By Juan Marcos Miguel

Laboratory Session 06

1. ICMP and ping

d. Analyze the output of the ping command (not yet the traffic capture,
which we will analyze later) and answer the following points (d.1-d.5):
d.1. Include a screenshot showing the terminal with the output of the ping
command.

d.2. How many ping packets did your machine send? How do you know?
It sent 13 packets. It appears in the lower part of the terminal, after the info of each
individual packet, along with statistics regarding total time and percentage of lost packets.

d.3. What is the IP address of doc00X.lab.it.uc3m.es (or wherever you pinged, for
the rest of the sections assume we are referring to the successful ping)?
163.117.144.106

d.4. The output of the ping execution shows, for each ICMP message sent, a time
value and a ttl value. Find and explain what those values are, and think of at least
one way the ping calculate them (not necessarily how it actually does it, just one
way it could be done).

Group 3: Juan Marcos, Nixi Chen and David Pérez

By Juan Marcos Miguel

The time values are the time spent between the Echo Request packet is sent and the Echo
Reply packet is received. One way to calculate this is simply store the moment in which
the packet is sent and when the packet is received, get the time value of that moment
and subtract.

The ttl means Time To Live. It is a value used to prevent packets to wander the network
endlessly. When a packet is created, the ttl is sent to some value (normally 64, but the
default value changes between operating systems, and it can be modified manually), and
its value is decreased by 1 each time it goes through a router. If the value reaches 0
without reaching the destination, the packet is dropped. Since this value is stored in the
datagram header, it needs not to be calculated, it can just be read from there.

d.5. Use the ping command again but this time with the machine gbien.tel.uva.es
(machine located in Valladolid). Compare the results in the time and ttl values with
those obtained in section d.4.

As it can be seen, the time taken to receive the response is much higher than in the
previous case, and the time to live of the reply packets is lower. This is due to the fact the

Group 3: Juan Marcos, Nixi Chen and David Pérez

By Juan Marcos Miguel

packets must travel a longer distance and go through many more routers (which cause
delay and reduce the ttl) to reach the destination.

e. Using a display filter, keep the ICMP packets generated by the ping to
doc00X.lab.it.uc3m.es in section b. Which filter did you use? Include a
screenshot showing the Wireshark window with the traffic resulting from
applying the filter

To show only the packets sent by the ping command I use:

icmp && (ip.src == 163.117.144.114 && ip.dst ==
163.117.144.106)

To show also the packets received as reply I instead use:

icmp && (ip.src == 163.117.144.106 || (ip.src ==
163.117.144.114 && ip.dst == 163.117.144.106))

The result is this for both the packets sent and the replies:

And this for only the packets sent:

Group 3: Juan Marcos, Nixi Chen and David Pérez

By Juan Marcos Miguel

g. Based on what you see in Wireshark, draw the first packet sent by your
machine due to the ping command. Specifically plot the various headers
present in the packet, and in the correct order. It is not necessary to draw all
the fields within each header, but do indicate all the address fields (with their
value) in each header.
Ethernet frame headers
Field Binary value Hex Value Meaning
Destination MAC 1011 0100 0010 1110 b4:2e:99:82:c3:9c Destination MAC
address 1001 1001 1000 0010 address:
1100 0011 1001 1100 b4:2e:99:82:c3:9c
Source MAC 1011 0100 0010 1110 b4:2e:99:82:c3:31 Source MAC
address 1001 1001 1000 0010 address:
1100 0011 0011 0001 b4:2e:99:82:c3:31
Type 0000 1000 0000 0000 0800 The layer 3 is an
IPv4 datagram
IP datagram headers
Field Binary value Hex Value Meaning
Version 0100 4 IPv4
Header Length 0101 5 5 32-bit words (20
bytes)
Type of Service 0000 0000 00 Default
Total Length 0000 0000 0101 0100 54 84 bytes
Identification 0111 1011 0001 1100 7b1c ID value
Reserved to 0 0 0000 Always 0
DF (Don’t 1 The packet cannot
Fragment) be fragmented
MF (More to 0 There are no more
Follow) fragments to follow
this one
Fragment Offset 0 0000 This is the first
fragment
TTL (Time To Live) 0100 0000 40 Time to live = 64
Protocol 0000 0001 01 ICMP
Header Checksum 0101 0111 1100 0101 57c5 Used to detect
errors
Source IP Address 1010 0011 0111 0101 a3 75 90 72 Source IP address:
1001 0000 0111 0010 163.117.144.114
Destination IP 1010 0011 0111 0101 a3 75 90 6a Destination IP
Address 1001 0000 0110 1010 address:
163.117.144.106
ICMP headers
Field Binary value Hex Value Meaning
Type 0000 1000 08 Echo (ping) request
Code 0000 0000 00
Identifier 0000 0110 1110 1101 06 ed Used to identify the
packet
Sequence Number 0000 0000 0000 0001 00 01 Also used to
identify the packet

Group 3: Juan Marcos, Nixi Chen and David Pérez

By Juan Marcos Miguel

i. In fact, two identifiers and two sequence numbers appear in the decoded
information. Are there really two identifiers and two sequence numbers in
the ICMP message? Search the Internet for an explanation.
No, there are not two identifiers nor two sequence numbers, just one, as it can be seen
in the table above. What is happening is that Wireshark displays this in two formats: big
endian (BE) and little endian (LE). Big endian means that the most significant bytes are
sent first, while in little endian the least significant bytes are stored first. One or other
format is used depending on the device, and there is no way of telling which one is the
intended one from the packet, so Wireshark just represent them in both ways so the user
can decide the one more suited in each case. This time the identifier and sequence
number in big endian are 0x06ed and 0x0001 respectively and in little endian 0xed06 and
0x0100. In this case, since this is the first packet and the sequence number is intended to
order the packets sent, it is likely that big endian was the way the values were coded.

j. Examine the rest of the Echo Requests sent by your machine, you will see
that the identifier is the same for all of them, while the sequence number is
increasing. Why is that, how do you imagine the ping command uses these
fields? Think that on the Internet, IP packets can get lost and jumbled, and
the effect that has on what the ping is trying to do.
The packets share the same identifier so that they can be identified correctly as part of
the same ping. The sequence number is increased to count the packets sent and to
correctly associate them with their respective replies (in case they arrive), as the Echo
Replies also have the same identifier and sequence number as the corresponding request.
This way, the ping command can check how many packets receive replies, allowing to
analyse if the destination is reachable, the time to get a reply from it and the percentage
of packets lost in the way.

k. Now examine the corresponding Echo Reply packets. What is the type and
code for these packets? How many bytes are in the other fields of the ICMP
header: checksum, sequence number and identifier?
The type and code are both 0, which matches with the type and code of an Echo Reply.
The checksum uses 2 bytes, the identifier uses also 2 bytes and the sequence number 2
bytes more, adding to 8 bytes.

Group 3: Juan Marcos, Nixi Chen and David Pérez

By Juan Marcos Miguel

2. ICMP and traceroute

o. Analyze the output of the traceroute command (not the traffic capture,
which we will analyze later). You will notice that for each TTL value the
source machine (your machine) has sent three packets. And the output of
the command shows the RTT for each of these packets, as well as the IP
address and in some cases the name of the router that returned the ICMP
TTL-exceeded packet. Now answer the following points:
o.1) Include a screenshot showing the output of the traceroute command. Repeat
the command execution but now also include the "-n" option and include a
screenshot of the output of this new execution. Explain the effect of the "-n".

After including the -n option, we get the following result:

Group 3: Juan Marcos, Nixi Chen and David Pérez

By Juan Marcos Miguel

According to the Linux manual, the -n option makes the command not try to map IP
addresses to host names when displaying them. This means that the command just
displays the IP addresses of the routers without showing its names (This does not affect
some of the routers, as even without the -n option, the command is unable to find the
host name, so it just displays its IP address).

o.2) Through how many routers do your packets traverse until they reach
www.uio.no?
The packets go through 21 routers before reaching the destination host (www.uio.no),
being a total of 22 including the destination.

o.3) What is the IP address of the server www.uio.no?

The address of uio.no, as it can be seen in the screenshots, is 129.240.118.130

o.4) If you look at the RTT measurements you have obtained with the traceroute
command, there are hops where the delay increases significantly more than
others (i.e. comparing the RTT to one router with the RTT to the previous router,
the growth is higher than in other cases). Looking at the names of the routers
(output of the command without the "-n" option) that are at the ends of those
links, can you imagine what is the physical location of those routers? Compare
locations with increments in the RTT between hops.
IP address Host name RTT Time from Location
(average) previous
163.117.144.2 gateway Madrid,
0,432667 0,432667 Spain
163.117.31.2 rtr-dep-it.uc3m.es Madrid,
1,935 1,502333 Spain
163.117.49.202 - Madrid,
1,047667 -0,88733 Spain
193.145.15.137 - Madrid,
1,835 0,787333 Spain
130.206.216.1 ae2-103.telmad.rt4.mad.red.rediris.es Madrid,
2,485 0,65 Spain
62.40.124.192 rediris.mx1.mar.fr.geant.net Marseille,
16,21967 13,73467 France
62.40.98.73 ae8.mx1.gen.ch.geant.net Geneva,
22,46067 6,241 Switzerland
62.40.98.183 ae6.mx1.par.fr.geant.net 29,595 7,134333 Paris, France
62.40.98.178 ae5.mx1.lon2.uk.geant.net 36,10833 6,513333 London, UK
62.40.98.36 ae6.mx1.lon.uk.geant.net 37,02667 0,918333 London, UK
62.40.124.130 nordunet-gw.mx1.lon.uk.geant.net 36,86433 -0,16233 London, UK
109.105.97.126 dk-uni.nordu.net Copenhagen,
53,65833 16,794 Denmark
109.105.97.2 dk-bal2.nordu.net Copenhagen,
58,43467 4,776333 Denmark
109.105.97.246 no-hmg9.nordu.net Stockholm,
70,131 11,69633 Sweden
109.105.102.5 hmg9-gw.uninett.no 69,44367 -0,68733 Oslo, Norway

Group 3: Juan Marcos, Nixi Chen and David Pérez

By Juan Marcos Miguel

128.39.255.66 tullin-gw1.uninett.no 69,449 0,005333 Oslo, Norway

128.39.230.18 oslo-gw1.uninett.no 69,632 0,183 Oslo, Norway
128.39.65.18 uio-gw8.uio.no 69,606 -0,026 Oslo, Norway
129.240.100.69 knh-gw1.uio.no 69,71433 0,108333 Oslo, Norway
129.240.100.66 ojd-gw1.uio.no 69,63667 -0,07767 Oslo, Norway
129.240.25.162 ojd-mrom-gw1.uio.no 69,899 0,262333 Oslo, Norway
129.240.118.13 lb-w3d-prod-vip-vortex-www.uio.no Oslo, Norway
0 69,48633 -0,41267

The table contains info regarding the location of the hosts based on the host names, the
RTT differences and info gathered from various IP-locating APIs. As it can be seen, the
biggest RTT differences correspond in general to big geographical distances, going from
one country to another. There are, however, some hops that may seem strange if we look
at the RTT differences.

The first ones are the ones with negative differences, which may seem strange since the
packet going through more routers should mean it spends more time in the network. The
most likely answer for this is that the packets suffered delays in the routers (due to
congestion, or other causes) that changes for its packet. If one set of packets suffer less
delay than the previous ones, they may spend less time travelling the network even if they
travel to a further router.

The other strange hops are the ones that go through a big distance but have small RTT
difference or that are close but have big RTT. There may be various reasons for these
cases: first, the locations written in the table are imprecise, the host names normally do
not contain much information and the IP-locating APIs are really inaccurate, to the point
that different APIs may provide very different locations (differences of a thousand
kilometres or more). Delays may also come into play here but since the differences are so
big. Finally, all the cases of small delay and big distances, belong to hosts that are part of
the Uninett network. This is an internal network for universities and research centres in
the north of Europe, so it may be the case that have higher speed connections between
their hosts.

p. Using a display filter, locate among the captured packets, the

packets generated by the executed traceroute. Include a screenshot
showing the Wireshark window with the filter applied to capture the
traceroute traffic (you cannot include all the captured traffic, only the
first packets).

Group 3: Juan Marcos, Nixi Chen and David Pérez

By Juan Marcos Miguel

q. Regarding the first IP packet generated by your machine (due to the

traceroute), what does the IP packet contain in the data field, to which
machine is the IP packet addressed, what value appears in the TTL field?
The first packet generated by the traceroute is addressed to 129.240.118.130 (uio.no), it
has a TTL of 1 and contains an ICMP packet of Type 8 and Code 0 (Echo (ping) request).

r. Examine the first ICMP reporting an error (TTL exceeded), which device
generated this message, from which source IP address, what type and
code does the ICMP message have, what does the message contain (in the
data field of the ICMP message)?
The first ICMP reporting a TTL exceeded comes from the IP address 163.117.144.2, which
according to the traceroute command results corresponds to the gateway router, which
is the one in charge of connecting the Local Area Network of the original host to the rest
of external networks (the Internet). The ICMP packet is type 11 and code 0 (Time-to-live
exceeded). The data field of the ICMP message contains the original datagram sent that
the router that generated the error received (it actually contains the IP header and at least
8 bytes of the payload of the original packet, but in this case, it contains the whole payload
(the ping request)).

Group 3: Juan Marcos, Nixi Chen and David Pérez

By Juan Marcos Miguel

s. Examine the last ICMP packets received by your machine, what are the
differences between these packets and the rest of the previous ICMP
packets received, why are they different?
The last packets received are clearly different, since instead of being error ICMP messages,
they are ping replies (ICMP type 0 code 0). This happens because the ping requests that
arrive at the destination host have enough TTL to avoid being discarded by any routers in
the way, so instead of being discarded and an error message being sent, the packets reach
the destination host, which responds to the Echo (ping) Requests with Echo (ping) Replies.

Group 3: Juan Marcos, Nixi Chen and David Pérez