Published December 11, 2023 (author: )
Computer Networks: Ethernet and ARP
Experiment: Lab 7 Ethernet and ARP
1. Capturing and analyzing Ethernet frames
STEPS
• First, make sure your browser’s cache is empty. (To do this under Netscape 7.0,
select Edit->Preferences->Advanced->Cache and clear the memory and disk
cache. For Internet Explorer, select Tools->Internet Options->Delete Files. For
Firefox select Tools->Clear Private Data.)
• Start up the Wireshark packet sniffer
• Enter the following URL into your browser
/wireshark-labs/ Your
browser should display the rather lengthy US Bill of Rights.
• Stop Wireshark packet capture. First, find the packet numbers (the leftmost
column in the upper Wireshark window) of the HTTP GET message that was
sent from your computer to , as well as the beginning of the
HTTP response message sent to your computer by . You should
see a screen that looks something like this (where packet 4 in the screen shot
below contains the HTTP GET message)
• Since this lab is about Ethernet and ARP, we’re not interested in IP or
higher-layer protocols. So let’s change Wireshark’s “listing of captured packets”
window so that it shows information only about protocols below IP. To have
Wireshark do this, select Analyze->Enabled Protocols. Then uncheck the IP box
and select OK.
QUESTIONS
1. What is the 48-bit Ethernet address of your computer?
The 48-bit Ethernet address of your computer is 3c:97:0e:ff:69:02.
2. What is the 48-bit destination address in the Ethernet frame? Is this the
Ethernet address of ? (Hint: the answer is no). What device
has this as its Ethernet address? [Note: this is an important question, and one 3. 4.
5. How many bytes from the very start of the Ethernet frame does the ASCII
“G” in “GET” appear in the Ethernet frame?
54 bytes. There are 14 bytes of Ethernet frame header, 20 bytes of IP header
and 20 bytes of TCP header before the HTTP data, so the “G” is the 55th byte,
at offset 54 from the start of the frame. Note that 20 + 20 only holds when
neither the IP nor the TCP header carries options; the IP IHL field and the
TCP Data Offset field give the real header lengths.
6. What is the hexadecimal value of the CRC field in this Ethernet frame?
There is no CRC field in the captured frame. The 4-byte frame check sequence
(FCS) is computed and appended by the sending network card and checked and
stripped by the receiving network card, so the frame that is handed up to the
operating system, and from there to Wireshark, no longer carries it.
7. What is the value of the Ethernet source address? Is this the address of your
computer, or of (Hint: the answer is no). What device has
this as its Ethernet address?
The value of the Ethernet source address is 38:22:d6:e6:0e:0d. This is neither
the address of my computer, nor of . It is the Ethernet address
of my default gateway. That is to say, it’s the address of my router, which is the
link used to get off the subnet.
8. What is the destination address in the Ethernet frame? Is this the Ethernet
address of your computer?
The destination address in the Ethernet frame is 3c:97:0e:ff:69:02. This
is the Ethernet address of my computer.
9. Give the hexadecimal value for the two-byte Frame type field. What do the
bit(s) whose value is 1 mean within the flag field?
The hexadecimal value for the two-byte Frame type field is 0x0800, which
identifies the payload as an IPv4 datagram.
The flag field referred to is the 3-bit Flags field of that IP header. The bit
whose value is 1 is the Don’t Fragment (DF) bit: it tells routers that this
datagram must not be fragmented, so it has not been (and will not be) split.
10. How many bytes from the very start of the Ethernet frame does the ASCII
“O” in “OK” (i.e., the HTTP response code) appear in the Ethernet frame?
There are 14 bytes of Ethernet frame header, 20 bytes of IP header and 20
bytes of TCP header before the HTTP data, so the HTTP data begins 54 bytes
from the very start of the Ethernet frame.
Within the status line, the “O” of “OK” is preceded by the 13 characters
“HTTP/1.1 200 ”, so the “O” appears 54 + 13 = 67 bytes from the very start
of the Ethernet frame.
11. What is the hexadecimal value of the CRC field in this Ethernet frame?
There is no CRC field here either: the FCS is generated by the sending
network card and verified and stripped by the receiving one before the frame
reaches Wireshark.
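The offset arithmetic in questions 5 through 11 can be checked mechanically. The script below is an added example, not part of the lab handout or the answers above: it builds constructed Ethernet/IPv4/TCP frames (the two MAC addresses are the ones reported above; the IP addresses, ports, sequence numbers and HTTP text are made up, and checksums are left at zero because nothing is sent) and then walks the headers using the IP IHL and TCP Data Offset fields, so it also gives the right answer when either header carries options and the payload no longer starts at byte 54.

```python
"""Locate the HTTP payload inside a captured Ethernet II frame.

Added example, not from the lab handout. Frames are constructed in
build_frame() so the script runs offline; the server address 192.0.2.1
and the HTTP text are made up.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
IP_FLAG_DF = 0x4000          # Don't Fragment
IP_FLAG_MF = 0x2000          # More Fragments

MY_MAC = bytes.fromhex("3c970eff6902")   # this computer (from the answers above)
GW_MAC = bytes.fromhex("3822d6e60e0d")   # default gateway (from the answers above)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ethertype_of(frame: bytes) -> int:
    """Two-byte type field at offset 12 (0x0800 = IPv4, 0x0806 = ARP)."""
    return struct.unpack("!H", frame[12:14])[0]


def parse_frame(frame: bytes) -> dict:
    """Header boundaries of an Ethernet/IPv4/TCP frame.

    Reads IHL and Data Offset instead of assuming 20 + 20, so options are
    handled. No FCS/CRC is expected: the NIC strips it before capture.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip_start = 14
    ver_ihl = frame[ip_start]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ip_len = (ver_ihl & 0x0F) * 4                  # IHL is in 32-bit words
    flags = struct.unpack("!H", frame[ip_start + 6:ip_start + 8])[0]
    if frame[ip_start + 9] != IP_PROTO_TCP:
        raise ValueError("not TCP")
    tcp_start = ip_start + ip_len
    tcp_len = (frame[tcp_start + 12] >> 4) * 4     # Data Offset, also in words
    payload_start = tcp_start + tcp_len
    return {
        "dst_mac": mac_str(dst), "src_mac": mac_str(src),
        "ip_header_len": ip_len, "tcp_header_len": tcp_len,
        "df": bool(flags & IP_FLAG_DF), "mf": bool(flags & IP_FLAG_MF),
        "payload_offset": payload_start, "payload": frame[payload_start:],
    }


def offset_of(frame: bytes, needle: bytes) -> int:
    """Offset from the start of the frame of `needle` in the TCP payload,
    or -1 if it is not there."""
    info = parse_frame(frame)
    i = info["payload"].find(needle)
    return -1 if i < 0 else info["payload_offset"] + i


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes,
                ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying `payload`, DF set.
    IP addresses are not swapped for a response; only offsets matter here."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    data_off = 5 + len(tcp_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_off << 4,
                      0x18, 8192, 0, 0) + tcp_options          # PSH|ACK
    total = ihl * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234,
                     IP_FLAG_DF, 64, IP_PROTO_TCP, 0,
                     bytes([192, 168, 1, 105]),                 # client (from the ARP answers)
                     bytes([192, 0, 2, 1])) + ip_options        # made-up server address
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    get = build_frame(GW_MAC, MY_MAC, b"GET /index.html HTTP/1.1\r\n\r\n")
    resp = build_frame(MY_MAC, GW_MAC, b"HTTP/1.1 200 OK\r\n\r\n")
    print("G of GET at byte", offset_of(get, b"GET"))     # 54
    print("O of OK at byte", offset_of(resp, b"OK"))      # 67
    with_opts = build_frame(GW_MAC, MY_MAC, b"GET / HTTP/1.1\r\n",
                            ip_options=b"\x01" * 4, tcp_options=b"\x01" * 4)
    print("GET with 4+4 bytes of options at byte", offset_of(with_opts, b"GET"))  # 62
```

The same parser applied to a real capture would read the frame bytes from a pcap instead of build_frame(); the point of the options case is that any tool which hard-codes 54 silently mis-parses such frames, which is also why detection rules keyed on fixed payload offsets are easy to evade.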
2. The Address Resolution Protocol
11. Write down the contents of your computer’s ARP cache. What is the meaning of each column value?
The Internet Address column holds the IP address. The Physical Address
column holds the MAC address that IP address was resolved to. The Type column
says how the entry got there: dynamic entries were learned from ARP replies
and expire after a timeout, static entries were added by hand and do not.
STEPS
• Clear your ARP cache, as described above.
• Next, make sure your browser’s cache is empty. (To do this under Netscape 7.0,
select Edit->Preferences->Advanced->Cache and clear the memory and disk
cache. For Internet Explorer, select Tools->Internet Options->Delete Files.)
• Start up the Wireshark packet sniffer
• Enter the following URL into your browser
/wireshark-labs/ Your
browser should again display the rather lengthy US Bill of Rights.
• Stop Wireshark packet capture. Again, we’re not interested in IP or
higher-layer protocols, so change Wireshark’s “listing of captured packets”
window so that it shows information only about protocols below IP. To have
Wireshark do this, select Analyze->Enabled Protocols. Then uncheck the IP box
and select OK. You should now see a Wireshark window that looks like this:
QUESTIONS
(The following answers are based on the ethernet-ethereal-trace-1 trace file)
12. What are the hexadecimal values for the source and destination addresses in
the Ethernet frame containing the ARP request message?
The source address in the Ethernet frame is 00:d0:59:a9:3d:68. The destination
address is ff:ff:ff:ff:ff:ff, the broadcast address, so every host on the
subnet receives the request.
13. Give the hexadecimal value for the two-byte Ethernet Frame type field. What
do the bit(s) whose value is 1 mean within the flag field?
The hexadecimal value for the two-byte Ethernet Frame type field is 0x0806,
which identifies the payload as ARP.
There is no flag field: unlike the IPv4 header, the ARP message has no flags.
14. Download the ARP specification from
ftp:///innotes/std/. A readable, detailed discussion of
ARP is also at
/users/gorry/course/inet-pages/.
a) How many bytes from the very beginning of the Ethernet frame does the ARP
opcode field begin?
There are 14 bytes of Ethernet frame header. Inside the ARP message, the
opcode is preceded by 6 bytes: hardware type (2), protocol type (2), hardware
address length (1) and protocol address length (1). So the ARP opcode field
begins 20 bytes from the beginning of the frame.
b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP request is made?
The value of the opcode field within the ARP-payload part of the Ethernet
frame in which an ARP request is made is 1.
c) Does the ARP message contain the IP address of the sender?
Yes. The Sender IP address field holds the sender’s IP address, here 192.168.1.105.
d) Where in the ARP request does the “question” appear – the Ethernet address
of the machine whose corresponding IP address is being queried?
The “question” is the Target MAC address field, which is set to
00:00:00:00:00:00; the Target IP address field beside it holds the IP address
whose Ethernet address is being asked for.
15. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the ARP
opcode field begin?
There are 14 bytes of Ethernet frame header, followed by the 6 bytes of
hardware type, protocol type, hardware address length and protocol address
length. So, as in the request, the ARP opcode field begins 20 bytes from the
beginning of the frame.
b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP response is made?
The value of the opcode field within the ARP-payload part of the Ethernet
frame in which an ARP response is made is 2.
c) Where in the ARP message does the “answer” to the earlier ARP request
appear – the IP address of the machine having the Ethernet address whose corresponding IP address is being queried?
The “answer” is in the Sender MAC address field of the reply. Here it
holds the MAC address of 192.168.1.1, which is 00:06:25:da:af:73.
16. What are the hexadecimal values for the source and destination addresses in
the Ethernet frame containing the ARP reply message?
The source address in the Ethernet frame containing the ARP reply message is
00:06:25:da:af:73.
The destination address in that frame is 00:d0:59:a9:3d:68: the reply is
unicast back to the requester rather than broadcast.
17. Open the ethernet-ethereal-trace-1 trace file in
/wireshark-labs/. The first and
second ARP packets in this trace correspond to an ARP request sent by the
computer running Wireshark, and the ARP reply sent to the computer running
Wireshark by the computer with the ARP-requested Ethernet address. But there
is yet another computer on this network, as indicated by packet 6 – another ARP
request. Why is there no ARP reply (sent in response to the ARP request in
packet 6) in the packet trace?
Packet 6 is a broadcast ARP request sent by 192.168.1.104, so every host on
the subnet, including the one running Wireshark, receives it. But the request
is looking for the MAC address of 192.168.1.117, and only the host that owns
that IP address will reply. “My” host’s IP address is 192.168.1.105, so it does
not reply. The reply that 192.168.1.117 sends is unicast to the MAC address of
192.168.1.104, not broadcast, so “my” network card (on a switched network, “my”
switch port) never sees it. That is why there is no ARP reply to the request in
packet 6 in the trace.
Extra Credit
EX-1. The arp command: arp -s InetAddr EtherAddr allows you to manually
add an entry to the ARP cache that resolves the IP address InetAddr to the
physical address EtherAddr. What would happen if, when you manually added
an entry, you entered the correct IP address, but the wrong Ethernet address for
that remote interface?
If I entered the correct IP address but the wrong Ethernet address for
that remote interface, every frame my host sends to that IP address would be
addressed to the wrong MAC address. The frames would either be dropped (no
interface has that MAC) or delivered to whichever interface does, and because
a static entry never expires, the host would not send a new ARP request to
correct it. This is the same effect an attacker produces with ARP spoofing,
except that there the bad binding arrives in a forged ARP reply.
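The ARP request and reply examined in questions 12 through 17, and the wrong-binding effect described in EX-1, can be reproduced and checked offline. The script below is an added example, not part of the lab handout or the answers above. It constructs the request/reply pair from the addresses reported above (00:d0:59:a9:3d:68 at 192.168.1.105 asking for 192.168.1.1, answered by 00:06:25:da:af:73), parses each frame to show where the opcode and the “question” and “answer” fields sit, and then feeds the frames to a small cache monitor that flags what a poisoned binding looks like on the wire. The forged reply and its 02:00:00:00:00:01 sender MAC are made up for the demonstration.

```python
"""Parse ARP inside Ethernet and watch for poisoned bindings.

Added example, not from the lab handout. The ARP_OPCODE_OFFSET constant is
the 20 bytes worked out in questions 14a and 15a.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
# Ethernet header (14) + htype (2) + ptype (2) + hlen (1) + plen (1)
ARP_OPCODE_OFFSET = 14 + 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_arp(eth_src: bytes, eth_dst: bytes, opcode: int, sender_mac: bytes,
              sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Constructed Ethernet frame carrying an IPv4-over-Ethernet ARP message."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      sender_mac, ip_bytes(sender_ip), target_mac, ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Fields of an ARP message; raises ValueError for anything else."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4 over Ethernet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "opcode": opcode,
        "sender_mac": mac_str(sha), "sender_ip": ".".join(map(str, spa)),
        "target_mac": mac_str(tha), "target_ip": ".".join(map(str, tpa)),
    }


class ArpMonitor:
    """Learn IP -> MAC bindings the way a host's cache does and flag the
    signs of poisoning: a reply nobody asked for, an ARP sender MAC that
    differs from the frame's source MAC, or a binding that changes."""

    def __init__(self):
        self.bindings = {}     # ip -> mac
        self.pending = set()   # target IPs of requests seen so far
        self.alerts = []

    def observe(self, frame: bytes) -> list:
        a = parse_arp(frame)
        found = []
        if a["eth_src"] != a["sender_mac"]:
            found.append(f"sender MAC {a['sender_mac']} differs from frame source {a['eth_src']}")
        if a["opcode"] == ARP_REQUEST:
            self.pending.add(a["target_ip"])
        elif a["opcode"] == ARP_REPLY:
            if a["sender_ip"] in self.pending:
                self.pending.discard(a["sender_ip"])
            else:
                found.append(f"unsolicited reply: {a['sender_ip']} is at {a['sender_mac']}")
        old = self.bindings.get(a["sender_ip"])
        if old is not None and old != a["sender_mac"]:
            found.append(f"{a['sender_ip']} moved from {old} to {a['sender_mac']}")
        self.bindings[a["sender_ip"]] = a["sender_mac"]   # both opcodes carry the sender's binding
        self.alerts.extend(found)
        return found


if __name__ == "__main__":
    requester = bytes.fromhex("00d059a93d68")
    gateway = bytes.fromhex("000625daaf73")
    attacker = bytes.fromhex("020000000001")   # made up, locally administered
    req = build_arp(requester, BROADCAST, ARP_REQUEST, requester, "192.168.1.105", ZERO_MAC, "192.168.1.1")
    rep = build_arp(gateway, requester, ARP_REPLY, gateway, "192.168.1.1", requester, "192.168.1.105")
    forged = build_arp(attacker, requester, ARP_REPLY, attacker, "192.168.1.1", requester, "192.168.1.105")
    print("opcode bytes at offset", ARP_OPCODE_OFFSET, "=", req[ARP_OPCODE_OFFSET:ARP_OPCODE_OFFSET + 2].hex())
    mon = ArpMonitor()
    for f in (req, rep, forged):
        print("opcode", parse_arp(f)["opcode"], "alerts:", mon.observe(f))
```

A real host’s cache does what the last line of observe() does: it overwrites the binding with whatever the latest ARP message says, which is exactly why a forged reply (or a mistyped arp -s entry) redirects traffic. Tools such as arpwatch apply the same “binding changed” and “unsolicited reply” checks to live traffic; the pending-request check here is deliberately strict, so a second legitimate reply to one request is also reported.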
EX-2. What is the default amount of time that an entry remains in your ARP
cache before being removed. You can determine this empirically (by monitoring
the cache contents) or by looking this up in your operation system
documentation. Indicate how/where you determined this value.
By default, in Windows Server 2003 and Windows XP, a dynamic entry stays in
the ARP cache for 2 minutes. If the entry is used within those 2 minutes, its
lifetime is extended by another 2 minutes, and so on, up to a maximum of 10
minutes; once an entry has been in the cache for 10 minutes it is removed
regardless. These values are the documented defaults of the ArpCacheLife and
ArpCacheMinReferencedLife settings under the TCP/IP parameters key in the
registry, and can be confirmed by running arp -a repeatedly and noting when
an unused entry disappears.

