Sample Exam Protocol Analysis – Solutions
Example of Practical Test 2
Network Protocol Analysis
This is an individual assessment
Assessment Duration: 50 minutes
The sample specifications are designed to assist you in preparation for the actual Practical-Test 2.
You are required to use Wireshark to read and analyze the given capture files.
Note:
You will be given 50 minutes to complete the actual test.
The actual exam is closed book. Any type of reference materials, either from lecture notes or practical exercises, are NOT allowed.
The usage of personal computing devices, including mobile phones and laptops, is NOT allowed.
Internet access is NOT allowed.
Question 1
Topic: A Protocol analysis on the TCP/IP model of client/server communications.
Scenario: In this scenario, a client host, a Web server and an FTP server are located in the same
network. A DNS server is also located in this network to perform name resolution. You are
required to use Wireshark to analyse a provided capture file (client_server.pcap). This file
captures a series of Web sessions, ping traffic, name resolution processes, and a File Transfer
Protocol (FTP) session.
Task 1: Download the Capture File “Client_server.pcap” from BlackBoard
Use Wireshark to open and analyse the client_server.pcap file.
Task 2: Analyse the TCP/IP Model of Client/server Communications
Event 1
A user enters a Uniform Resource Identifier (URI) http://172.16.0.5/iisstart.htm into a Web
browser.
(5 marks)
1. Use Table 1 to record the IP addresses of the Web client and Web server.
Table 1
IP Address of the Client 172.16.0.100
IP Address of the Server 172.16.0.5
2. Use Table 2 to identify the packets which are related to the TCP 3-way-handshake process of this
Web session in this event.
Table 2
Field | SYN | SYN, ACK | ACK
Packet Number | 10 | 11 | 12
Source IP address | 172.16.0.100 | 172.16.0.5 | 172.16.0.100
Destination IP address | 172.16.0.5 | 172.16.0.100 | 172.16.0.5
Source port number | 1447 | 80 | 1447
Destination port number | 80 | 1447 | 80
3. Upon completion of this TCP 3-way-handshake process, use Table 3 to identify the HTTP request
and response packets.
Table 3
Field | HTTP Request | HTTP Response
Packet Number | 13 | 14
Event 2
The user triggers another HTTP request by typing a URL into a web browser.
Analyse packets 17 to 21.
(5 marks)
1. Use Table 4 to identify the packets which are related to the TCP 3-way-handshake process
associated with this event.
Table 4
Field | SYN | SYN, ACK | ACK
Packet Number | 17 | 18 | 19
Source IP address | 172.16.0.100 | 172.16.0.5 | 172.16.0.100
Destination IP address | 172.16.0.5 | 172.16.0.100 | 172.16.0.5
Source port number | 1449 | 8080 | 1449
Destination port number | 8080 | 1449 | 8080
2. Upon completion of this TCP 3-way-handshake process, use Table 5 to identify the HTTP request
and response packets and identify the URL entered by the user.
Table 5
Field | HTTP Request | HTTP Response
Packet Number | 20 | 21
URL entered by the user | http://172.16.0.5:8080/index.htm
Event 3
The user issues a ping command by typing ping cat.inx251.edu.au.
(6 marks)
1. Identify the packets which are associated with this event.
Table 6
Packet Numbers 22 – 31
2. Locate and analyse the DNS query and response messages in relation to this event.
Use Table 7 to answer the following questions.
a) Which packet contains the DNS query message?
b) What are the source port and destination port for the DNS query?
c) What are the source IP and destination IP for the DNS query?
d) What type of DNS query is it (for example SOA, A, MX, NS, or PTR)?
Table 7
DNS Query
Packet Number 22
Source IP address 172.16.0.100
Destination IP address 172.16.0.5
Source port number 62072
Destination port number 53
Type of DNS query (DNS lookup type) A
Use Table 8 to answer the following questions.
e) Which packet contains the DNS response message?
f) What are the source port and destination port for the DNS response?
g) What are the source and destination IP addresses for the DNS response?
h) What is the corresponding IP address to the hostname that has been resolved?
Table 8
DNS Response
Packet Number 23
Source IP address 172.16.0.5
Destination IP address 172.16.0.100
Source port number 53
Destination port number 62072
DNS response (the host IP address) 172.16.0.5
3. Use Table 9 to record the ICMP packets which are related to this event.
Table 9
Field | ICMP Request | ICMP Reply
Packet Numbers | 24, 26, 28, 30 | 25, 27, 29, 31
Source IP address | 172.16.0.100 | 172.16.0.5
Destination IP address | 172.16.0.5 | 172.16.0.100
ICMP – Type | 8 | 0
ICMP – Code | 0 | 0
Event 4
The user triggers another HTTP request by typing a URL http://cat.inx251.edu.au:8080/index.htm
into a web browser.
(4 marks)
1. Use Table 10 to identify the packets associated with the TCP 3-way-handshake process for this
event.
Table 10
Field | SYN | SYN, ACK | ACK
Packet Number | 36 | 37 | 38
Source IP address | 172.16.0.100 | 172.16.0.5 | 172.16.0.100
Destination IP address | 172.16.0.5 | 172.16.0.100 | 172.16.0.5
Source port number | 1451 | 80 | 1451
Destination port number | 8080 | 1451 | 8080
2. Upon completion of this TCP 3-way-handshake process, use Table 11 to identify the HTTP request
and response packets.
Table 11
Field | HTTP Request | HTTP Response
Packet Number | 39 | 40
Event 5
The user triggers another HTTP request by typing http://dog.inx251.edu.au:8080/index.htm into a
web browser.
(9 marks)
1. Locate and analyse the DNS query and response messages in relation to this event.
Use Table 12 to answer the following questions.
a) Which packet contains the DNS query message?
b) What are the source port and destination port for the DNS query?
c) What are the source IP and destination IP for the DNS query?
d) What type of DNS query is it (for example SOA, A, MX, NS, or PTR)?
Table 12
DNS Query
Packet Number 58
Source IP address 172.16.0.100
Destination IP address 172.16.0.5
Source port number 50348
Destination port number 53
Type of DNS query (DNS lookup type) A
Use Table 13 to answer the following questions.
e) Which packet contains the DNS response message?
f) What are the source port and destination port for the DNS response?
g) What are the source and destination IP addresses for the DNS response?
h) What is the corresponding IP address to the hostname that has been resolved?
Table 13
DNS Response
Packet Number 59
Source IP address 172.16.0.5
Destination IP address 172.16.0.100
Source port number 53
Destination port number 50348
DNS response (the host IP address) 172.16.0.5
2. Use Table 14 to identify the packets which are related to the TCP 3-way-handshake process in this
event.
Table 14
Field | SYN | SYN, ACK | ACK
Packet Number | 60 | 61 | 62
Source IP address | 172.16.0.100 | 172.16.0.5 | 172.16.0.100
Destination IP address | 172.16.0.5 | 172.16.0.100 | 172.16.0.5
Source port number | 1452 | 8080 | 1452
Destination port number | 8080 | 1452 | 8080
3. Upon completion of this TCP 3-way-handshake process, use Table 15 to identify the HTTP request
and response packets.
Table 15
Field | HTTP Request | HTTP Response
Packet Number | 63 | 64
Event 6
The user attempts to connect to an FTP server to upload a file.
(5 marks)
1. Use Table 16 to record the credentials used in the FTP authentication process.
Table 16
The username anonymous
The password
2. Upon successful login to the FTP server, the user attempts to upload a file to the FTP server. Use
Table 17 to identify the packet for storing a file to the FTP server and the uploaded filename.
Table 17
Packet Number 107 (STOR holiday.txt)
File Name holiday.txt
3. Use Table 18 to identify the packet to mark once the file transfer is complete.
Table 18
Packet Number 117
Question 2
Topic: Protocol analysis on Internet Control Message Protocol (ICMP).
Description: “tracert” is a Windows-based tool that allows you to test the entire path that a
packet travels through to reach its destination. You are required to use Wireshark to examine the
provided capture file named tracert.pcap to identify the path from the source to reach the
destination.
Task 1: Download the Capture File from BlackBoard
Use Wireshark to open and analyse the tracert.pcap file.
Task 2: Analyse Tracert Traffic
1. Draw an appropriate diagram to illustrate how the Windows-based utility – tracert displays the route
taken from the source host to the destination host.
(2 marks)
2. Use Table 19 to record the path that a series of probe packets have taken to reach the destination.
(10 marks)
Table 19
Source IP Address | Type of ICMP Message | Destination IP Address | Time to Live (TTL)
192.168.0.10 | 8 (Echo request) | 23.49.227.171 | 1
192.168.0.1 | 11 (TTL exceeded) | 192.168.0.10 | 64
192.168.0.10 | 8 (Echo request) | 23.49.227.171 | 2
10.20.20.229 | 11 (TTL exceeded) | 192.168.0.10 | 254
192.168.0.10 | 8 (Echo request) | 23.49.227.171 | 3
202.7.173.177 | 11 (TTL exceeded) | 192.168.0.10 | 246
192.168.0.10 | 8 (Echo request) | 23.49.227.171 | 4
203.219.35.6 | 11 (TTL exceeded) | 192.168.0.10 | 249
192.168.0.10 | 8 (Echo request) | 23.49.227.171 | 5
23.49.227.171 | 0 (Echo reply) | 192.168.0.10 | 58
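Added example (not part of the original exam paper): Python that turns the ICMP records of Table 19 into a hop list, the way the path is read off the capture. The tuple layout and the function name `reconstruct_path` are assumptions made for this example, and it assumes one probe per TTL value, as the table shows.

```python
# Rows of Table 19 as (source_ip, icmp_type, destination_ip, ip_ttl), in capture order.
TABLE_19 = [
    ("192.168.0.10", 8, "23.49.227.171", 1),
    ("192.168.0.1", 11, "192.168.0.10", 64),
    ("192.168.0.10", 8, "23.49.227.171", 2),
    ("10.20.20.229", 11, "192.168.0.10", 254),
    ("192.168.0.10", 8, "23.49.227.171", 3),
    ("202.7.173.177", 11, "192.168.0.10", 246),
    ("192.168.0.10", 8, "23.49.227.171", 4),
    ("203.219.35.6", 11, "192.168.0.10", 249),
    ("192.168.0.10", 8, "23.49.227.171", 5),
    ("23.49.227.171", 0, "192.168.0.10", 58),
]

def reconstruct_path(records):
    """Return [(hop, responder_ip or None, reached_destination)] from ICMP records."""
    hops = []
    pending = None                      # (prober, target, probe_ttl) awaiting an answer
    for src, icmp_type, dst, ttl in records:
        if icmp_type == 8:              # Echo request: a new probe leaves the source
            if pending:                 # previous probe was never answered (a timeout)
                hops.append((pending[2], None, False))
            pending = (src, dst, ttl)
        elif icmp_type in (0, 11) and pending and dst == pending[0]:
            # Type 11 comes from the router where the probe's TTL reached 0;
            # type 0 comes from the probed host itself and ends the trace.
            # The TTL on the answer is the reply's own TTL, not the hop number.
            reached = icmp_type == 0 and src == pending[1]
            hops.append((pending[2], src, reached))
            pending = None
    if pending:
        hops.append((pending[2], None, False))
    return hops

if __name__ == "__main__":
    for hop, responder, reached in reconstruct_path(TABLE_19):
        print(hop, responder or "*", "(destination)" if reached else "")
```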
Question 3
Topic: A step-by-step Analysis on Address Resolution Protocol (ARP) Process.
Description: To answer this question, you do not need a capture file. Use the provided
network topology to analyse, step by step, the ARP process that takes place when a ping command is issued from
PC1 to test the reachability of PC2, which is located on a different network from PC1, as shown in
Figure 1. It is assumed that the ARP cache is initially empty at both PCs.
Figure 1: Network topology.
(10 marks)
Step 1. A ping command has been issued from PC1 (192.168.10.11) to test the reachability of PC2
(192.168.20.22)
Step 2. Fill in the blank.
To reach PC2 from PC1, PC1 relies on the default gateway to forward the ICMP message to PC2. PC1
needs to know the MAC address of its default gateway. PC1 sends an
ARP ___Broadcast (request)___ message. Use Table 20 to record key information in this message.
Table 20
Sender MAC Address | Sender IP Address | Target MAC Address | Target IP Address
00:00:2F:94:36:AA | 192.168.10.11 | 00:00:00:00:00:00 | 192.168.10.1
Step 3. Fill in the blank.
Router R1 receives the ARP request message issued by PC1, then R1 replies with an
ARP ___Unicast (reply)__ message to PC1. Use Table 21 to record key information in this message.
Table 21
Sender MAC Address | Sender IP Address | Target MAC Address | Target IP Address
00:00:2F:94:36:BB | 192.168.10.1 | 00:00:2F:94:36:AA | 192.168.10.11
Step 4. Upon receipt of this ARP message issued from the router R1, PC1 updates its ARP Cache with the
received ARP message. Use Table 22 to record PC1’s ARP Cache.
Table 22
IP Address MAC Address
192.168.10.1 00:00:2F:94:36:BB
Step 5. Fill in the blank.
The ICMP messages are sent from PC1 to PC2 via R1. R1 needs to obtain the MAC address of PC2 in order
to forward the ICMP messages to PC2. Therefore, R1 sends an
ARP ___Broadcast (request)___ message to the 192.168.20.0/24 network. Use Table 23 to record key
information in this ARP message.
Table 23
Sender MAC Address | Sender IP Address | Target MAC Address | Target IP Address
00:00:2F:94:36:CC | 192.168.20.1 | 00:00:00:00:00:00 | 192.168.20.22
Step 6. Fill in the blank.
PC2 receives the ARP message sent from router R1, and then replies with an
ARP ___Unicast (reply)___ message to R1. Use Table 24 to record key information in this ARP message.
Table 24
Sender MAC Address | Sender IP Address | Target MAC Address | Target IP Address
00:00:2F:94:36:DD | 192.168.20.22 | 00:00:2F:94:36:CC | 192.168.20.1
Step 7. Upon receipt of this ARP message sent from R1, PC2 updates its ARP Cache with the received ARP
message. Use Table 25 to record PC2’s ARP Cache.
Table 25
IP Address MAC Address
192.168.20.1 00:00:2F:94:36:CC
Step 8. Finally, R1 is able to forward the ICMP messages originated from PC1 to PC2.
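Added example (not part of the original exam paper): Python that carries out Steps 2 to 4 at the byte level, building the 28-byte ARP request and reply for Ethernet/IPv4 and parsing them back into the fields of Tables 20 to 22. The function names and the /24 prefix on PC1's network are assumptions made for this example; the addresses are the page's.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA = 28 bytes

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def next_hop(src_ip, dst_ip, prefix, gateway):
    """IP the sender must resolve: the destination if on-link, else the gateway."""
    net = ipaddress.ip_network(f"{src_ip}/{prefix}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway

def build_arp(op, sha, spa, tha, tpa):
    """ARP payload for Ethernet/IPv4; op 1 = request, op 2 = reply."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ipaddress.ip_address(spa).packed,
                       mac_bytes(tha), ipaddress.ip_address(tpa).packed)

def parse_arp(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.ip_address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.ip_address(tpa))}

def answer(request, my_mac, my_ip):
    """Build the unicast reply (roles swapped), or None if the request is not for my_ip."""
    req = parse_arp(request)
    if req["op"] != 1 or req["target_ip"] != my_ip:
        return None
    return build_arp(2, my_mac, my_ip, req["sender_mac"], req["sender_ip"])

def learn(cache, payload):
    msg = parse_arp(payload)
    cache[msg["sender_ip"]] = msg["sender_mac"]   # sender fields fill the ARP cache
    return cache

# Steps 2 to 4 with the page's addresses (the /24 prefix for PC1 is an assumption).
PC1_MAC, R1_MAC = "00:00:2F:94:36:AA", "00:00:2F:94:36:BB"
target = next_hop("192.168.10.11", "192.168.20.22", 24, "192.168.10.1")
request = build_arp(1, PC1_MAC, "192.168.10.11", "00:00:00:00:00:00", target)
reply = answer(request, R1_MAC, "192.168.10.1")
pc1_cache = learn({}, reply)
print(target, parse_arp(request), parse_arp(reply), pc1_cache, sep="\n")
```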
End of Paper