QUIZ 4 CMPT 471 SOLUTION

1. [3 points] What is the difference between a capture filter and a display filter when you are
using Wireshark? Your answer should be no more than 3 sentences long.

A capture filter is applied to incoming packets before saving packets to a file. (1 point) If an
arriving packet is blocked by the filter that packet will not be saved in the Wireshark output
file. (1 point)
A display filter does not prevent the packets from being recorded in the file; it simply filters
the packets in the file and displays only those that pass through the filter to the Wireshark
GUI. (1 point)

2. [3 points] The lease offered to a DHCP server has a duration of 10000 seconds. Consider each of
the following statements. Which of the following statements are true?

A. The rebind timer will expire after approximately 5000 seconds
B. The lease timer will expire before the rebind timer
C. All the DHCPDISCOVER messages are sent when no lease is valid
D. All the DHCPREQUEST messages sent by the host after the rebind timer expires will be
unicast
E. All the DHCPREQUEST messages sent by the host after the renew timer expires will be
broadcast

C
All of the statements are true
None of the statements are true
C D E
A C

A is FALSE
The rebind timer expires at 87.5% of the lease time, which is 8750 seconds, not 5000 seconds.
B is FALSE
The rebind timer is set to 87.5% of the lease time, so it will expire before the lease time has
expired.
C is TRUE
DHCPDISCOVER messages are sent when we are in INIT state. A host only goes into INIT state
when it boots if it does not have a valid lease when it boots.
D is FALSE
DHCPREQUEST messages after the rebind timer expires are broadcast
E is FALSE
DHCPREQUEST messages after the renew timer are unicast until the rebind timer expires

Because the blue phrase was missing in the posted exam all students should be
given the points for this problem.
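
The timer rules from problem 2, as an added example that is not part of the original quiz solution: it checks observed client messages against the renew (T1) and rebind (T2) timers. The 50% renew fraction is the RFC 2131 default, which the solution above does not state; the function names and the sample events are constructed for illustration.

```python
# Added example: audit DHCP client messages against the lease timers.
# T1 = 50% and T2 = 87.5% of the lease are the RFC 2131 defaults.

def lease_timers(lease):
    """Renew (T1), rebind (T2) and expiry times in seconds from lease start."""
    return 0.5 * lease, 0.875 * lease, float(lease)

def expected(elapsed, lease):
    """(state, message, delivery) a client should show `elapsed` s into the lease."""
    t1, t2, end = lease_timers(lease)
    if elapsed < t1:
        return ("BOUND", None, None)                     # no renewal traffic yet
    if elapsed < t2:
        return ("RENEWING", "DHCPREQUEST", "unicast")    # ask the leasing server
    if elapsed < end:
        return ("REBINDING", "DHCPREQUEST", "broadcast") # ask any server
    return ("INIT", "DHCPDISCOVER", "broadcast")         # no valid lease left

def audit(events, lease):
    """Return the events that disagree with the timer rules, with the state they hit."""
    bad = []
    for elapsed, msg, delivery in events:
        state, want_msg, want_delivery = expected(elapsed, lease)
        if (msg, delivery) != (want_msg, want_delivery):
            bad.append((elapsed, msg, delivery, state))
    return bad

# Constructed sample: (seconds into a 10000 s lease, message, delivery).
SAMPLE = [
    (5000, "DHCPREQUEST", "unicast"),      # T1 fired: renew
    (6000, "DHCPDISCOVER", "broadcast"),   # wrong: lease is still valid
    (7000, "DHCPREQUEST", "unicast"),      # renew retry, still before T2
    (8750, "DHCPREQUEST", "broadcast"),    # T2 fired: rebind
    (9000, "DHCPREQUEST", "unicast"),      # wrong: must be broadcast after T2
    (10000, "DHCPDISCOVER", "broadcast"),  # lease expired
]

if __name__ == "__main__":
    print(lease_timers(10000))
    for row in audit(SAMPLE, 10000):
        print("unexpected:", row)
```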

3. [3 points] Which of the following statements about DNS is false?

A. A query answered from the cache of the local DNS server will provide an authoritative
response
B. DNS is used to obtain the IP address of a host based upon its FQDN
C. A DNS server Q has a database for a domain X. The address record of host Y is in that
database. If Q answers a query for the IP address of Y the answer it provides will be
authoritative
D. When a zone is delegated to an authority A by authority B, the management of the
authority A is responsible for supplying the DNS names and IP addresses of at least two
geographically separated DNS servers to authority A.
E. A cache only DNS server has a database that includes the IP addresses of all the root
servers.

A is FALSE
An authoritative response must come from the DNS server which has the queried address in
its database. A response from a cache cannot be authoritative.
B is TRUE
C is TRUE
Since DNS server Q has the database for domain X and host Y is in domain X, the record for Y
is in that database, so the response from DNS server Q will be authoritative
D is FALSE
Authority B has delegated part of its zone to Authority A. So Authority A will provide the DNS
names and IP addresses of at least two geographically separated DNS servers to authority B.
The statement in the problem has authority A sending the information to itself.
E is TRUE

ACCEPT EITHER A OR D as the correct answer

4. [3 points]

• Give one reason why semantically opaque addresses might be preferred over EUI
addresses.

EUI addresses are based on the Ethernet address of the interface. The interface Ethernet
address can be easily derived from the EUI address. This will allow an outside user to gain
private information on the hosts in the network using the EUI addresses. (1 point)

Semantically opaque addresses are based on a key that is not derivable from the
semantically opaque address. No information about the local network is leaked by using
the semantically opaque address. (½ point)

• Give one reason why semantically opaque addresses might be preferred over temporary
privacy addresses.
Temporary privacy addresses change over time and when the host using the address
reboots. Semantically opaque addresses are constant over time and do not change when
the host reboots. (½ point)
Semantically opaque addresses change only when the key is changed. This makes the use
of semantically opaque addresses reasonable for routers and servers that need a constant
address so they can be reached reliably. (½ point)
This is not true of temporary privacy addresses. It is necessary to use EUI addresses along
with the temporary privacy addresses to provide stable addresses for servers and routers.
(½ point)
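
The contrast in problem 4, as an added example that is not part of the original quiz solution: the Ethernet address is read straight back out of a modified EUI-64 address, while a keyed address stays stable and reveals nothing about the interface. Using HMAC-SHA256 over the prefix and interface name is an assumption made here in the spirit of RFC 7217; the function names, MAC, prefix and keys are constructed.

```python
# Added example: EUI-64 interface identifiers leak the MAC; keyed ones do not.
import hashlib
import hmac
import ipaddress

def eui64_address(prefix, mac):
    """Form an address from a /64 prefix and a MAC (modified EUI-64)."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02                                   # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def mac_from_address(addr):
    """Recover the MAC from an EUI-64 address; None if the IID is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":                    # EUI-64 marker bytes missing
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02                                   # undo the bit flip
    return ":".join(f"{x:02x}" for x in b)

def opaque_address(prefix, iface, secret_key):
    """Stable opaque address: IID = first 64 bits of HMAC(key, prefix|iface).
    Assumed construction; RFC 7217 also mixes in a network ID and DAD counter."""
    net = ipaddress.IPv6Network(prefix)
    digest = hmac.new(secret_key, f"{net}|{iface}".encode(), hashlib.sha256).digest()
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(digest[:8], "big"))

if __name__ == "__main__":
    prefix, mac = "2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"   # constructed values
    leaky = eui64_address(prefix, mac)
    print(leaky, "->", mac_from_address(leaky))    # MAC recovered by any observer
    stable = opaque_address(prefix, "eth0", b"constructed-secret")
    print(stable, "->", mac_from_address(stable))  # nothing to recover
    print(stable == opaque_address(prefix, "eth0", b"constructed-secret"))  # same after reboot
```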

5. [4 points] What capture filter would you use if you wanted to capture DNS packets arriving or
leaving IP address 123.111.22.3?
DNS should use well-known port 53 for the server socket. So if we filter those packets with
either source port or destination port 53 we should capture the DNS packets. (If the app does
not use the well-known port then it is not possible to filter directly for DNS.)
But only some DNS packets are wanted, so we also have to filter so that we are only saving
packets with source or destination IP address 123.111.22.3.
The filter is thus
port 53 and host 123.111.22.3 (1 for port, 1 for 53, 1 for and, 1 for IP address)

6. [4 points] Answer each of the following questions.
• Why would a DHCP relay client be used?

When a DHCP server on another network is allocating addresses for the network attached
to the relay client. (1 point)

• When is the hops value in the DHCP message changed, and how is it changed?
Each time the IP datagram containing the DHCP message is relayed by a relay client the
hops value will be incremented by 1. (1 point)

• When is the TTL value in the IPv4 header changed, and how is it changed?
Each time the IP datagram containing the DHCP message is forwarded the TTL in the IP
header is decremented (1 point) by the number of seconds taken for the packet to travel
to the router. The value is rounded up to the nearest second (almost always 1).

• How do we tell if an IPv4 packet has been relayed or forwarded, based on the answers to
the previous two questions?
If the value of hops is N before the packet goes through the router/relay client and the
value of hops is N+1 after it has passed through the relay client then the packet has been
relayed. The TTL should be unchanged. (½ point)
If the value of TTL is N before the packet goes through the router/relay client and the value
of TTL is N-1 after the packet goes through the router/relay client then the packet has
been forwarded. The value of hops in the DHCP message should be unchanged. (½ point)

7. [5 points] Consider TCP and flow control.

Explain, step by step, how a cumulative ACK is used to recover from a lost ACK. Mention each
Packet and Ack as it is sent/received in the order that those packets are sent and received.

Begin by considering the first TCP segment sent from host A to host B. Host A will continue
sending the second TCP segment as soon as it completes sending the first TCP segment. It will
send the third TCP segment as soon as it has completed sending the second TCP segment.
(1 point)
Meanwhile, Host B will receive the first TCP segment and send an ACK for the next octet to be
received, octet P. Host B will receive the second TCP segment and send an ACK for the next
octet to be received, octet Q. Host B will receive the third TCP segment and send an ACK for
the next octet, octet R. (1 point)
The value of the cumulative ACK is always the first octet that host B has not received.
(½ point)
Host A receives the first ACK and knows that the next octet the receiver expects is octet P. (½ point)
The second ACK is lost. (½ point)
The third ACK is received and tells the source that the receiver has all octets up to but not
including octet R. Now the source knows the next octet needed even though the previous ACK
was not received. (1 point)
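
The exchange in problem 7, as an added example that is not part of the original quiz solution: it replays the three segments with the second ACK dropped. It goes one step beyond the answer by also letting a data segment or the final ACK be lost. The function name, the 1000-octet segment size and the starting sequence number 0 are assumptions, so P, Q and R become 1000, 2000 and 3000.

```python
# Added example: cumulative ACKs with losses on either path.
# Simplification: events are logged segment by segment, although host A
# really sends back to back without waiting for each ACK.

def run_transfer(seg_sizes, lost_acks=(), lost_segs=(), isn=0):
    """Replay a transfer from A to B.
    lost_acks / lost_segs hold 1-based indexes of dropped ACKs / data segments.
    Returns (snd_una, trace): A's first unacknowledged octet and the event log."""
    trace, seq = [], isn
    rcv_nxt = isn   # B: first octet it has not received in order
    snd_una = isn   # A: first octet not yet acknowledged
    for i, size in enumerate(seg_sizes, start=1):
        first, seq = seq, seq + size
        if i in lost_segs:
            trace.append(f"A->B segment {i} ({first}..{seq - 1}) LOST")
            continue                      # B never sees it, so B sends no ACK
        trace.append(f"A->B segment {i} ({first}..{seq - 1})")
        if first == rcv_nxt:              # in-order data moves B's edge forward
            rcv_nxt = seq
        if i in lost_acks:
            trace.append(f"B->A ACK {rcv_nxt} LOST")
            continue
        trace.append(f"B->A ACK {rcv_nxt}")
        snd_una = max(snd_una, rcv_nxt)   # a later ACK covers earlier lost ones
    return snd_una, trace

if __name__ == "__main__":
    segs = [1000, 1000, 1000]
    una, log = run_transfer(segs, lost_acks={2})
    print("\n".join(log))
    print("second ACK lost  -> A knows B has everything below", una)
    print("last ACK lost    ->", run_transfer(segs, lost_acks={3})[0])
    print("segment 2 lost   ->", run_transfer(segs, lost_segs={2})[0])
```

When the lost ACK is the last one, no later ACK exists to cover it, so host A is left with unacknowledged data and must fall back on its retransmission timer.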