Department of Computer Science & Information Systems Department of Computer Science & Information Systems

COMPUTER NETWORKS (CS F303) packet sniffer

LAB-SHEET – 1
packet application (e.g., www
Topic: Packet Sniffing using Wireshark and Traceroute application
analyzer browser, ftp client)

Objectives
operating
● This is an exercise in learning by doing and thinking. system Transport (TCP/UDP)
● Do NOT consult a book or a website or a senior – if you do so, you are not learning :( packet Network (IP)
● However, you are encouraged to consult/discuss/argue with other students in your class. capture copy of all Ethernet
frames sent/received
Link (Ethernet)
(pcap)
● Some of the material is taken up from Wikipedia and the Wireshark labs which come along with Physical

your textbook, i.e. Computer Networking: A Top Down Approach by Kurose and Ross.
to/from network to/from network

One’s understanding of network protocols can often be greatly deepened by “seeing protocols in action” Figure 1: Packet sniffer structure

and by “playing around with protocols” – observing the sequence of messages exchanged between two
protocol entities, delving down into the details of protocol operation, and causing protocols to perform The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields
certain actions and then observing these actions and their consequences. This can be done in simulated within a protocol message. In order to do so, the packet analyzer must “understand” the structure of all
scenarios or in a “real” network environment such as the Internet. In the Wireshark labs you’ll be doing in messages exchanged by protocols. For example, suppose we are interested in displaying the various fields
this course, you’ll be running various network applications in different scenarios using your own computer. in messages exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the format of
You’ll observe the network protocols in your computer “in action,” interacting and exchanging messages Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands the IP
with protocol entities executing elsewhere in the Internet. Thus, you and your computer will be an integral datagram format, so that it can extract the TCP segment (as HTTP uses TCP as underlying transport layer
part of these “live” labs. You’ll observe, and you’ll learn, by doing. protocol) within the IP datagram. Finally, it understands the TCP segment structure, so it can extract the
HTTP message contained in the TCP segment. Finally, it understands the HTTP protocol.
The basic tool for observing the messages exchanged between executing protocol entities is called a packet
sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being sent/received from/by There are many packet sniffers available, for example Wireshark packet sniffer, Ethereal Network
your computer; it will also typically store and/or display the contents of the various protocol fields in these Analyzer, Snoop Analyzer Standard, Network Probe, etc. We will be using the Wireshark packet sniffer
captured messages. A packet sniffer itself is passive. It observes messages being sent and received by [https://www.wireshark.org/] for these labs, allowing us to display the contents of messages being
applications and protocols running on your computer, but never sends packets itself. Similarly, received sent/received from/by protocols at different levels of the protocol stack. (Technically speaking, Wireshark
is a packet analyzer that uses a packet capture library in your computer). Wireshark is a free network
packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of
protocol analyzer that runs on Windows, Linux/Unix, and Mac computers. It operates in computers using
packets that are sent/received from/by application and protocols executing on your machine. Ethernet, serial (PPP and SLIP), 802.11 wireless LANs, and many other link-layer technologies (if the OS
on which it's running allows Wireshark to do so).
Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case,
Internet protocols) and applications (such as a web browser or ftp client) that normally run on your
computer. The packet sniffer, shown within the dashed rectangle in Figure 1 is an addition to the usual
software in your computer, and consists of two parts. The packet capture library receives a copy of every
link-layer frame that is sent from or received by your computer. You know that that messages exchanged
by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are eventually encapsulated in
link-layer frames that are transmitted over physical media such as an Ethernet cable. In Figure 1, the
assumed physical media is an Ethernet, and so all upper-layer protocols are eventually encapsulated within
an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent/received from/by all
protocols and applications executing in your computer.

1|Page 2|Page
 Department of Computer Science & Information Systems
Running Wireshark
When you run the Wireshark program, you’ll get a startup screen, as shown in Figure-2:
packet content
in hexadecimal
The Wireshark interface has five major components:
Figure-2: Start up screen of Wireshark.
Take a look at the screen – you’ll see an “Interface list”. This is the list of network interfaces on your
computer. Once you choose an interface, Wireshark will capture all packets on that interface. In the
example above, there is an Ethernet interface (Gigabit network Connection) along with some other. Use is
for this lab.
Click on “Ethernet” interface to start packet capture (i.e., for Wireshark to begin capturing all packets being
sent to/from that interface), a screen like the one shown in Figure-3 will be displayed, showing information
about the packets being captured. Once you start packet capture, you can stop it by using the Capture pull
down menu and selecting Stop.
3|Page
Department of Computer Science & Information Systems
command
menus
display filter
specification
listing of
captured
packets
details of
selected
packet
header
and ASCII
Figure 3: Wireshark Graphical User Interface, during packet capture and analysis
● The command menus are standard pulldown menus located at the top of the window. Of interest
to us now are the File and Capture menus. The File menu allows you to save captured packet data
or open a file containing previously captured packet data, and exit the Wireshark application. The
Capture menu allows you to begin packet capture.
● The packet-listing window displays a one-line summary for each packet captured, including the
packet number (assigned by Wireshark; this is not a packet number contained in any protocol’s
header), the time at which the packet was captured, the packet’s source and destination addresses,
the protocol type, and protocol-specific information contained in the packet. The packet listing can
be sorted according to any of these categories by clicking on a column name. The protocol type
field lists the highest-level protocol that sent or received this packet, i.e., the protocol that is the
source or ultimate sink for this packet.
● The packet-header details window provides details about the packet selected (highlighted) in the
packet-listing window. (To select a packet in the packet-listing window, place the cursor over the
packet’s one-line summary in the packet-listing window and click with the left mouse button.).
These details include information about the Ethernet frame (assuming the packet was sent/received
over an Ethernet interface) and IP datagram that contains this packet. The amount of Ethernet and
IP-layer detail displayed can be expanded or minimized by clicking on the plus minus boxes to the
left of the Ethernet frame or IP datagram line in the packet details window. If the packet has been
carried over TCP or UDP, TCP or UDP details will also be displayed, which can similarly be
4|Page
 Department of Computer Science & Information Systems Department of Computer Science & Information Systems

expanded or minimized. Finally, details about the highest-level protocol that sent or received this
packet are also provided.
● The packet-contents window displays the entire contents of the captured frame, in both ASCII
and hexadecimal format.
Towards the top of the Wireshark graphical user interface, is the packet display filter field, into which a
protocol name or other information can be entered in order to filter the information displayed in the packet-
listing window (and hence the packet-header and packet-contents windows). In the example below, we’ll
use the packet-display filter field to have Wireshark hide (not display) packets except those that correspond
to HTTP messages.
Taking Wireshark for a Test Run
Experiment-1
7. Find the HTTP GET message that was sent from your computer to the webserver. When you select
the HTTP GET message, the Ethernet frame, IP datagram, TCP segment, and HTTP message
header information will be displayed in the packet-header window. Recall that the HTTP GET
message that is sent to the gaia.cs.umass.edu web server is contained within a TCP segment, which
is contained (encapsulated) in an IP datagram, which is encapsulated in an Ethernet frame. By
clicking on ‘+’ and ‘-‘ right-pointing and down-pointing arrowheads to the left side of the packet
details window, minimize the amount of Frame, Ethernet, Internet Protocol, and Transmission
Control Protocol information displayed. Maximize the amount information displayed about the
HTTP protocol. Your Wireshark display should now look roughly as shown in Figure 4. (Note, in
particular, the minimized amount of protocol information for all protocols except HTTP, and the
maximized amount of protocol information for HTTP in the packet-header window).

The best way to learn about any new piece of software is to try it out! Do the following

1. Start up your favorite web browser.

2. Start up the Wireshark software. You will initially see a window similar to that shown in Figure 2.
Wireshark has not yet begun capturing packets. Select the desired network interface. Packet capture
will now begin - Wireshark is now capturing all packets being sent/received from/by your
computer!

3. Once you begin packet capture, a window similar to that shown in Figure 3 will appear. This
window shows the packets being captured. By selecting Capture pulldown menu and selecting
Stop, you can stop packet capture. But don’t stop packet capture yet. Let’s capture some
interesting packets first. To do so, we’ll need to generate some network traffic. Let’s do so using
a web browser, which will use the HTTP protocol.

4. While Wireshark is running, enter the URL: http://demo.testfire.net/login.jsp

and have that page displayed in your browser. In order to display this page, your browser will
contact the HTTP server and exchange HTTP messages with the server in order to download this
page. The Ethernet frames containing these HTTP messages (as well as all other frames passing
through your Ethernet adapter) will be captured by Wireshark.
Figure-4: GET message details
5. After your browser has displayed the login.jsp page, stop Wireshark packet capture by selecting
stop in the Wireshark capture window. The main Wireshark window should now look similar to 8. Save the packet capture and Exit Wireshark
Figure 3. You now have live packet data that contains all protocol messages exchanged between
your computer and other network entities! The HTTP message exchanges with the web server
should appear somewhere in the listing of packets captured. But there will be many other types of
packets displayed as well (see, e.g., the many different protocol types shown in the Protocol column
in Figure 3). Even though the only action you took was to download a web page, there were
evidently many other protocols running on your computer that are unseen by the user. We’ll learn
much more about these protocols as we progress through the text! For now, you should just be
aware that there is often much more going on than “meets the eye”!

6. Type in “http” (without the quotes, and in lower case – all protocol names are in lower case in
Wireshark) into the display filter specification window at the top of the main Wireshark window.
Then select Apply (to the right of where you entered “http”). This will cause only HTTP message
to be displayed in the packet-listing window. Now try to answer these questions:

5|Page 6|Page
 Department of Computer Science & Information Systems
1. What does \r\n mean after each line?
2. What indicates the end of HTTP message?
3. What is the version of HTTP used? Is it necessary to pass it in message? Why?
4. What type of connection it is: persistent or non-persistent?
5. What is the source IP address and destination IP address?
6. Which Transport layer protocol does HTTP use?
7. What is the source and destination port number?
8. How long did it take from when the HTTP GETT message was sent until HTTP OK reply was
received?
9. What is the difference between date header and Last-modified header in HTTP OK reply?
10. Although URL specifies the host, why do you think that it is again the part of HTTP GET message?
11. Does HTTP work on specific port? How can it be verified from GET and OK messages?
12. You can see a line “Response in Frame: some_number”. What does it mean? Verify your answer.
Experiment-2
1. Clear browsing history. You can do it using tools menu of your Brower.
2. Start Wireshark and apply filter “http” (without quotes) as we are interested in http packets.
3. Type the following URL in your web browser and press enter:
4. http://demo.testfire.net/login.jsp
5. Stop capturing packets and observe different HTTP packets. Observe that there are two embedded
images in the web page.
Q1. How many HTTP GET requests are generated?
Q2. What can be concluded from your answer of Q1 above?
Q3. What is the status code returned in all HTTP response packets?
Q4. When were the objects embedded in web page last modified at the server?
Q5. How many bytes of content are being returned to your browser in each HTTP response
packet?
6. Now, start Wireshark packet capture again and refresh the webpage, i.e., enter URL:
http://demo.testfire.net/login.jsp
Stop capturing packets and observe different HTTP packets again.
Q1. What is the date header value and Last Modified value in HTTP response packets?
Q2. Are two embedded images fetched from the server or were locally cached? How to verify
your answer? Justify the answer to yourself.
In all the above experiments see whether response from the server was in one single packet or multiple
packets. You will have to observe TCP packets for it in each case.
Part 2: Traceroute Program- A handy debugging tool for network administrators
The Traceroute program, written by Van. It lets us see the route that IP datagrams follow from one host to
another.
Although there are no guarantees that two consecutive IP datagrams from the same source to the same
destination follow the same route, most of the time they do.
Traceroute uses ICMP (don’t worry if you do not understand the ICMP protocols at this point in time) and
the TTL field in the IP header. The TTL field (time-to-live) is an 8-bit field that the sender initializes to
some value. The sender initializes to some value. Each router that handles the packet (datagram) is required
7|Page
Department of Computer Science & Information Systems
to decrement the TTL by either one. The purpose of the TTL field is to prevent datagrams from ending up
in infinite loops, which can occur during routing transients.
When a router gets an IP datagram, whose TTL is either 0 or 1 it must not forward the datagram. (A
destination host that receives a datagram like this can deliver it to the application, since the datagram does
not have to be routed. Normally, however, no system should receive a datagram with a TTL of 0.) Instead
the router throws away the datagram and sends back to the originating host an ICMP "time exceeded"
message. The key to Traceroute is that the IP datagram containing this ICMP message has the
router's IP address as the source address.
We can now guess the operation of Traceroute. It sends an IP datagram with a TTL of 1 to the destination
host. The first router to handle the datagram decrements the TTL, discards the datagram, and sends back
the ICMP time exceeded. This identifies the first router in the path. Traceroute then sends a datagram with
a TTL of 2, and we find the IP address of the second router. This continues until the datagram reaches the
destination host. But even though the arriving IP datagram has a TTL of 1, the destination host won't throw
it away and generate the ICMP time exceeded, since the datagram has reached its final destination. How
can we determine when we've reached the destination?
Traceroute sends UDP datagrams to the destination host, but it chooses the destination UDP port number
to be an unlikely value (larger than 30,000), making it improbable that an application at the destination is
using that port. This causes the destination host's UDP module to generate an ICMP "port unreachable"
error when the datagram arrives. All Traceroute needs to do is differentiate between the received ICMP
messages-time exceeded versus port unreachable-to know when it's done.
We're now ready to run traceroute and see the output. To perform the experiment, We'll use a Traceroute
available online at the website https://www.ultratools.com/tools/traceRoute or you can visit to
http://www.traceroute.org/ and choose a traceroute service.
Following is the output we got when, we performed the traceroute for “google.com”. You can directory
write the domain name (like google.com) or the IP address of that domain to run the Traceroute program.
traceroute to 172.217.23.238 (172.217.23.238), 30 hops max, 60 byte packets
1 praha-4d-c1-vl55.masterinter.net (77.93.199.253) 3.650 ms 3.718 ms 3.838 ms
2 vl1387.cr3.r1-8.dc1.4d.prg.masterinter.net (83.167.254.150) 0.148 ms 0.357 ms 0.366 ms
3 72.14.214.168 (72.14.214.168) 0.387 ms 0.376 ms 0.375 ms
4 108.170.245.49 (108.170.245.49) 0.285 ms 0.295 ms 108.170.245.33 (108.170.245.33) 0.274 ms
5 108.170.238.155 (108.170.238.155) 0.365 ms 108.170.238.157 (108.170.238.157) 0.337 ms
108.170.238.155 (108.170.238.155) 0.313 ms
6 prg03s06-in-f14.1e100.net (172.217.23.238) 0.192 ms 0.185 ms 0.235 ms
Lab Exercise-6: Once you run the Traceroute from your computer, the output received by you may not be
exactly same as above. (Note: It is suggested that you try it yourself.)
Now try to answer the following.
1. Explain the meaning of first line of the output.
8|Page
 Department of Computer Science & Information Systems Department of Computer Science & Information Systems

2. The next two lines in the output begin with the TTL, followed by the name of the host or router its
IP address and three different time values. What these time values signifies? COMPUTER NETWORKS (CS F303)
3. How we can calculate the per hop time value? LAB-SHEET – 2
Topic: Learning FTP and DNS using Wireshark
Repeat the above experiment for the BITS Pilani web site and iitd.ac.in and observe the output

Lab Exercise-7: Objectives:

Answer the following: ● To learn the working of FTP protocol using Wireshark
● To understand use and working of DNS protocol.
1. Did you observe the character * in few lines of the output for any of the trace route? If yes, then -------------------------------------------------------------------------------------------------------------------------------
what does it mean?
This lab is divided into three parts.
2. Did you see the last hop in your output as the destination you are looking for? If no, then what
could be the reason for this? In part one, we will continue doing the experiments with Wireshark to analyze and understand various
***** application layers’ protocols. In this lab our focus would be on another very important application layer
protocol called FTP (File Transfer Protocol).
In the second part of the lab, we will try to understand the working principles of domain name system with
the help of Wireshark capture and useful networking command called “nslookup”.
Part 1: Understanding the functioning of File Transfer Protocol (FTP) using Wireshark

FTP: File Transfer Protocol

FTP is a commonly used application over the Internet for file transfer. The file transfer provided by FTP
copies a complete file from one system to another system. To use FTP, we need an account to login on the
FTP server.

Figure 1, shows the arrangement of the client and server and the two connections between them.

Fig. 1

9|Page 1 | Page
 Department of Computer Science & Information Systems Department of Computer Science & Information Systems

2. The help command or ? (question mark) may be executed without being attached to a remote system
FTP Commands and will do a print (usually to the screen) of the FTP commands. The following is an example of an
The commands and replies sent across the control connection between the client and server are in NVT FTP Command to display the FTP Help information.
ASCII (7 bit ASCII). This requires a CR (carriage return), LF (line feed) pair at the end of each line (i.e.,
each command or each reply). The commands are 3 or 4 bytes of uppercase ASCII characters, some with ftp> help
optional arguments. More than 30 different FTP commands can be sent by the client to the server. Table
below shows some of the commonly used commands. 3. The following FTP Command will perform the FTP OPEN (make the connection) and display the
following messages.
Command Description
ABOR abort previous FTP command and any data ftp> open ftp.bits-pilani.ac.in
transfer Username: csis, Password: csis
LIST filelist list files or directories
PASS password password on server 4. The following FTP Command will copy a file from the local system to the remote system and display
PORT n1,n2,n3,n4,n5,n6 client IP address (nl.n2.n3.n4) and port (n5 x 256 the information.
+ n6)
QUIT logoff from server ftp> put C:\Users\Dell\Documents\readme.txt (This file could be anything from your local computer)
RETR filename retrieve (get) a file
STOP filename store (put) a file ftp> quit
You will find that sometimes there is a one-to-one correspondence between what the user types and the
Lab Exercise-2: Understanding FTP protocol details using Wireshark
FTP command sent across the control connection, but for some operations a single user command (what
you type in the terminal) results in multiple FTP commands across the control connection.
Identify TCP Header Fields and Operation Using a Wireshark FTP Session Capture
The FTP server sends file listings back across the data connection, rather than as multiline replies across Step 1: Start a Wireshark capture.
the control connection. Unlike control connection which stays up for the duration of the client-server
connection, the data connection can come and go, as required. a) Close all unnecessary network traffic, such as the web browser, to limit the amount of traffic
during the Wireshark capture.
The usual procedure is as follows:
b) Start the Wireshark capture.
1. The creation of the data connection is under control of the client, because it's the client that issues
the command that requires the data connection (get a file, put a file, or list a directory). Step 2: Log on to the FTP server
2. The client normally chooses an ephemeral port number on the client host for its end of the data
a) From the command prompt, enter ftp ftp.bits-pilani.ac.in
connection. The client issues a passive open from this port or starts listening on this port
3. The client sends this port number to the server across the control connection using the PORT b) Enter Username: csis
command. c) Enter Password: csis
4. The server receives the port number on the control connection, and issues an active open (try to
connect) to that port on the client host. The server's end of the data connection always uses port Step 3: Locate and download the readme.txt file from the server.
20.
Step 4: ftp quit
Lab Exercise-1: An Interactive FTP Session Step 5: Stop the Wireshark capture.
1. To start an FTP interactive session type "ftp" from a DOS Command window. Step 6: View the Wireshark Main Window.

C:\> ftp Wireshark would have captured many packets during the FTP session. To limit the amount of data for
analysis, type tcp and ip.addr = = 172.22.1.29 in the Filter: entry area and click Apply. The IP address,
The DOS prompt should be replaced with the FTP prompt. The FTP program is now running on the local 172.22.1.29, is the address for our FTP server.
system. A connection (or session) to a remote system has not been established.

2 | Page 3 | Page
 Department of Computer Science & Information Systems
Analyze the TCP header fields:
After the TCP filter has been applied, the first three frames in the packet list pane (top section) displays the
transport layer protocol TCP creating a reliable session. The sequence of [SYN], [SYN, ACK], and [ACK]
illustrates the three-way handshake. (Let us not get into details of SYN, SYN, ACK…., we will learn about
them in due course of time!!!)
TCP is routinely used during a session to control datagram delivery, verify datagram arrival, and manage
window size. For each data exchange between the FTP client and FTP server, a new TCP session is started.
At the conclusion of the data transfer, the TCP session is closed. Finally, when the FTP session is finished,
TCP performs an orderly shutdown and termination.
In Wireshark, detailed TCP information is available in the packet details pane (middle section).
Highlight the first TCP datagram from the host computer, and expand the record.
Lab Exercise-3: Understand the working of FTP
Answer the following questions.
1. Did you see an OPTS request going from client to server? What is the purpose of this command?
2. Locate the PORT command in the Wireshark trace and try to correlate it with the command entered by
you in the ftp terminal. Analyze the parameters of PORT command.
3. How the server is able to send PORT command successful, even when the three-way handshake
required to complete the TCP connection that got initiated due to PORT command has not been
completed.
4. The FTP server sends file listings back across the data connection, rather than as multiline replies across
the control connection. Try to verify this fact by listing the remote directory using “dir” command and
analyzing the Wireshark packet capture.
4 | Page
Department of Computer Science & Information Systems
Part 2: Understanding the functioning of Domain Name System DNS Protocol using
Wireshark and nslookup command.
DOMAIN NAME SERVICE (DNS)
The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services,
or other resources connected to the Internet or a private network. It associates various information with
domain names assigned to each of the participating entities. Most prominently, it translates more readily
memorized domain names to the numerical IP addresses needed for locating and identifying computer
services and devices with the underlying network protocols. By providing a worldwide, distributed
directory service, the Domain Name System is an essential component of the functionality on the Internet
that has been in use since 1985.
The Domain Name System also specifies the technical functionality of the database service that is at its
core. It defines the DNS protocol, a detailed specification of the data structures and data communication
exchanges used in the DNS, as part of the Internet Protocol Suite. Historically, other directory services
preceding DNS were not scalable to large or global directories as they were originally based on text files,
prominently the hosts file.A DNS name server is a server that stores the DNS records for a domain; a DNS
name server responds with answers to queries against its database.
The most common types of records stored in the DNS database are for Start of Authority (SOA), IP
addresses (A and AAAA), SMTP mail exchangers (MX), name servers (NS), pointers for reverse DNS
lookups (PTR), and domain name aliases (CNAME).
In this experiment you will sniff DNS packets.
Experiment 4
1. Clear Browsing history.
2. Start Wireshark and type filter name “dns” to see DNS packets.
3. Start browser and type URL:
https://dst.gov.in
4. Understand that the first task to be done by your system is to get IP address corresponding to the
server. See if there is any DNS packet shown in Wireshark to resolve server hostname. Chances
are that no DNS packet is shown in Wirehasrk. WHY?? Think before reading ahead.
5. Probably you must have thought that DNS resource records are cached locally and clearing
browsing history does not clear DNS records. You were right! So, now follow the following steps.
6. Open command prompt (or terminal) and type
C:\ ipconfig/displaydns
You will see all the cached DNS resource records. Now you need to clear all this. So type
C:\ ipconfig/flushdns
7. Now, repeat steps 2 to 4 above and observe DNS packets exchanged. Answer the following
questions with respect to DNS query message:
Q1. Which transport layer protocol is used?
Q2. What is the transaction ID of the message?
5 | Page
 Department of Computer Science & Information Systems Department of Computer Science & Information Systems

Q3. What is the query section? What is the type of query and what does it signify about the
type of query? Is there any other type of query you can recall? Lab Exercise-5:
Q4. What is the IP address of DNS server? Run the following commands from the command prompt. We have provided here the corresponding output
Q5. What is the destination port number? Remember that it is fixed for all DNS messages. for each command. The output in your terminal may not be exactly same as the output provided here.
Understand and describe the meaning/purpose of the commands and their corresponding output. (e.g.,
8. See the DNS response message and answer the following: Different DNS records, i.e. A, NS, MX, CNAME and their purpose.)
Q1. What is the transport layer protocol?
Q2. What is the transaction ID of this message? Is it same as that of corresponding DNS query
message? Command Output
C:\Users\Dell>nslookup Server: Unknown
Q3. Along with the answer, is there any authoritative name server also? What is its type and
google.com Address: 172.24.2.76
what does it signifies? Non-authoritative answer:
Q4. Is there any other field (for example additional records, etc.)? What it signifies? Name: google.com
9. Verify that when the webpage in step 3 above was fetched, DNS query and response was generated Addresses: 2404:6800:4009:807::200e
first then HTTP query and response. 142.250.192.46
C:\Users\Dell>nslookup Server: Unknown
-type=NS google.com Address: 172.24.2.76
To understand the process of IP address resolution in DNS with the help of Wireshark lets perform the Non-authoritative answer:
following experiment. google.com nameserver = ns4.google.com
google.com nameserver = ns3.google.com
Lab Exercise-4: google.com nameserver = ns2.google.com
google.com nameserver = ns1.google.com
Step 1: Start a Wireshark capture. C:\Users\Dell>nslookup Server: ns2.google.com
google.com Address: 216.239.34.10
a) Close all unnecessary network traffic, such as the web browser, to limit the amount traffic during ns2.google.com Name: google.com
the Wireshark capture. Addresses: 2404:6800:4009:807::200e
b) Start the Wireshark capture. 142.251.42.46

Step 2: Run the following command from the command prompt C:\Users\Dell>nslookup Server: Unknown
8.8.8.8 Address: 172.24.2.76
nslookup www.meity.gov.in Name: dns.google
Address: 8.8.8.8
Step 3: Stop the Wireshark capture. C:\Users\Dell>nslookup Server: dns.google
bits-pilani.ac.in Address: 8.8.8.8
Step 4: View the Wireshark Main Window. dns.google
Non-authoritative answer:
Name: bits-pilani.ac.in
Answer the following questions by observing traffic captured using Wireshark: Address: 103.144.92.33
14.139.243.20
1. Locate the DNS query and response messages. Are they sent over UDP or TCP?
2. To what IP address is the DNS query message sent? Is this the IP address of your default local
DNS server?
3. What is the destination port for the DNS query message? *****
4. What is the source port of DNS response message?
5. Examine the DNS response message. How many “answers” are provided? What do each of these
answers contain?

Repeat the same experiment by running the following command at step 2

nslookup -type=NS www.meity.gov.in and try to answer the same questions on page 6.

6 | Page 7 | Page
 Department of Computer Science and Information Systems
COMPUTER NETWORKS (CS F303) Display Filters Logical Operations
LAB-SHEET – 7
TOPIC: Transport Layer Protocol using Wireshark

Learning Objectives:
To understand the functioning of Transport Layer protocols (i.e. TCP and UDP)
In this lab, we’ll investigate the behavior of the TCP protocol in detail. We will:
● Use of Filter Expressions in Wireshark to select the packets of our interest
● Analyze a trace of the TCP segments sent and received in transferring a 150KB text file from
your computer to a remote server.
● Study TCP’s use of sequence and acknowledgment numbers for providing reliable data transfer;
● Study TCP’s congestion control algorithm – slow start and congestion avoidance – in action
● Analyze TCP’s receiver-advertised flow control mechanism.
● Investigate the performance (throughput and round-trip time) of the TCP connection between your
computer and the server.

Exercise 1: Filter Expression in Wireshark Table: 2

Every field in the packet details pane can be used as a filter string. This will result in showing only the
packets where this field exists. For example, the filter string: tcp will show all packets containing the TCP
Note: The filter toolbar (Click on Expression button to view this) lets you quickly edit and apply display
protocol. Wireshark provides a simple but powerful display filter language that allows you to build quite
filters.
complex filter expressions. You can compare values in packets and combine expressions into more specific
expressions.

Apply the following display filters to your capture and observe the effect of each on the display window:
tcp.port eq 80
tcp.port == 80 || tcp.port == 443
ip.addr == 172.22.24.65
ip.src==172.43.54.65 or ip.dst==172.43.54.65 (use IP address values from your
capture)
ip.len == 1500
Display Filters Comparison Operators

Fig. 1

Table: 1
1|Page 2|Page
 ● Use the Browse button in this form to enter the name of the file (full path name) on your computer
Do as directed: containing Alice in Wonderland (or do so manually). Don’t yet press the “Upload alice.txt file”
button.
● Open the Wireshark program, then open a web browser and start capturing packets on your active ● Now start up Wireshark and begin packet capture (Capture->Start) and then press OK on the
network card. Wireshark Packet Capture Options screen (we’ll not need to select any options here).
● Type www.google.com in the address bar (URL bar) of your web browser and search for anything ● Returning to your browser, press the “Upload alice.txt file” button to upload the file to the
you want. Browse the top two-2-3 results given by google search. Further, click on URLs and gaia.cs.umass.edu server. Once the file has been uploaded, a short congratulations message will be
images on the web pages. displayed in your browser window.
● Stop Wireshark capture and close the browser completely.
● Stop Wireshark packet capture. Your Wireshark window should look similar to the window shown
● Analyze the captured packets and protocols and answer the following questions.
below in figure 3.
 Locate TCP handshake segments and find the sequence number of SYN, SYN+ACK, and ACK
messages of all the TCP connections made by your computer.
 Find out the list of all TCP connections which have been reset.
 List all TCP segments which are sent and received by your machine having header lengths of more
than 20 bytes.
 List all the duplicate ACK TCP segments.
 What filter will you use if you want to find the sequence number of any one out-of-order TCP
segment captured in your trace file?

Exercise 2: Capturing a bulk TCP transfer from your computer to a remote server

We need to obtain a packet trace of the TCP transfer of a file from your computer to a remote web server
using the HTTP POST method. We’re using the POST method rather than the GET method as we’d like to
transfer a large amount of data from your computer to another computer. Of course, we’ll be running
Wireshark during this time to obtain the trace of the TCP segments sent and received from your computer.

Do as directed below:
● Start up your web browser. Go to the http://gaia.cs.umass.edu/wireshark-labs/alice.txt
● Retrieve an ASCII copy of Alice in Wonderland. Store this file somewhere on your
computer.
● Next, go to http://gaia.cs.umass.edu/wireshark-labs/TCP-wireshark-file1.html
● You should see a screen that looks like this:
Fig. 3
Exercise 2: A first look at the captured trace
Filter the TCP packets and then try to analyze behavior of the TCP connection. Look for series of TCP and
HTTP messages between your computer and gaia.cs.umass.edu. You should see the initial three-way
handshake containing a SYN message. You should see an HTTP POST message. You should also see TCP
ACK segments being returned from gaia.cs.umass.edu to your computer.

Answer the following questions.

1. What is the IP address and TCP port number used by the client computer (source) that is
transferring the file to gaia.cs.umass.edu?
2. Explore the details of TCP Packet used to carry the HTTP messages, using the “details of the
selected packet header window”.
3. What is the IP address of gaia.cs.umass.edu? On what port number is it sending and receiving TCP
segments for this connection?

Fig. 2
3|Page 4|Page
Note: To view information about the TCP segments containing the HTTP messages, rather than about the
HTTP messages, select Analyze->Enabled Protocols. Then uncheck the HTTP box and select OK. You
should now see a Wireshark window that looks like:
Note: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP segments sent.
Select a TCP segment in the “listing of captured packets” window that is being sent from the client to
the gaia.cs.umass.edu server. Then select: Statistics->TCP Stream Graph- >Round Trip Time Graph.
8. What is the length of each of the first six TCP segments?
9. What is the minimum amount of available buffer space advertised at the received for the entire trace?
Does the lack of receiver buffer space ever throttle the sender?
10. Are there any retransmitted segments in the trace file? What did you check for (in the trace) in order to
answer this question?
11. How much data does the receiver typically acknowledge in an ACK? Can you identify cases where the
receiver is ACKing every other received segment?
12. What is the throughput (bytes transferred per unit time) for the TCP connection?

Exercise 4: TCP congestion control in action

Let’s now examine the amount of data sent per unit time from the client to the server. We’ll use one of
Wireshark’s TCP graphing utilities - Time-Sequence-Graph(Stevens) - to plot out data.
Select a TCP segment in the Wireshark’s “listing of captured-packets” window. Then select the menu:
Statistics->TCP Stream Graph-> Time-Sequence Graph(Stevens). You should see a plot that was created
from the captured packets which can be described as follows:

● You should see a set of dots stacked above each other.

● Each dot in the plot represents a TCP segment sent, plotting the sequence number of the segment
versus the time at which it was sent.
Fig. 4
● The stacked set of dots represents a series of packets that were sent back-to-back by the sender.
Exercise 3: Understanding TCP Basics
● Use the Time-Sequence-Graph (Stevens) plotting tool to view the sequence number versus time
Answer the following questions for the TCP segments:
plot of segments being sent from the client to the gaia.cs.umass.edu server.
4. What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection ● Identify where TCP’s slow-start phase begins and ends, and where congestion avoidance takes
between the client computer and gaia.cs.umass.edu? Explore the segment that identifies itself as a SYN over?
segment?
5. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client computer
in reply to the SYN? What is the value of the Acknowledgement field in the SYNACK segment? How
did gaia.cs.umass.edu determine that value? What is it in the segment that identifies the segment as
a SYNACK segment?
6. What is the sequence number of the TCP segment containing the HTTP POST command? Note that in
order to find the POST command, you’ll need to dig into the packet content field at the bottom of the
Wireshark window, looking for a segment with a “POST” within its DATA field.
7. Consider the TCP segment containing the HTTP POST as the first segment in the TCP connection. What
are the sequence numbers of the first six segments in the TCP connection (including the segment
containing the HTTP POST)? At what time was each segment sent? When was the ACK for each
segment received? Given the difference between when each TCP segment was sent, and when
its acknowledgement was received, what is the RTT value for each of the six segments? What is the
EstimatedRTT value after the receipt of each ACK? Assume that the value of the EstimatedRTT
is equal to the measured RTT for the first segment, and then is computed using the EstimatedRTT
equation for all subsequent segments.

5|Page 6|Page
Exercise 5: UDP Packets Capturing and Analysis
Start capturing packets in Wireshark and then generate UDP packets (by clicking on www.youtube.com or
you can simply generate DNS traffic). It’s also likely that without explicitly doing anything, some UDP
packets (sent by others) will appear in your trace. Note: Simple Network Management Protocol sends
SNMP messages inside of UDP, so it’s likely that you’ll find some SNMP messages (and therefore UDP
packets) in your trace.
Stop the packet capture and then filter the UDP packets sent and received at your host. Pick one of these
UDP packets and expand the UDP fields in the details window.
Answer the following questions:
1. Select one UDP packet from your trace. From this packet, determine how many fields there are
in the UDP header. Name these fields.
2. By consulting the displayed information in Wireshark’s packet content field for this packet,
determine the length (in bytes) of each of the UDP header fields.
3. The value in the Length field is the length of what?
4. What is the maximum number of bytes that can be included in a UDP payload? (Hint: the answer
to this question can be determined by your answer to 2. above)
5. What is the largest possible source port number? (Hint: see the hint in 4.)
6. What is the protocol number for UDP? Give your answer in both hexadecimal and decimal
notation. To answer this question, you’ll need to look into the Protocol field of the IP datagram
containing this UDP segment.
7. Examine a pair of UDP packets in which your host sends the first UDP packet and the second UDP
packet is a reply to this first UDP packet. (Hint: for a second packet to be sent in response to a first
packet, the sender of the first packet should be the destination of the second packet). What is the
relationship between the port numbers in the two packets?
xx—oo—xx
7|Page
COMPUTER NETWORKS (CS F303)
LAB-SHEET –
Topic: Learning IP and ICMP using Wireshark
Objectives:
● To learn the working of IP protocol using Wireshark
● To understand the use and working of the ICMP protocol.
-----------------------------------------------------------------------------------------------------------------------------
In this lab, we will continue doing the experiments with Wireshark to analyze and understand various
network layers’ protocols. In this lab, we will focus on another fundamental network layer protocol
called IP (Internet Protocol) and ICMP (Internet Control Message Protocol).
IP (Internet Protocol):
The Internet Protocol provides the network layer (layer 3) transport functionality in the Internet Protocol
Family (Like, ICMP). The IP protocol is used to transfer packets from one IP address to another. The user
of this layer will give a packet and a remote IP address, and IP is responsible for transferring the packet
to that host. IP doesn't provide any mechanism to detect Packet Loss and Duplicate Packets. IP uses
ICMP to transfer control messages to a remote host, such as "Please don't send me more IP packets, I'm
full". ICMP protocol, which we are going to study in a subsequent lab.
Lab Exercise:
In order to generate a trace of IP datagrams for this lab, we’ll use the traceroute program to send
datagrams of different sizes towards some destination, X. Recall that traceroute operates by first sending
one or more datagrams with the time-to-live (TTL) field in the IP header set to 1; it then sends a series of
one or more datagrams towards the same destination with a TTL value of 2; and so on. Recall that a
router must decrement the TTL in each received datagram by 1, if the TTL reaches 0, the router returns
an ICMP message (type 11 – TTL-exceeded) to the sending host. As a result of this behavior, a datagram
with a TTL of 1 (sent by the host executing traceroute) will cause the router one hop away from the
sender to send an ICMP TTL-exceeded message back to the sender; the datagram sent with a TTL of 2
will cause the router two hops away to send an ICMP message back to the sender; the datagram sent with
a TTL of 3 will cause the router three hops away to send an ICMP message back to the sender; and so on.
In this manner, the host executing traceroute can learn the identities of the routers between itself and
destination X by looking at the source IP addresses in the datagrams containing the ICMP TTL-exceeded
messages.
For Windows:
A Windows traceroute program is pingplotter, available both in free version and shareware versions at
http://www.pingplotter.com. Download and install pingplotter, and test it out by performing a few
traceroutes to your favorite sites.
Linux/ Unix/ Mac OS traceroute command:
Syntax: traceroute <hostname> <datagram size>
Example: > traceroute www.google.com 2000
Do the following steps:
Step 1: Startup Wireshark and begin packet capture (Capture->Start) and then press OK on the Wireshark
Packet Capture Options screen (we’ll not need to select any options here).
Step 2: Enter three traceroute commands (as shown above). ,
One with a length of 56 bytes, one with a length of 2000 bytes, and one with a length of 3500 bytes.
Step 3: Stop Wireshark tracing.
Analysis of traced packets:
In your trace, you should be able to see the series of ICMP Echo Requests (in the case of Windows
machine) or the UDP segment (in the case of Unix) sent by your computer and the ICMP TTL-exceeded
messages returned to your computer by the intermediate routers.
NOTE: If you want to print the packet for later analysis reference, you can perform the following steps:
use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum
amount of packet detail that you need to answer the question.
Figure 1: Wireshark window of marked ICMP request packets
1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol
part of the packet in the packet details window. What is the IP address of your computer?
2. What is a router and network solicitation message?
3. Within the IP packet header, what is the value in the upper layer protocol field?
4. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain
how you determined the number of payload bytes.
5. Has this IP datagram been fragmented? Explain how you determined whether or not the datagram has
been fragmented.
Next, sort the traced packets according to IP source address by clicking on the Source column header; a
small downward pointing arrow should appear next to the word Source. If the arrow points up, click on
the Source column header again. Select the first ICMP Echo Request message sent by your computer, and
expand the Internet Protocol portion in the “details of selected packet header” window. In the “listing of
captured packets” window, you should see the subsequent ICMP messages (perhaps with additional
interspersed packets sent by other protocols running on your computer) below this first ICMP. Use the
down arrow to move through the ICMP messages sent by your computer.
Figure 2: Wireshark window of marked ICMP reply packet detailed fields
6. Which fields in the IP datagram always change from one datagram to the next within this series of
ICMP messages sent by your computer?
7. Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why?
Next (with the packets still sorted by source address) find the series of ICMP TTL- exceeded replies sent
to your computer by the nearest (first hop) router.

8. What is the value in the Identification field and the TTL field?

9. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your computer by
the nearest (first hop) router? Why?

Fragmentation with IP:

Sort the packet listing according to time again by clicking on the Time column.

10. Find the first ICMP Echo Request message that was sent by your computer after you changed the
Packet Size in pingplotter to be 2000. Has that message been fragmented across more than one IP
datagram?

Figure 4: Ping reply

12. Print out the second fragment of the fragmented IP datagram. What information in the IP header
indicates that this is not the first datagram fragment? Are there more fragments? How can you tell?

Figure 3: Pingplotter window for editing packet size (Edit -> options -> edit packet size)
11. Print out the first fragment of the fragmented IP datagram. What information in the IP header
indicates that the datagram has been fragmented? What information in the IP header indicates whether
this is the first fragment versus a latter fragment? How long is this IP datagram?
13. What fields change in the IP header between the first and second fragment? Now find the first ICMP
Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter
to be 3500.
14. How many fragments were created from the original datagram?
15. What fields change in the IP header among the fragments?
 ICMP
In this lab, we’ll explore several aspects of the ICMP protocol:
1. ICMP messages generated by the Ping program;
2. ICMP messages generated by the Traceroute program; and
The format and contents of an ICMP message.
ICMP: Internet Control Message Protocol
- ICMP or Internet Control Message Protocol is Internet or Network layer protocol. In general, it
is used to check the reachability of a host or router in a network.
- Ping or traceroute uses ICMP as the inner protocol. Ping uses ICMP echo requests and ICMP Figure 5: terminal window after entering the Ping command.
echo reply messages to check whether the destination host is reachable or not.
At the end of the experiment, your Terminal Window should look something like Figure 5. Make sure
- ICMP packet types:
you have an internet connection or ping will fail. Here is the snapshot for the successful ping to Google.
- ICMP echo request messages.
Note also that for each response, the source calculates the round-trip time (RTT), which for the 04
- ICMP echo reply messages.
packets is on average 15 msec. We can see 0% loss. That means ICMP request packets = ICMP reply
We present this lab in the context of the Microsoft Windows operating system. However, it is packets. There are certain other details like IP address, the amount of data, min and max amount of round
straightforward to translate the lab to a Unix or Linux environment. trip time.

Step 5: Stop Wireshark and put “ICMP” as a filter in Wireshark.

Lab exercise:
1. ICMP and Ping: Ping program is a simple tool that allows anyone (for example, a network Let’s check what happens in Wireshark when we ping to Google or 192.168.1.1.
administrator) to verify if a host is live or not. The Ping program in the source host sends a packet to the
target site or IP address; if the target is live, the Ping program in the target host responds by sending a Here is the ICMP request and reply packets for Google ping.
packet back to the source host. As you might have guessed (given that this lab is about ICMP), both of
these Ping packets are ICMP packets.

How to get an ICMP packet in Wireshark?

Step 1: Open the command line or terminal in Windows or Linux respectively.

Step 2: Start up the Wireshark packet sniffer, and begin Wireshark packet capture.

Step 3: Run the command: Syntax: ping <hostname>

Example: > ping www.google.com or > ping –n 10 www.google.com or > ping 192.168.1.1 (using
IP address)
Figure 6: Wireshark window after entering ICMP in the search/ filter box.
In the terminal or MS-DOS command line (without quotation marks), where the hostname is a host on
Number of ICMP requests: From the capture, we can see there are 4 ICMP request packets. Check the
another continent. The argument “-n 10” indicates that 10 ping messages should be sent. Then run the
marked packets.
Ping program by typing return.

Step 4: When the Ping program terminates, stop the packet capture in Wireshark.

Figure 7: Wireshark window of marked ICMP request packets.
Number of ICMP replies: From the capture, we can see there are 4 ICMP reply packets. Check the
marked packets.
Figure 8: Wireshark window of marked ICMP reply packets.
Analysis of ICMP Request: Now select the ICMP request/ reply packet in Wireshark and look into the
IPv4 layer. As this is an ICMP request packet, we can see the source IP as my system IP address and the
destination IP as Google’s one IP address. Also, the IP layer mentioned the protocol as ICMP.
Now, for the same packet, select the ICMP part in Wireshark. We can see below the important fields:
Figure 9: Important fields of ICMP packet
Answer the following questions by observing your Wireshark screen:
1. What is the IP address of your host? What is the IP address of the destination host?
2. Why is it that an ICMP packet does not have source and destination port numbers?
3. Examine one of the ping request packets sent by your host. What are the ICMP type and code
numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence
number, and identifier fields?
4. Examine the corresponding ping reply packet. What are the ICMP type and code numbers? What other
fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier
fields?
Lab Exercise:
2. ICMP and Traceroute: Let’s now continue our ICMP adventure by capturing the packets generated
by the Traceroute program. The Traceroute program can be used to figure out the path a packet takes
from source to destination. Traceroute is implemented in different ways in Unix/Linux/MacOS and in
Windows. In Unix/Linux, the source sends a series of UDP packets to the target destination using an
unlikely destination port number; in Windows, the source sends a series of ICMP packets to the target
destination. For both operating systems, the program sends the first packet with TTL=1, the second
packet with TTL=2, and so on. Recall that a router will decrement a packet’s TTL value as the packet
passes through the router. When a packet arrives at a router with TTL=1, the router sends an ICMP error
packet back to the source.
Do the following steps:
Step 1: Start up the Wireshark packet sniffer, and begin Wireshark packet capture.
Step 2: Open the terminal and write the tracert command:
Syntax: tracert <hostname> Example: > tracert www.google.com
Step 3: When the Traceroute program terminates, stop packet capture in Wireshark.
Traceroute displays the RTTs for each of the probe packets, as well as the IP address (and possibly the
name) of the router that returned the ICMP TTL-exceeded message.
Figure 10 displays the Wireshark window for an ICMP packet returned by a router. Note that this ICMP
error packet contains many more fields than the Ping ICMP messages.

Figure 10: Wireshark window of ICMP fields expanded for one ICMP error packet.
Answer the following questions:
1. What is the IP address of your host? What is the IP address of the target destination host?
2. If ICMP sent UDP packets instead (as in Unix/Linux), would the IP protocol number still be 01 for the
probe packets? If not, what would it be?
3. Examine the ICMP echo packet in your screenshot. Is this different from the ICMP ping query packets
in the first half of this lab? If yes, how so?
4. Examine the ICMP error packet in your screenshot. It has more fields than the ICMP echo packet.
What is included in those fields?
5. Examine the last three ICMP packets received by the source host. How are these packets different from
the ICMP error packets? Why are they different?
6. Within the tracert measurements, is there a link whose delay is significantly longer than others? (Refer
the traceroute window).
Birla Institute of Technology & Science, Pilani
Pilani Campus
Department of Computer Science and Information Systems
COMPUTER NETWORKS (CS F303)
SECOND SEMESTER 2022-23
LAB-SHEET -
TOPIC: Exploring DHCP and ARP using Wireshark
Learning Objectives:
● To learn about DHCP and understand its working using Wireshark.
o Triggering DHCP Packets by releasing and renewing IP information.
o Analyze DHCP Packers in Wireshark
● To learn about ARP and understand its working using Wireshark.
Dynamic Host Configuration Protocol (DHCP):
DHCP (Dynamic Host Configuration Protocol) is a network management protocol used to dynamically assign an IP
address to any device, or node, on a network so it can communicate using IP. DHCP automates and centrally
manages these configurations rather than requiring network administrators to manually assign IP addresses to all
network devices. DHCP is used extensively in corporate, university and home-network wired and wireless LANs to
dynamically assign IP addresses and other network configuration information to hosts. The other network
configuration information includes subnet mask information, default gateway IP addresses and domain name
system (DNS) addresses.
First, we take a quick look at DHCP. A DHCP server access is required to make configuration changes and see DHCP
in action. Hence, we will only examine DHCP packets that are captured by a host.
The system you are using already has an IP address assigned to it. To see DHCP packets in your system’s network
capture, we must release the DHCP supplied network configuration and renew it. Following steps will help you
perform this experiment.
1. Release current IP address:
Open command prompt as administrator and type ipconfig /release
1 | Page
 Birla Institute of Technology & Science, Pilani
Pilani Campus
Department of Computer Science and Information Systems
2. Start Wireshark packet capture.
3. Renew IP address:
Type ipconfig /renew in the command prompt and wait for it to terminate.
4. DHCP packets can be filtered in Wireshark using “bootp”. From the figure below, we can see that the first
ipconfig renew command caused four DHCP packets to be generated: a DHCP Discover packet, a DHCP
Offer packet, a DHCP Request packet, and a DHCP ACK packet.
Birla Institute of Technology & Science, Pilani
Pilani Campus
Department of Computer Science and Information Systems
Answer the following questions:
1. Are DHCP messages sent over UDP or TCP?
2. Draw a timing datagram illustrating the sequence of the first four-packet Discover/Offer/Request/ACK
DHCP exchange between the client and server. For each packet, indicated the source and destination port
numbers. Are the port numbers the same as in the example given in this lab assignment?
3. What is the link-layer (e.g., Ethernet) address of your host?
4. What values in the DHCP discover message differentiate this message from the DHCP request message?
5. What is the value of the Transaction-ID in each of the first four (Discover/Offer/Request/ACK) DHCP
messages? What are the values of the Transaction-ID in the second set (Request/ACK) set of DHCP
messages? What is the purpose of the Transaction-ID field?
6. A host uses DHCP to obtain an IP address, among other things. But a host’s IP address is not confirmed
until the end of the four-message exchange! If the IP address is not set until the end of the four-message
exchange, then what values are used in the IP datagrams in the four-message exchange? For each of the
four DHCP messages (Discover/Offer/Request/ACK DHCP), indicate the source and destination IP
addresses that are carried in the encapsulating IP datagram.
7. What is the IP address of your DHCP server?
8. What IP address is the DHCP server offering to your host in the DHCP Offer message? Indicate which DHCP
message contains the offered DHCP address.
9. In the example screenshot in this assignment, there is no relay agent between the host and the DHCP
server. What values in the trace indicate the absence of a relay agent? Is there a relay agent in your
experiment? If so, what is the IP address of the agent?
10. Explain the purpose of the router and subnet mask lines in the DHCP offer message.
11. In the DHCP trace file noted in footnote 2, the DHCP server offers a specific IP address to the client (see
also question 8. above). In the client’s response to the first server OFFER message, does the client accept
this IP address? Where in the client’s RESPONSE is the client’s requested address?
12. Explain the purpose of the lease time. How long is the lease time in your experiment?
13. What is the purpose of the DHCP release message? Does the DHCP server issue an acknowledgment of
receipt of the client’s DHCP request? What would happen if the client’s DHCP release message is lost?
14. Clear the bootp filter from your Wireshark window. Were any ARP packets sent or received during the
DHCP packet-exchange period? If so, explain the purpose of those ARP packets.

Address Resolution Protocol (ARP):

The ARP protocol maintains a cache of IP-to-Ethernet address translation pairs on your computer. The arp
command (in both MSDOS and Linux/Unix) is used to view and manipulate the contents of this cache. Since the
arp command and the ARP protocol have the same name, it’s understandably easy to confuse them. But keep in
mind that they are different - the arp command is used to view and manipulate the ARP cache contents, while the
ARP protocol defines the format and meaning of the messages sent and received, and defines the actions taken
on message transmission and receipt.

2 | Page 3 | Page
 Birla Institute of Technology & Science, Pilani
Pilani Campus
Department of Computer Science and Information Systems
We can check ARP entries using arp -a in command prompt/terminal.
Birla Institute of Technology & Science, Pilani
Pilani Campus
Department of Computer Science and Information Systems
7. Back in Wireshark, type “http” in the display filter to filter out the packets corresponding to the HTTP
request for accessing the website. Note down the packet numbers for the GET request and OK response.
8. Filter and remove higher layer protocols by unselecting the IP protocol from Enabled Protocols for display
in Wireshark.
a. To do this, go to Analyze->Enabled Protocols.

Write down the contents of your computer’s ARP cache. What is the meaning of each column value?
b. Type IPv4 in the search box, uncheck IPv4 and press OK.
Now, lets perform an experiment to capture and analyze ARP packets in Wireshark.
1. Clear ARP entries using arp -d *

2. Clear cache of the browser or open incognito mode.

3. Start Wireshark Packet Capture
4. Visit the Website:
http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-lab-file3.html
5. Stop the Wireshark packet capture.
6. (optional) The ARP entries are repopulated and can be checked by entering arp -a in the command prompt
or terminal.

4 | Page 5 | Page
 Birla Institute of Technology & Science, Pilani
Pilani Campus
Department of Computer Science and Information Systems
c. You will be presented with a filtered version of the packet capture.
Birla Institute of Technology & Science, Pilani
Pilani Campus
Department of Computer Science and Information Systems
Now answer the following questions:
1. What are the hexadecimal values for the source and destination addresses in the Ethernet frame
containing the ARP request message?
2. Give the hexadecimal value for the two-byte Ethernet Frame type field. What upper layer protocol does
this correspond to?
3. Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable, detailed
discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html
a. How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
b. What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which
an ARP request is made?
c. Does the ARP message contain the IP address of the sender?
d. Where in the ARP request does the “question” appear – the Ethernet address of the machine
whose corresponding IP address is being queried?
4. Now find the ARP reply that was sent in response to the ARP request.
a. How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
b. What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which
an ARP response is made?
c. Where in the ARP message does the “answer” to the earlier ARP request appear – the IP address
of the machine having the Ethernet address whose corresponding IP address is being queried?
5. What are the hexadecimal values for the source and destination addresses in the Ethernet frame
containing the ARP reply message?
*****

9. Type “arp” in the search box to further filter out the packets from the capture. Look for packets that have
packet number between the request and response packet numbers of the HTTP request for accessing the
website.

6 | Page 7 | Page