK). Our goal below will be to locate these two HTTP messages in the trace file (NAT_ISP_side.pcap) captured on the link between the router and the ISP (see the figure above). Because these captured frames will have already been forwarded through the NAT router, some of the IP address and port numbers will have been changed as a result of NAT translation.
Open the NAT_ISP_side trace file with Wireshark. Note that the timestamps in this file and in NAT_home_side are not synchronised since the packet captures at the two locations shown in the figure above were not started simultaneously.
• In the NAT_ISP_side trace file, find the HTTP GET message that was sent from the client to the Google server at time 7.109267 (where t=7.109267 is the time at which it was sent, as recorded in the NAT_home_side trace file). At what time does this message appear in the NAT_ISP_side trace file? What are the source and destination IP addresses and TCP source and destination ports on the IP datagram carrying this HTTP GET (as recorded in the NAT_ISP_side trace file)?
• Are any fields in the HTTP GET message itself changed? Which of the following fields in the IP datagram carrying the HTTP GET are changed: Version, Header Length, Flags, Checksum? If any of these fields have changed, give a reason (in one sentence) why this field needed to change.
• In the NAT_ISP_side trace file, at what time is the first 200 OK HTTP message received from the Google server? What are the source and destination IP addresses and TCP source and destination ports on the IP datagram carrying this HTTP 200 OK message? Which of these fields are the same as, and which are different from, your answer to the corresponding question (the fourth question, on the 200 OK message in the NAT_home_side trace) above?
Can you fill in the NAT translation table entry for the TCP connection considered above (LAN-side IP address and port, and the WAN-side IP address and port the router substituted for them)?
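To make the translation concrete, here is an added worked example (not part of the lab handout) of what the home router does to the GET and the 200 OK: it builds a minimal IPv4/TCP datagram, pushes it through a small port-translating NAT that keeps the translation table, and reports which header fields changed and why the checksums had to be recomputed. The server address is the one named above; the client address 10.0.0.5, the router WAN address 203.0.113.7, the client port 4335 and the starting NAT port 5000 are assumptions for the example, not values from the traces.

```python
import struct
import ipaddress

# Constructed addresses: the server address is the one named in the lab text; the client
# and router WAN addresses are assumptions for this example, not values from the traces.
CLIENT_IP = "10.0.0.5"
ROUTER_WAN_IP = "203.0.113.7"
SERVER_IP = "64.233.169.104"

IP_FMT = "!BBHHHBBH4s4s"
IP_FIELDS = ("ver_ihl", "tos", "total_len", "id", "flags_frag", "ttl", "proto", "ip_csum", "src", "dst")


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; used by both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fill_checksums(ip: bytearray, tcp: bytearray) -> None:
    """Recompute the IPv4 header checksum and the TCP checksum (over the pseudo-header too) in place."""
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))  # src, dst, zero, proto, TCP length
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))


def build(src: str, dst: str, sport: int, dport: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4/TCP datagram (20-byte headers, PSH+ACK) with valid checksums."""
    ip = bytearray(struct.pack(IP_FMT, 0x45, 0, 40 + len(payload), 0x1234, 0x4000, ttl, 6, 0,
                               ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)) + payload
    fill_checksums(ip, tcp)
    return bytes(ip + tcp)


def fields(pkt: bytes) -> dict:
    """Decode the IP and TCP header fields the lab questions ask about."""
    d = dict(zip(IP_FIELDS, struct.unpack(IP_FMT, pkt[:20])))
    d["src"], d["dst"] = str(ipaddress.IPv4Address(d["src"])), str(ipaddress.IPv4Address(d["dst"]))
    d["version"], d["header_len"] = d.pop("ver_ihl") >> 4, (pkt[0] & 0x0F) * 4
    d["flags"] = d["flags_frag"] >> 13
    ihl = d["header_len"]
    d["sport"], d["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    d["tcp_csum"] = struct.unpack("!H", pkt[ihl + 16:ihl + 18])[0]
    d["payload"] = pkt[ihl + 20:]
    return d


def checksums_ok(pkt: bytes) -> bool:
    """A checksum verifies when the ones'-complement sum over the covered bytes, checksum included, is zero."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - ihl)
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + pkt[ihl:]) == 0


def changed_fields(before: bytes, after: bytes) -> set:
    """Names of the header fields that differ between two copies of a datagram."""
    a, b = fields(before), fields(after)
    return {k for k in a if a[k] != b[k]}


class Nat:
    """Port-translating NAT: one translation-table row per (private IP, private port)."""

    def __init__(self, wan_ip: str, first_port: int = 5000):
        self.wan_ip, self.next_port = wan_ip, first_port
        self.table = {}    # (lan_ip, lan_port) -> wan_port   (LAN side -> WAN side)
        self.reverse = {}  # wan_port -> (lan_ip, lan_port)   (WAN side -> LAN side)

    def _rewrite(self, pkt: bytes, ip_off: int, new_ip: str, port_off: int, new_port: int) -> bytes:
        """Patch one address and one port, decrement TTL as any router does, then fix both checksums."""
        ihl = (pkt[0] & 0x0F) * 4
        ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
        ip[ip_off:ip_off + 4] = ipaddress.IPv4Address(new_ip).packed
        ip[8] -= 1
        tcp[port_off:port_off + 2] = struct.pack("!H", new_port)
        fill_checksums(ip, tcp)
        return bytes(ip + tcp)

    def outbound(self, pkt: bytes) -> bytes:
        """LAN -> ISP: replace source IP/port with the WAN IP and a fresh port; record the mapping."""
        f = fields(pkt)
        key = (f["src"], f["sport"])
        if key not in self.table:
            self.table[key], self.reverse[self.next_port] = self.next_port, key
            self.next_port += 1
        return self._rewrite(pkt, 12, self.wan_ip, 0, self.table[key])

    def inbound(self, pkt: bytes):
        """ISP -> LAN: map the destination port back; inbound traffic with no table entry is dropped."""
        f = fields(pkt)
        if f["dst"] != self.wan_ip or f["dport"] not in self.reverse:
            return None
        lan_ip, lan_port = self.reverse[f["dport"]]
        return self._rewrite(pkt, 16, lan_ip, 2, lan_port)


def demo() -> dict:
    """Send a GET through the NAT and a 200 OK back; return what each side of the router sees."""
    nat = Nat(ROUTER_WAN_IP)
    get_lan = build(CLIENT_IP, SERVER_IP, 4335, 80, b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n")
    get_isp = nat.outbound(get_lan)
    ok_isp = build(SERVER_IP, ROUTER_WAN_IP, 80, fields(get_isp)["sport"], b"HTTP/1.1 200 OK\r\n\r\n")
    ok_lan = nat.inbound(ok_isp)
    return {"table": dict(nat.table), "get_lan": fields(get_lan), "get_isp": fields(get_isp),
            "ok_isp": fields(ok_isp), "ok_lan": fields(ok_lan),
            "get_changed": changed_fields(get_lan, get_isp),
            "all_valid": all(checksums_ok(p) for p in (get_lan, get_isp, ok_isp, ok_lan))}
```

Running demo() shows the single table row (10.0.0.5, 4335) -> 5000 and that, on the ISP side, the GET differs from the LAN copy only in source address, source port, TTL and the two checksums; Version, Header Length and Flags are untouched, and the HTTP payload is byte-for-byte identical. The IP checksum changes because the source address (and TTL) it covers changed; the TCP checksum changes because its pseudo-header covers the IP addresses and the port changed. The 200 OK comes back addressed to 203.0.113.7:5000 and is delivered to 10.0.0.5:4335; a packet arriving at a WAN port with no table entry is dropped.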
Dynamic Host Configuration Protocol (DHCP)
DHCP is used extensively in corporate, university and home-network wired and wireless LANs to dynamically assign IP addresses to hosts (as well as to configure other network configuration information).
Download and open with Wireshark the packet traces in the file dhcp-ethereal-trace-1.pcap.
These traces were created by following the steps below. You can re-create them only if you are working on your own Windows-based machine; otherwise just read the steps and work with the supplied trace:
• Begin by opening the Windows Command Prompt application (found in your Accessories folder). Run “ipconfig /release”. The executable for ipconfig is in C:\windows\system32. This command releases your current IP address, so that your host’s IP address becomes 0.0.0.0.
• Start up the Wireshark packet sniffer, as described in the introductory Wireshark lab, and begin Wireshark packet capture.
• Now go back to the Windows Command Prompt and enter “ipconfig /renew”. This instructs your host to obtain a network configuration, including a new IP address. Wait until the “ipconfig /renew” has terminated. Then enter the same command “ipconfig /renew” again.
• When the second “ipconfig /renew” terminates, enter the command “ipconfig /release” to release the IP address previously allocated to your computer.
• Finally, enter “ipconfig /renew” to again be allocated an IP address for your computer.
• Stop Wireshark packet capture.
Now let’s take a look at the resulting Wireshark window. To see only the DHCP packets, enter “dhcp” into the filter field. (DHCP derives from an older protocol called BOOTP, and Wireshark versions before 3.0 name the dissector after it, so on an older installation you must enter “bootp” and not “dhcp” in the filter.) The first “ipconfig /renew” command caused four DHCP packets to be generated: a DHCP Discover packet, a DHCP Offer packet, a DHCP Request packet, and a DHCP ACK packet. Answer the following questions:
• Are DHCP messages sent over UDP or TCP?
• What is the link-layer (e.g., Ethernet) address of the client host?
• What values in the DHCP discover message differentiate this message from the DHCP request message?
• What is the value of the Transaction-ID in each of the first four (Discover/Offer/Request/ACK) DHCP messages? What are the values of the Transaction-ID in the second (Request/ACK) set of DHCP messages? What is the purpose of the Transaction-ID field?
• A host uses DHCP to obtain an IP address, among other things. But a host’s IP address is not confirmed until the end of the four-message exchange! If the IP address is not set until the end of the four-message exchange, then what values are used in the IP datagrams carrying the four messages? For each of the four DHCP messages (Discover/Offer/Request/ACK), indicate the source and destination IP addresses carried in the encapsulating IP datagram.
• What is the IP address of the DHCP server?
• What IP address is the DHCP server offering to the client host in the DHCP Offer message? Indicate which DHCP message contains the offered DHCP address.
• In the client’s response to the first server OFFER message, does the client accept this IP address? Where in the client’s RESPONSE is the client’s requested address?
• Explain the purpose of the lease time. How long is the lease time in the traces?
• What is the purpose of the DHCP release message? Does the DHCP server issue an acknowledgment of receipt of the client’s DHCP request? What would happen if the client’s DHCP release message is lost?
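As an added worked example (not part of the lab handout, and not derived from dhcp-ethereal-trace-1.pcap), the following code builds and parses DHCP messages by hand and runs the Discover/Offer/Request/ACK exchange followed by a Release between a toy client and a toy server. It shows the things the questions above ask about: DHCP rides on UDP 68 -> 67 (client to server) and 67 -> 68 (server to client); the message type lives in option 53 and the client's chosen address in option 50 of the Request; all four messages share one Transaction-ID; the lease time is option 51; and the server answers a Request with an ACK but sends nothing in reply to a Release. The server address 192.168.1.1, the pool address 192.168.1.101, the client MAC 00:11:22:33:44:55 and the one-day lease are constructed values. The example assumes the client sets the BROADCAST flag, so the server broadcasts its Offer and ACK; a server may instead unicast them to the offered address.

```python
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 options magic cookie, follows the 236-byte fixed header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}
# Option codes from RFC 2132 used in this example
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 51, 53, 54
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr,chaddr,sname,file
BROADCAST, SERVER_PORT, CLIENT_PORT = 0x8000, 67, 68


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(op, xid, chaddr, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0", siaddr="0.0.0.0", flags=BROADCAST) -> bytes:
    """Serialise the BOOTP fixed fields, the magic cookie, TLV options and the END (0xFF) marker."""
    fixed = struct.pack(FIXED_FMT, op, 1, 6, 0, xid, 0, flags, ip4(ciaddr), ip4(yiaddr), ip4(siaddr),
                        ip4("0.0.0.0"), chaddr.ljust(16, b"\x00"), b"", b"")
    opts = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options.items())
    return fixed + MAGIC + opts + b"\xff"


def parse_dhcp(data: bytes) -> dict:
    """Decode the fixed fields and the options a client or server acts on."""
    op, _, hlen, _, xid, _, flags, ci, yi, _, _, chaddr, _, _ = struct.unpack(FIXED_FMT, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(data) and data[i] != 0xFF:  # walk TLV options until END
        if data[i] == 0:                        # PAD option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    addr = lambda o: str(ipaddress.IPv4Address(opts[o])) if o in opts else None
    return {"op": op, "xid": xid, "broadcast": bool(flags & BROADCAST), "chaddr": chaddr[:hlen],
            "ciaddr": str(ipaddress.IPv4Address(ci)), "yiaddr": str(ipaddress.IPv4Address(yi)),
            "type": MSG_TYPES[opts[OPT_MSG_TYPE][0]], "requested_ip": addr(OPT_REQUESTED_IP),
            "server_id": addr(OPT_SERVER_ID),
            "lease": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None}


class DhcpServer:
    """Minimal server: offers the first free pool address, binds it on REQUEST, frees it on RELEASE."""

    def __init__(self, ip: str, pool, lease: int = 86400):
        self.ip, self.pool, self.lease = ip, list(pool), lease
        self.leases = {}  # chaddr -> bound address

    def handle(self, msg: bytes):
        """Return (reply, src_ip, dst_ip) or None when the protocol sends no reply."""
        m = parse_dhcp(msg)
        if m["type"] == "DISCOVER":
            ip = self.leases.get(m["chaddr"]) or (self.pool[0] if self.pool else None)
            return self._reply(2, m, ip) if ip else None
        if m["type"] == "REQUEST":
            if m["server_id"] != self.ip:          # client accepted another server's offer
                return None
            ip = m["requested_ip"]
            if ip in self.pool:
                self.pool.remove(ip)
            self.leases[m["chaddr"]] = ip
            return self._reply(5, m, ip)
        if m["type"] == "RELEASE":
            ip = self.leases.pop(m["chaddr"], None)
            if ip:
                self.pool.append(ip)
            return None                            # RFC 2131: a RELEASE is never acknowledged
        return None

    def _reply(self, mtype, m, ip):
        opts = {OPT_MSG_TYPE: bytes([mtype]), OPT_SERVER_ID: ip4(self.ip), OPT_LEASE: struct.pack("!I", self.lease),
                OPT_SUBNET: ip4("255.255.255.0"), OPT_ROUTER: ip4(self.ip), OPT_DNS: ip4(self.ip)}
        pkt = build_dhcp(2, m["xid"], m["chaddr"], opts, yiaddr=ip, siaddr=self.ip)
        dst = "255.255.255.255" if m["broadcast"] else ip   # client has no address yet, so broadcast
        return pkt, self.ip, dst


def client_exchange(server: DhcpServer, chaddr: bytes, xid: int = 0x3A1B2C3D) -> list:
    """Run Discover/Offer/Request/ACK and then Release; log each message with its IP/UDP envelope."""
    log = []

    def send(name, pkt, src, dst, sport, dport):
        log.append({"msg": name, "src": src, "dst": dst, "sport": sport, "dport": dport, "parsed": parse_dhcp(pkt)})
        return pkt

    discover = send("DISCOVER", build_dhcp(1, xid, chaddr, {OPT_MSG_TYPE: b"\x01"}),
                    "0.0.0.0", "255.255.255.255", CLIENT_PORT, SERVER_PORT)
    offer, s, d = server.handle(discover)
    o = parse_dhcp(send("OFFER", offer, s, d, SERVER_PORT, CLIENT_PORT))
    request = send("REQUEST", build_dhcp(1, xid, chaddr, {OPT_MSG_TYPE: b"\x03", OPT_REQUESTED_IP: ip4(o["yiaddr"]),
                   OPT_SERVER_ID: ip4(o["server_id"])}), "0.0.0.0", "255.255.255.255", CLIENT_PORT, SERVER_PORT)
    ack, s, d = server.handle(request)
    a = parse_dhcp(send("ACK", ack, s, d, SERVER_PORT, CLIENT_PORT))
    release = send("RELEASE", build_dhcp(1, xid + 1, chaddr, {OPT_MSG_TYPE: b"\x07", OPT_SERVER_ID: ip4(a["server_id"])},
                   ciaddr=a["yiaddr"], flags=0), a["yiaddr"], a["server_id"], CLIENT_PORT, SERVER_PORT)
    log.append({"msg": "RELEASE reply", "reply": server.handle(release)})  # None: nothing comes back
    return log
```

Walking the returned log answers the encapsulation question for this constructed exchange: Discover and Request go from 0.0.0.0 to 255.255.255.255 (the client has no usable address yet), Offer and ACK from the server's address to the broadcast address, and the Release, sent once the client has an address, goes unicast from 192.168.1.101 to 192.168.1.1. Because the Release is unacknowledged, a lost Release simply leaves the lease bound on the server until it expires, which is why the lease time matters.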
Files
NAT_home_side.pcap
NAT_ISP_side.pcap
dhcp-ethereal-trace-1.pcap