IP and TCP Protocol Analysis with WireShark

Learning Objectives

At completion of this lab, you will be able to:
1. Understand the IP protocol, IP fragmentation and re-assembly
2. Understand TCP 3-way handshake for connection setup and termination, as well as data exchange
3. Understand ICMP protocol and how the ping program works
4. Understand how tracert (traceroute) program works

Report and Feedback on this lab

This lab should be done individually. If you do not want to capture the live packets in this lab, you can download my data files for analysis (lab4.zip). Answer all questions with supporting screenshots. Please also fill in the following feedback form and append it to the report. Your feedback is valuable to us so that we can improve this lab, and make the lab better.

For each task, please rate the following in the scale of 1 through 5:
The degree of difficulty: 1 = too easy; 5 = too difficult
The learning experience: 1 = learned nothing; 5 = learned a lot
Your interest: 1 = no interest; 5 = high interest
Time used for the task: in minutes

| Task | Difficulty (1-5) | Learning (1-5) | Interest (1-5) | Time (min) |
|---|---|---|---|---|
| Background | | | | |
| Task 1 | | | | |
| Task 2 | | | | |
| Task 3 | | | | |

Your suggestion/comment:

Background

You need to read and answer the questions in this background part before the lab.
Read Lectures on IP and ICMP protocols.
Read Lectures on TCP protocol.

Question 1: In IP header, there is a field called “protocol (type)”. What is it used for?
It is used to standardize the data transmission method so that different computers can communicate with each other.

Question 2: How is an ICMP message transported (encapsulation)?
ICMP messages are encapsulated in IP datagrams.

Question 3: Which ICMP messages are used to implement the Ping program?
Echo request and echo response. Ping uses type 8 requests and type 0 replies.

Question 4: Use a figure to show the 3-way handshake to establish a connection in the TCP protocol.
First handshake: host A sends the server a packet with the flag SYN=1 and a randomly generated seq number=1234567; from SYN=1, host B knows that A is asking to establish a connection.
Second handshake: after receiving the request, host B has to confirm the connection information, and sends A a packet with ack number=(host A's seq+1), syn=1, ack=1 and a randomly generated seq=7654321.
Third handshake: after receiving it, host A checks whether the ack number is correct, i.e. the seq number it first sent +1, and whether the ack flag is 1. If so, host A sends ack number=(host B's seq+1), ack=1; after receiving it, host B confirms the seq value and ack=1, and the connection is established.
With the three-way handshake complete, host A and host B begin transferring data.

Traceroute (tracert) is an important and useful utility tool for network testing and debugging. Read more on it and learn how to use it: MS Windows tracert command, /resources/documentation/windows/xp/all/proddocs/en-us/tracert.mspx?mfr=true

Task 1 Study Windows tracert program and how to find a route

In MS Windows, tracert can be used to find a route from the source host, via routers, to the destination host. This task is about how tracert works and what we can use it for. Follow the steps to start up the programs and capture the packets.

(1) Start up a command window
Click Start on the left corner of your desktop, and choose Run. Then type cmd to start up a DOS command window. In this window, you can also type the command tracert /? to learn more about the command, or read more via the link above.

(2) Start up the WireShark program
Start up Wireshark and begin packet capture.

(3) Run the tracert program
Type the following command to find a route : tracert

(4) Stop the WireShark capturing
When tracert ends, stop the capturing, and save the data to a file (you can open the file to analyze the packets later).

(5) Copy the output of tracert to the lab report file. By analyzing the output, we can learn a route from the source to the destination, and the response time between the source and the intermediate routers.

Question 5: How many routers are on the route from your computer to ? What are their IP addresses?
1、542、503、54、335、496、97、88、7

Question 6: Based on the output from the tracert, draw the map of the networks. Show the IP addresses for the source computer, destination computer, and routers.

Now look at the captured data.
Source: 7
Destination: 7
Routers: 1、542、503、54、335、496、97、88、7

(6) Analyze the first ICMP message
Since tracert uses ICMP messages to trace the route to the destination computer, you can use “icmp and ip.addr==192.168.x.x” as the display filter in WireShark to only display ICMP messages, where 192.168.x.x should be your computer IP address. Then select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol and ICMP headers of the packet in the packet details window (as I did below; to view better, you can use zooming).

Question 7: What is the value in the protocol type field of IP packet? Why is it this value? What is the type value in ICMP header? What does it mean? How many bytes are there in the IP header? How many bytes are there in the payload of the IP packet? Explain how you determined the number of payload bytes.
The protocol type of the IP packet is ICMP. The value in the protocol type field of IP packet is ICMP (1). The type value in ICMP header is 1. It means that the host cannot be reached.
Header length: 20 bytes. Payload length: 64 bytes.

Question 8: Has this IP packet been fragmented? Explain how you determined whether or not the packet has been fragmented. What is the Identification for this IP packet?
The total length of the IP packet is 92 bytes and the payload length is 64 bytes, so it has not been split into fragments.
Identification: 0x66f1 (26353)

Question 9: What is the TTL value for this IP packet? Why is this value set?
Time to live is 3. This number can be regarded as the packet's number in the network system; the TTL level decreases as the transmission distance increases, and after passing through 3 routers the data is discarded.

(7) Select the first ICMP Time exceeded message, and expand the IP protocol header (as I did below)

Question 10: What is the source IP address of this IP packet? And what is the destination IP address of this packet? What is the value in the protocol type field (in IP header)?
Source IP address: 7
Destination IP address: 7
Protocol type: ICMP

Question 11: What is the ICMP message type carried in the packet?
What is the sender of this message?
Type 8. 7 (Baidu server)

(8) Read some other captured packets, and answer the questions:

Question 12: What are the values in the Identification field and the TTL field in the ICMP Echo request messages? Why are TTL values set like this?
TTL: 64. The original TTL value is determined by our own operating system.

Task 2 IP fragmentation

This task is to learn how IP fragmentation and re-assembly work.

(9) Start the WireShark packet capturing

(10) In the command window run the command ping to check if is alive, sending the ICMP message of size 128 bytes (using length option -l 128):
ping -l 128
You will get the output as follows:

(11) Stop the packet capturing and save the data to a file (my file is ping128.pcap)

Now read the captured packets and do the analysis:

(12) First, use the filter “icmp” to display only ICMP messages, as follows:

Question 13: Calculate the round trip delays for 4 ICMP Echo request and Echo reply messages, and find the minimum, maximum, and average delays. Compare them with the values given in the output of the ping program.
Difference of 7 ms; difference of 5 ms; difference of 16 ms; difference of 7 ms. After comparison, they are readily seen to be the same.

Question 14: What is the value in the Identification field of frame 74? Why is the length 170 bytes?
1360/8=170

Next we analyze the fragmentation.

(13) Start the WireShark packet capturing

(14) In the command window run the command ping to check if 01 is alive, sending the ICMP message of size 3000 bytes (using length option -l 3000):
ping 01 -l 3000
You will get the output as follows:

(15) In the first captured ICMP Echo request message packet, expand the IP protocol header, and you will find IP Fragments as I showed below. This ICMP Echo request message was carried in 3 IP packets (fragments). These fragments are found in packet numbers 71, 72 and 73, in my example.

Question 15: What is the value in the Identification field? On the line IP Fragments (3008 bytes): why is the payload data 3008 bytes?

Now analyze these fragments.
Remove the display filter, and locate the packet numbers.

Question 16: Fill in the following table based on IP headers in these fragments:

| Packet number | IP Identification | More fragment bit | Fragment offset in bytes | Fragment offset in 8-bytes | Head length | Total length |
|---|---|---|---|---|---|---|
| 129791 | 0x1454 | Not set | 2960 | 370 | 20 | 68 |
| 129898 | 0x145f | Not set | 2960 | 370 | 20 | 68 |
| 129998 | 0x1465 | Not set | 2960 | 370 | 20 | 68 |

Question 17: How do you know if an IP fragment is the first fragment, and an IP fragment is the last fragment?
If the value of Fragment offset is 0 and more fragment is set to 1, it means that this IP fragment is the first fragment. If more fragment is set to 0, it means that this IP fragment is the last fragment.

Task 3 TCP operations

In this task, you will capture packets from an HTTP application. Follow the steps to capture packets.

(16) Terminate your web browser program.

(17) Start the WireShark to capture the packets.

(18) Fill in the address and click the link to view some pages.

(19) End the packet capturing, and save the data to a file (my file is hdu1.pcap).

(20) Use “http and ip.addr==2” as the filter to only display the HTTP data unit.

Question 18: What is the IP address for your computer, and what is the IP address for ?
My computer's IP: 06
HDU IP: 3

Next, you only need to read and analyze the data communications between your computer and .

(19) 3-way handshake to set up a TCP connection.
Use “tcp and ip.addr==2” as the display filter (as shown below), and find the 3 TCP segments that perform the connection set up.

Question 19: What are port numbers for and your web browser applications?

Question 20: What are the 3 packet numbers for connection setup?
1. The client sends the server a connection request: it contains ACK=0, SYN=1, and the sequence number is the client's current sequence number;
2. The server accepts the request and returns an acknowledgment: it contains ACK=1, SYN=1, the sequence number is the server's current sequence number, and the acknowledgment number is the sequence number from the client +1;
3. The client receives the acknowledgment and again returns a packet containing ACK=1, SYN=0; the sequence number is the previous sequence number plus 1, and the acknowledgment number is the sequence number sent by the server +1.

Question 21: What is the sequence number of the TCP SYN segment that is sent from the client computer?
What are the sequence number and acknowledgment number of the TCP SYN segment that is sent from the server? What are the window sizes on both sides?
The sequence number of the TCP SYN segment that is sent from the client computer: 1206
The sequence number and acknowledgment number of the TCP SYN segment that is sent from the server: 7840
The window size on the client side is 63397; the window size on the server side is 65535.

Question 22: What is the sequence number of the TCP segment that contains the first HTTP GET command to download the small home page ? And what are the sequence number and the acknowledgment number of the TCP segment that positively acknowledges the segment?
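
The fragmentation that Task 2 observes, as an added example (not part of the original lab handout or report): it splits the echo request of ping -l 3000 the way a sender would, reads back the fields that Question 16's table asks for, and reassembles the fragments. The 1500-byte MTU is an assumption; the addresses, the Identification 0x1234 and all function names are constructed for illustration.

```python
import struct

IP_HDR_LEN = 20   # IPv4 header without options, as in the lab's captures
MTU = 1500        # assumption: Ethernet MTU on the sending host

def build_fragment(ident, offset, more, chunk):
    """Pack a minimal IPv4 header (checksum left 0) in front of chunk."""
    flags_off = (0x2000 if more else 0) | (offset // 8)   # MF bit + offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(chunk), ident,
                      flags_off, 64, 1, 0,                 # TTL 64, protocol 1 = ICMP
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # constructed addresses
    return hdr + chunk

def fragment(ident, payload, mtu=MTU):
    """Split payload so every non-final fragment carries a multiple of 8 bytes."""
    step = (mtu - IP_HDR_LEN) // 8 * 8
    return [build_fragment(ident, off, off + step < len(payload), payload[off:off + step])
            for off in range(0, len(payload), step)]

def parse(packet):
    """Read the header fields that Question 16's table asks for."""
    ver_ihl, _tos, total, ident, flags_off = struct.unpack("!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "mf": bool(flags_off & 0x2000), "offset": (flags_off & 0x1FFF) * 8,
            "ihl": ihl, "total": total, "data": packet[ihl:total]}

def table(packets):
    """One row per fragment: (offset bytes, offset in 8-byte units, MF, header len, total len)."""
    return [(f["offset"], f["offset"] // 8, f["mf"], f["ihl"], f["total"])
            for f in map(parse, packets)]

def reassemble(packets):
    """Rebuild the payload from fragments in any order; None if it cannot be completed."""
    frags = sorted(map(parse, packets), key=lambda f: f["offset"])
    if not frags or len({f["id"] for f in frags}) != 1 or frags[-1]["mf"]:
        return None                      # mixed datagrams, or last fragment missing
    buf = b""
    for f in frags:
        if f["offset"] != len(buf):      # hole or overlap: refuse rather than guess
            return None
        buf += f["data"]
    return buf

# Constructed sample: 8-byte ICMP echo header + the 3000 data bytes of "ping -l 3000".
ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + bytes(3000)
FRAGS = fragment(0x1234, ECHO)

if __name__ == "__main__":
    print(*table(FRAGS), sep="\n")
```

The last row it prints has offset 2960 (370 in 8-byte units), header length 20 and total length 68, the same values that appear in the report's table for the final fragment.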
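
The connection setup described under Question 4 and searched for in Task 3 (Questions 20 and 21), as an added example that is not part of the original lab handout or report: it parses raw TCP headers and returns the three segments whose flags, ports, sequence and acknowledgment numbers form a complete 3-way handshake. The capture is constructed; ports 50000 and 50001 are made up, and the function names are hypothetical.

```python
import struct

SYN, ACK = 0x02, 0x10

def make_segment(sport, dport, seq, ack, flags, window):
    """Pack a 20-byte TCP header (checksum left 0) for the constructed capture."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)

def parse_tcp(segment):
    """Read the fields Questions 19-21 ask about from a raw TCP header."""
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    return {"src": sport, "dst": dport, "seq": seq, "ack": ack,
            "kind": off_flags & (SYN | ACK), "window": window}

def find_handshake(segments):
    """Return the indices (SYN, SYN+ACK, ACK) of the first complete handshake, or None.

    Assumes every segment is between the same two hosts, as after the lab's
    ip.addr display filter, so only the ports are compared.
    """
    segs = [parse_tcp(s) for s in segments]
    for i, a in enumerate(segs):
        if a["kind"] != SYN:                      # the first segment carries SYN without ACK
            continue
        for j in range(i + 1, len(segs)):
            b = segs[j]
            if not (b["kind"] == (SYN | ACK) and (b["src"], b["dst"]) == (a["dst"], a["src"])
                    and b["ack"] == (a["seq"] + 1) % 2**32):
                continue
            for k in range(j + 1, len(segs)):
                c = segs[k]
                if (c["kind"] == ACK and (c["src"], c["dst"]) == (a["src"], a["dst"])
                        and c["seq"] == b["ack"] and c["ack"] == (b["seq"] + 1) % 2**32):
                    return i, j, k
    return None

# Constructed capture. The sequence numbers 1234567 / 7654321 and the window sizes
# 63397 / 65535 reuse values written in the report; everything else is made up.
CAPTURE = [
    make_segment(50001, 80, 999, 0, SYN, 63397),                   # SYN that is never answered
    make_segment(50000, 80, 1234567, 0, SYN, 63397),               # client SYN
    make_segment(80, 50000, 7654321, 1234568, SYN | ACK, 65535),   # server SYN+ACK
    make_segment(50000, 80, 1234568, 7654322, ACK, 63397),         # client ACK
]

if __name__ == "__main__":
    print(find_handshake(CAPTURE))
```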
