CIS 457 Lab 5: Wireshark Network Layer
This lab should be answered individually, although of course you may discuss with classmates.
Objective: Students will gain a better understanding of IPv4 and ICMP.
What to turn in: Follow the steps in the lab, answering the questions as you go. Turn in your answers in hard copy.
To generate some traffic, we will use the ping program, which checks whether a destination is reachable and measures the round-trip time to it. Using Mininet, run Wireshark on h1, start a packet capture, and send a ping from h2 to h1.
Take a look at an ICMP Echo reply packet.
- 1. How do you know (or, how does Wireshark know) this is an ICMP packet?
- 2. What is the default TTL used by Linux, based on the packets you can see?
- 3. Why use this TTL and not 255 (the maximum 8-bit value)?
- 4. What type of ICMP message does ping send? What type is used for the responses?
- 5. What information contained in the ICMP requests and responses used by ping can be used to match them with each other?
- 6. You may have noticed that these ICMP messages contain no port numbers. Why are they not needed for ICMP?
- 7. The total length field in the IP header does not match the length of the packet. Explain the difference.
Now, let's look at ARP. The first packet in your capture should be an ARP request, followed by an ARP reply.
- 8. Look at the request. How do we know (or, how does Wireshark know) it is a request?
- 9. How did Wireshark know it was ARP?
- 10. Look at an ARP reply. How do we know which request a reply is in response to?
- 11. What is the relationship between the MAC addresses in the Ethernet header of the reply and the MAC addresses in the ARP header?
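As an added illustration for the ping questions above (this is example code written for this page, not part of the lab or of Wireshark), the following dissector walks a frame the way Wireshark does: the Ethernet EtherType selects the IPv4 parser, the IPv4 protocol number selects the ICMP parser, and checksums are verified at each layer. The frames, addresses (10.0.0.1 for h1, 10.0.0.2 for h2), MACs, identifier and TTL are all constructed sample values, not taken from a real capture.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, src: bytes, dst: bytes, ident: int, seq: int) -> bytes:
    """Constructed Ethernet II / IPv4 / ICMP echo frame (sample data, not a capture); made-up MACs, TTL 64."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"abcdefgh"  # type, code, cksum, id, seq
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    # IPv4: version 4 / IHL 5 (0x45), total length = IP header + ICMP, DF set, protocol 1 = ICMP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0x4000, 64, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = struct.pack("!6s6sH", b"\x00" * 5 + dst[-1:], b"\x00" * 5 + src[-1:], 0x0800)  # EtherType IPv4
    return eth + ip + icmp

def dissect(frame: bytes) -> dict:
    """Walk the headers the way a dissector does: each layer's demux field selects the next parser."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("EtherType %#06x is not IPv4" % ethertype)
    ip = frame[14:]
    vihl, _tos, total_len, _id, _ff, ttl, proto, _cs, saddr, daddr = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 version or header checksum")
    info = {"frame_len": len(frame), "ip_total_len": total_len, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, saddr)), "dst": ".".join(map(str, daddr))}
    if proto == 1:  # IPv4 protocol number 1 means an ICMP header follows the IP header
        icmp = ip[ihl:total_len]
        if checksum(icmp) != 0:
            raise ValueError("bad ICMP checksum")
        itype, code, _cs, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update(icmp_type=itype, icmp_code=code, icmp_id=ident, icmp_seq=seq)
    return info

def is_reply_to(request: dict, reply: dict) -> bool:
    """Pair an echo reply (type 0) with its echo request (type 8): same id and sequence, addresses swapped."""
    return ((request["icmp_type"], reply["icmp_type"]) == (8, 0)
            and (request["icmp_id"], request["icmp_seq"]) == (reply["icmp_id"], reply["icmp_seq"])
            and (request["src"], request["dst"]) == (reply["dst"], reply["src"]))

H1, H2 = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses for h1 and h2
REQUEST = dissect(build_echo(8, H2, H1, 0x1234, 1))  # echo request h2 -> h1
REPLY = dissect(build_echo(0, H1, H2, 0x1234, 1))    # echo reply h1 -> h2
```

Flipping any header byte of a built frame makes `dissect()` raise on the checksum, the same validation a capture tool performs when checksum checking is enabled.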