CIS-2151 Lab Assignment #2: IPv4

Reading: Section 2.3 in the text shows the IPv4 header (and also the header formats for IPv6, TCP, and UDP, which we will study later). You should also start reading Chapter 14 ("The Internet Protocol"), especially section 14.3, which details the IP header fields.

The purpose of this lab assignment is to explore the IP protocol using tshark.

There is a server program running on Lemuria that provides the "daytime" service (see RFC-867). The server is listening on port 9001. To see what it does, try running the daytime client that is also installed on Lemuria using a command such as:

      $ dtclient 127.0.0.1 9001

This causes the client to connect to the server using the special "loopback" IP address of 127.0.0.1, and port 9001. The server sends the date and time to the client which displays that information.

There is a script running on node4 of the cluster (IP address 10.0.0.4) that queries the daytime server every 15 seconds. Eight IP packets are exchanged with each query: 3 to form the TCP connection, 1 to hold the actual data, and 4 more to close the TCP connection.

Proceed as follows:

  1. Run tshark on the em2 interface (that connects to the cluster) and capture frames going to/from port 9001. Save the frames in a capture file. See my TShark Quick Start for more information on how to run tshark. You only need to capture 8 frames, or one entire query between the client and server.

  2. Display the raw data for only frame #1 using tshark's -x option. The Ethernet frame header is the first 14 bytes, which we will ignore for now. The IP header starts with the 15th byte. Copy the entire tshark output into your report for this lab.

  3. Manually decode the IP header by expanding the hex values into binary (when necessary) and comparing the result to the definition of the IP header in RFC-791, Section 3.1. What is the value of each field? What is its meaning? Don't worry too much about the value stored in the "Type of Service" field; it is being used differently today than as described in RFC-791. However, check the "Header Checksum" field by computing the checksum yourself (see this Wikipedia article for the details) and see if it agrees with what is in that field.

  4. Use tshark's -V option to check your work above. Copy tshark's "dissected" output into your report for just the IP header.

  5. Frame #4 contains the actual data sent from the server to the client. Use tshark's -V option to dissect that frame. Verify that the IP packet it contains is going in the expected direction (from server to client). How can you tell? Check the data inside the contained TCP segment. The data is at the end of the display. Does it look correct? What is it?

  6. OPTIONAL: Connect to Lemuria a second time. In one session issue the following command to capture all ICMP traffic on Lemuria's main local area network (LAN) interface:

            $ tshark -i em1 -f 'icmp' -w saved-trace.pcap

    In a second session issue the following command to trace the route to a Google web server:

            $ traceroute www.google.com

    Note that hops 11 and 12 tend to time out. However, more distant hops will respond. Let the trace complete and then stop the capture.

    You will likely capture ICMP traffic unrelated to your trace. You can use a display filter to remove that extraneous traffic. Use a command such as:

            $ tshark -r saved-trace.pcap -V -Y 'icmp.type == 11 && icmp.code == 0' > results.txt

    This command selects only ICMP messages of type 11 ("time to live exceeded") and code 0 ("time to live exceeded in transit"). There is still quite a bit of data, so the output is redirected to the file results.txt. You can bring that file into nano to inspect it. What you are seeing are all the packets returned by intermediate routers during the trace. Note that there are three packets from each router because traceroute makes three attempts at each hop level. The returned ICMP packets contain the IP packet that expired, so you can see the attempt to reach the final destination and the attempted time to live.
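As a way to check the hand decoding and checksum arithmetic of step 3, here is an added Python example (not part of the assignment) that reads a constructed `tshark -x` dump, skips the 14-byte Ethernet header, splits the IPv4 header into its RFC 791 fields and recomputes the header checksum by the one's complement method. The MAC addresses and the server address 10.0.0.1 in the sample are made up; only 10.0.0.4 (node4) comes from the lab description.

```python
import re
import struct

# Constructed `tshark -x` dump (not from a real capture): 14-byte Ethernet
# header, then the 20-byte IPv4 header of a TCP SYN from node4 (10.0.0.4) to
# a made-up server address 10.0.0.1. Truncated after the IP header.
SAMPLE = """\
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  00 3c 1c 46 40 00 40 06 0a 72 0a 00 00 04 0a 00   .<.F@.@..r......
0020  00 01                                             ..
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
ETHERNET_HEADER_LEN = 14          # IP header begins at the 15th byte

def parse_hexdump(text):
    """Collect bytes from `tshark -x` lines (offset, hex bytes, ASCII column)."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:17]:     # skip offset; at most 16 bytes/line
            if not HEX_BYTE.match(tok):    # reached the ASCII column
                break
            out.append(int(tok, 16))
    return bytes(out)

def ipv4_checksum(header):
    """RFC 791: one's complement of the one's complement sum of the header's
    16-bit words, with the checksum field itself counted as zero."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words) - words[5]             # word 5 is the stored checksum
    while total >> 16:                        # fold end-around carries
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ipv4(header):
    """Split the fixed part of an IPv4 header into its RFC 791 fields."""
    (vihl, tos, length, ident, ff, ttl, proto, cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    ihl = (vihl & 0x0F) * 4                   # IHL counts 32-bit words
    return {"version": vihl >> 4, "ihl_bytes": ihl, "tos": tos,
            "total_length": length, "identification": ident,
            "flags": ff >> 13, "fragment_offset": ff & 0x1FFF,  # flags 2 = DF
            "ttl": ttl, "protocol": proto,                       # 6 = TCP
            "header_checksum": cksum,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "checksum_ok": ipv4_checksum(header[:ihl]) == cksum}

if __name__ == "__main__":
    print(decode_ipv4(parse_hexdump(SAMPLE)[ETHERNET_HEADER_LEN:]))
```

Paste your own frame #1 dump in place of `SAMPLE` and compare the printed fields and `checksum_ok` against your manual decoding.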

Submit a document to Canvas (PDF preferred, but Word, text, or ODF are all acceptable) containing your answers to the questions above. Also include the full tshark commands you used. Be sure to include your name in the file. This lab is worth 20 points.


Last Revised: 2023-01-26
© Copyright 2023 by Peter C. Chapin <pchapin@vtc.edu>