CIS-2151 Lab Assignment #4: ICMP & ARP

Reading: Section 2.3 in the text shows the IPv4 header (and also the header format for IPv6, TCP, and UDP which we will study later). You should also start reading in Chapter 14 ("The Internet Protocol"), especially section 14.3 that details the IP header fields.

The purpose of this lab assignment is to continue exploring the use of tshark, to experiment with ICMP, and to observe the ARP protocol. In last week's lab you observed some ICMPv6 traffic related to ping, specifically the Echo Request and Echo Reply messages. This lab starts with a similar experiment, except using "regular" ICMP (not the v6 variety). This will illustrate some similarities and some differences between the two flavors of ICMP.

  1. Start by using ping to send ICMP messages to the router on Lemuria's subnetwork at 155.42.107.1. Use a command such as:

            $ ping 155.42.107.1
          

    Use ^C (Ctrl+C) to stop ping. Take note of the sequence numbers, time to live, and round trip times reported by ping. You only need to note a couple of lines.

  2. Rerun the experiment above, while using tshark in a separate session to capture all ICMP traffic. For example:

            $ tshark -i em1 -f 'icmp' -w lab04-icmp.pcap
          

    Decode your capture using a display filter that only shows ICMP traffic that has the router address (155.42.107.1) as either a source or a destination. Redirect the output of this command to a file for later study. For example:

            $ tshark -r lab04-icmp.pcap -V -Y 'ip.addr == 155.42.107.1' > results.txt
          

    When you examine results.txt (e.g., in nano) you should see multiple echo request/reply pairs. Notice the sequence numbers used (the "BE" version). Consider the following questions:

  3. Do a traceroute on www.google.com and copy the output to your report for this lab. Try pinging a few of the router addresses individually (you don't need to capture anything). What do you get for round trip times? Addresses starting with 10.0.0.0/8 are private-use addresses, yet they exist on the route to Google. What do you think is going on there? Can you ping them? Consider: The cluster network is 10.0.0.0/24. Thus, Lemuria thinks any packet for that network should be transmitted on interface em2, not em1. What happens to the echo request messages sent to the private-use addresses on the way to Google?

    NOTE: This section does not work as intended. Skip for now! Run the traceroute again, except this time capture the ICMP traffic. The first frame should contain an ICMP echo request message being sent to Google, but with an unusual TTL. The first reply should come from the router at 155.42.107.1. What is that reply?

  4. Try to ping the address 155.42.107.50. This address is not in use on the 155.42.107.0/24 network. When you do this use tshark to capture Address Resolution Protocol (ARP) traffic. Use a capture filter of -f 'arp'. This protocol is used by a host when trying to find the MAC address associated with a particular IP address. Essentially the host asks "Who has such-and-such an IP address?" The machine that has that address replies with its MAC address. The sending host can then use that MAC address to create a frame for the intended destination.

    What do you see in the decoded output of your capture? Notice that ARP, although a layer 3 protocol, is not based on IP (there is no "Internet Protocol" decoded header).

  5. The results of ARP are cached in what is called the "arp cache" so that a future request for a MAC address associated with a particular IP address can be satisfied immediately without using ARP again. Use the following command to inspect the arp cache on Lemuria:

            $ arp
          

    The table displayed by arp uses "HWaddress" (hardware address) instead of MAC address, but they are the same thing. Copy the table to your report.
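
The ARP exchange described in steps 4 and 5, decoded by hand. This is an added example and not part of the original lab: the host address 155.42.107.20, both MAC addresses, and all function names are made up for illustration, and the cache is simplified to record replies only.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806            # IPv4 frames carry 0x0800 instead
ARP_FMT = "!HHBBH6s4s6s4s"        # 28-byte ARP body for Ethernet + IPv4
BROADCAST = b"\xff" * 6

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, oper, sha, spa, tha, tpa):
    """Build a sample Ethernet+ARP frame (only used for the constructed input)."""
    eth = struct.pack("!6s6sH", dst, src, ETHERTYPE_ARP)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha,
                             socket.inet_aton(spa), tha, socket.inet_aton(tpa))

def parse_arp(frame):
    """Return the ARP fields as a dict, or None if the frame is not ARP for IPv4."""
    if len(frame) < 42:           # 14-byte Ethernet header + 28-byte ARP body
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None               # e.g. an IP frame: ARP never sits inside IP
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sender_mac": mac(sha),
            "sender_ip": socket.inet_ntoa(spa), "target_ip": socket.inet_ntoa(tpa)}

def describe(arp):
    if arp["oper"] == 1:          # 1 = request, 2 = reply
        return f"Who has {arp['target_ip']}? Tell {arp['sender_ip']}"
    return f"{arp['sender_ip']} is at {arp['sender_mac']}"

def cache_from(frames):
    """Simplified ARP cache: sender IP -> MAC, learned from replies only."""
    replies = [a for a in map(parse_arp, frames) if a and a["oper"] == 2]
    return {a["sender_ip"]: a["sender_mac"] for a in replies}

# Constructed sample frames: host and router MACs and the host IP are made up.
HOST, ROUTER = bytes.fromhex("020000000020"), bytes.fromhex("020000000001")
FRAMES = [
    build_frame(BROADCAST, HOST, 1, HOST, "155.42.107.20", bytes(6), "155.42.107.50"),
    build_frame(BROADCAST, HOST, 1, HOST, "155.42.107.20", bytes(6), "155.42.107.1"),
    build_frame(HOST, ROUTER, 2, ROUTER, "155.42.107.1", HOST, "155.42.107.20"),
]

if __name__ == "__main__":
    for f in FRAMES:
        print(describe(parse_arp(f)))
    print(cache_from(FRAMES))
```

The request for 155.42.107.50 has no matching reply in the sample, so that address never appears in the resulting cache.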

Submit a document to Canvas (PDF preferred, but Word, text, or ODF are all acceptable) containing your answers to the questions above. Be sure to include your name in the file. This lab is worth 20 points.


Last Revised: 2023-02-09
© Copyright 2023 by Peter C. Chapin <pchapin@vtc.edu>