Wireshark lab: ethernet and arp

Wireshark Lab: Ethernet and ARP

Version: 2.0 © 2009 J.F. Kurose, K.W. Ross. All Rights Reserved

Computer Networking: A Topth down Approach, 5 edition.

In this lab, we’ll investigate the Ethernet protocol and the ARP protocol. Before beginning this lab, you’ll probably want to review sections 5.5 (Ethernet), 5.4.1 (linklayer addressing) and 5.4.2 (ARP) in the text. RFC 826(ftp://ftp.rfc-editor.org/innotes/std/std37.txt) contains the gory details of the ARP protocol, which is used by an IP device to determine the IP address of a remote interface whose Ethernet address is known.

1. Capturing and analyzing Ethernet frames
Let’s begin by capturing a set of Ethernet frames to study. Do the following1:  First, make sure your browser’s cache is empty. To do this under MozillaFirefox V3, select Tools->Clear Private Data and check the box for Cache. For Internet Explorer, select Tools->Internet Options->Delete Files. Start up the Wireshark packet sniffer Enter the following URL into your browser http://gaia.cs.umass.edu/wireshark-labs/HTTP-ethereal-lab-file3.html Your browser should display the rather lengthy US Bill of Rights.



If you are unable to run Wireshark liveon a computer, you can download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ethernet--ethereal-trace-1. The traces in this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the traceusing the File pull down menu, choosing Open, and then selecting the ethernet-ethereal-trace-1 trace file. You can then use this trace file to answer the questions below.

1



Stop Wireshark packet capture. First, find the packet numbers (the leftmost column in the upper Wireshark window) of the HTTP GET message that was sent from your computer to gaia.cs.umass.edu, as well as thebeginning of the HTTP response message sent to your computer by gaia.cs.umass.edu. You should see a screen that looks something like this (where packet 4 in the screen shot below contains the HTTP GET message)



Since this lab is about Ethernet and ARP, we’re not interested in IP or higherlayer protocols. So let’s change Wireshark’s “listing of captured packets” window so that it shows informationonly about protocols below IP. To have Wireshark do this, select Analyze->Enabled Protocols. Then uncheck the IP box and select OK. You should now see an Wireshark window that looks like:

In order to answer the following questions, you’ll need to look into the packet details and packet contents windows (the middle and lower display windows in Wireshark). Select the Ethernet frame containing theHTTP GET message. (Recall that the HTTP GET message is carried inside of a TCP segment, which is carried inside of an IP datagram, which is carried inside of an Ethernet frame; reread section 1.5.2 in the text if you find this nesting a bit confusing). Expand the Ethernet II information in the packet details window. Note that the contents of the Ethernet frame (header as well as payload) aredisplayed in the packet contents window.

Answer the following questions, based on the contents of the Ethernet frame containing the HTTP GET message. Whenever possible, when answering a question you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout to explain your answer. To print a packet, use File->Print, choose Selectedpacket only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question. 1. What is the 48-bit Ethernet address of your computer? 2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? [Note: this is an...