MITS4004

IT Networking and Communication

(Research Study)
(42662 Madan Lal Gaire – 40% contribution)
(43003 Sushanta Sapkota – 30% contribution)
(44306 Pradeep Limbu – 30% contribution)

Date: (06/13/2019)

A. ICMP and Ping

1. What is the IP address of your host? What is the IP address of the destination host?
Answer:
The IP address of my host is 192.168.0.21

The IP address of the destination host is 192.64.119.160

2. Why is it that an ICMP packet does not have source and destination port numbers?

Answer:
The ICMP packet does not consist of source and destination port numbers because port
numbers are a feature of transport layer protocols such as TCP and UDP. ICMP is a part of
the internetworking layer (IP), so that attribute doesn't exist at that layer. Since it was
designed to communicate network-layer information between hosts and routers and not
between the application layer processes, each ICMP packet has a "Type" and a "Code". The
Type/Code combination identifies the specific message being received. Since the network
software itself interprets all ICMP messages, no port numbers are needed to direct the ICMP
message to an application layer process.

3. Examine one of the ping request packets sent by your host. What are the ICMP type
and code numbers? What other fields does this ICMP packet have? How many bytes
are the checksum, sequence number and identifier fields?
Answer:
After examining the ping request packets, the ICMP type is 8 and the code number is 0.
ICMP packets also consist of checksum, identifier, sequence number and data fields.
The checksum, sequence number and identifier fields are of two bytes each.

4. Examine the corresponding ping reply packet. What are the ICMP type and code
numbers? What other fields does this ICMP packet have? How many bytes are the
checksum, sequence number and identifier fields?
Answer:
After examining the ping reply packets, the ICMP type is 0 and the code number is 0. ICMP
packets also consist of checksum, identifier, sequence number and data fields. The
checksum, sequence number and identifier fields are two bytes each.

B. ICMP and Traceroute

5. What is the IP address of your host? What is the IP address of the target destination
host?
Answer:
The IP address of my host is 192.168.0.21
The IP address of the target destination host is 128.93.162.84

6. If ICMP sent UDP packets instead (as in Unix/Linux), would the IP protocol number
still be 01 for the probe packets? If not, what would it be?
Answer:
No. If ICMP sent UDP packets instead, the IP protocol number would be 0x11.

7. Examine the ICMP echo packet in your screenshot. Is this different from the ICMP
ping query packets in the first half of this lab? If yes, how so?
Answer:
After examining the ICMP echo packet, it is clear that the ICMP echo packet has the same
fields as the ping query packets: ICMP type, code number, checksum, identifier,
sequence number and data fields.

8. Examine the ICMP error packet in your screenshot. It has more fields than the ICMP
echo packet. What is included in those fields?
Answer:
The ICMP error packet is not the same as the ping query packets. It contains both the IP
header and the first 8 bytes of the original ICMP packet that the error is for.

9. Examine the last three ICMP packets received by the source host. How are these
packets different from the ICMP error packets? Why are they different?
Answer:
The last three ICMP packets are message type 0 (echo reply) rather than 11 (TTL expired).
They are different because the datagrams have made it all the way to the destination host
before the TTL expired.
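
The three message kinds discussed in answers 3, 4, 8 and 9, decoded from raw bytes. This is an added example, not part of the original report; the packets are constructed here (the identifier 1 and sequence number 42 are made-up values), and only type 0, 8 and 11 messages are handled.

```python
import socket
import struct

def inet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, rest, body=b""):
    """type(1) code(1) checksum(2) + 4 type-specific bytes + body; code is 0 here."""
    csum = inet_checksum(struct.pack("!BBH", icmp_type, 0, 0) + rest + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + rest + body

def parse_icmp(msg, verify=True):
    """Decode by type/code only: ICMP has no port fields to demultiplex on."""
    icmp_type, code = msg[0], msg[1]
    out = {"type": icmp_type, "code": code,
           "checksum_ok": inet_checksum(msg) == 0 if verify else None}
    if icmp_type in (0, 8):        # echo reply / echo request
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
    elif icmp_type == 11:          # time exceeded: 4 unused bytes, then quoted datagram
        quoted = msg[8:]
        ihl = (quoted[0] & 0x0F) * 4
        out["quoted_dst"] = socket.inet_ntoa(quoted[16:20])
        # Only the first 8 bytes of the probe are quoted, so its checksum
        # cannot be re-verified; the id/seq still identify which probe expired.
        out["quoted"] = parse_icmp(quoted[ihl:ihl + 8], verify=False)
    return out

# Constructed sample traffic (addresses are the ones reported above).
probe = build_icmp(8, struct.pack("!HH", 1, 42), b"x" * 28)
ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(probe), 10267, 0, 1, 1, 0,
                     socket.inet_aton("192.168.0.21"), socket.inet_aton("128.93.162.84"))
reply = build_icmp(0, struct.pack("!HH", 1, 42), b"x" * 28)
ttl_expired = build_icmp(11, b"\x00" * 4, ip_hdr + probe[:8])

if __name__ == "__main__":
    for m in (probe, reply, ttl_expired):
        print(parse_icmp(m))
```
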

10. Within the tracert measurements, is there a link whose delay is significantly longer
than others? Refer to the screenshot in Figure 4, is there a link whose delay is
significantly longer than others? On the basis of the router names, can you guess the
location of the two routers on the end of this link?
Answer:
There is a link between steps 8 and 9 that has a significantly longer delay.

In Figure 4 from the lab, there is a link between steps 9 and 10 that has a significantly
longer delay; the link is from New York to Pastourelle, France.

C. Capturing packets from an execution of traceroute

1. Select the first ICMP Echo Request message sent by your computer, and
expand the Internet Protocol part of the packet in the packet details window.
What is the IP address of your computer?
Answer:
IP address of my computer is 192.168.0.21

2. Within the IP packet header, what is the value in the upper layer protocol field?
Answer:
Protocol: ICMP (1)

3. How many bytes are in the IP header? How many bytes are in the payload of the IP
datagram? Explain how you determined the number of payload bytes.
Answer:
Header bytes: 20 (as seen in screenshot)
Payload bytes: 36 (total length 56 minus the 20 header bytes = 36)

4. Has this IP datagram been fragmented? Explain how you determined whether or not the
datagram has been fragmented.
Answer:
From the screenshot, we do not see any IPv4 fragments. I determined this because the
more fragments bit has not been set.

5. Which fields in the IP datagram always change from one datagram to the next within this
series of ICMP messages sent by your computer?
Answer:
The Identification field is incrementing. Time to live is also incrementing.

6. Which fields stay constant? Which of the fields must stay constant? Which fields must
change? Why?
Answer:
The fields that stay constant are:
- Version (since we are using IPv4)
- header length (since these are UDP packets)
- source IP (since all packets are sent from my computer)
- destination IP (since we are sending to the same host)
- Differentiated Services (since all packets are UDP)
- Upper Layer Protocol (since these are UDP packets)
The fields that must stay constant are:
- Version (since we are using IPv4)
- header length (since these are UDP packets)
- source IP (since all packets are sent from my computer)
- destination IP (since we are sending to the same host)
- Differentiated Services (since all packets are UDP)
- Upper Layer Protocol (since these are UDP packets)
The fields that must change are:
- Identification (IP packets have different ids)
- Time to live (traceroute increments each packet)
- Header checksum (since header changes)

7. Describe the pattern you see in the values in the Identification field of the IP datagram
Answer:
The value of the identification field is incremented by 1 on every new outgoing
message.
The first request, values in the identification: 10267

The second request, values in the identification: 10268

According to the above two screenshots, the pattern is that the IP header Identification field
increments with each UDP request.

8. What is the value in the Identification field and the TTL field?
Answer:
According to the screenshot, Identification is 10267 and TTL is 255.

9. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your
computer by the nearest (first hop) router? Why?
Answer:
The value of the identification field changes for all the ICMP TTL-exceeded replies
since the identification field is a unique value. If two or more IP datagrams have the
same identification value, then it means that these IP datagrams are fragments of a
single large IP datagram. The TTL field does not change because the time to live to
the first hop router is always the same.

D. Fragmentation

10. Find the first ICMP Echo Request message that was sent by your computer after you
changed the Packet Size in pingplotter to be 2000. Has that message been fragmented across
more than one IP datagram?
Answer:
Yes the message has been fragmented across more than one IP datagram.
Note the presence of the IPv4 fragments. I had the setting “Reassemble fragmented IPv4
Datagrams”, so Wireshark shows the fragments together.

11. Print out the first fragment of the fragmented IP datagram. What information in the IP
header indicates that the datagram has been fragmented? What information in the IP header
indicates whether this is the first fragment versus a latter fragment? How long is this IP
datagram?
Answer:
The “more fragments” bit is set, indicating the datagram has been fragmented and there are more
fragments coming. The “Fragment offset” is zero, indicating this is the first fragment. The
total length of this IP datagram is 1500 bytes.

12. Print out the second fragment of the fragmented IP datagram. What information in the
IP header indicates that this is not the first datagram fragment? Are there more fragments?
How can you tell?
Answer:
The “Fragment offset” is 185, indicating this is the second fragment.
The “more fragments” bit is clear, indicating this is the last fragment.

13. What fields change in the IP header between the first and second fragment?
Answer:
Total length, more fragments and fragment offset are the fields that change in the IP
header between the first and the second fragment.

14. Now find the first ICMP Echo Request message that was sent by your computer after
you changed the Packet Size in pingplotter to be 3500. How many fragments were created
from the original datagram?
Answer:
Three fragments were created from the original datagram in this case.

15. What fields change in the IP header among the fragments?
Answer:
The field that changes between fragments 1 and 2 is the fragment offset.
The fields that change between fragments 2 and 3 are total length, the more fragments bit,
and fragment offset.
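
The fragment values reported in answers 11 to 15, worked out from the datagram size. This is an added example, not part of the original report; it assumes the pingplotter packet size is the IP total length, a 20-byte IP header with no options, and a 1500-byte MTU.

```python
import struct

IP_HEADER_LEN = 20   # assumption: no IP options, as in the report's capture
MF = 0x2000          # "more fragments" bit in the 16-bit flags/offset field

def plan_fragments(total_length, mtu=1500):
    """Split one IPv4 datagram of total_length bytes into fragments.

    Returns a list of dicts: total_length, offset (in 8-byte units), mf.
    """
    payload = total_length - IP_HEADER_LEN
    # Every fragment except the last must carry a multiple of 8 payload bytes,
    # because the offset field counts 8-byte units (1480 / 8 = 185).
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags, sent = [], 0
    while sent < payload:
        size = min(chunk, payload - sent)
        frags.append({
            "total_length": IP_HEADER_LEN + size,
            "offset": sent // 8,
            "mf": sent + size < payload,
        })
        sent += size
    return frags

def flags_offset_field(frag):
    """Encode the 16-bit flags + fragment offset field as it appears on the wire."""
    return struct.pack("!H", (MF if frag["mf"] else 0) | frag["offset"])

def changed_fields(a, b):
    """Names of the modelled header values that differ between two fragments."""
    return sorted(k for k in a if a[k] != b[k])

if __name__ == "__main__":
    for size in (2000, 3500):
        for f in plan_fragments(size):
            print(size, f, flags_offset_field(f).hex())
```
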