Ethernet_ARP1. Capturing and analyzing Ethernet frames: Answer the following questions, based on the contents of the Ethernet frame containing the HTTP GET message. 1. What is the 48-bit Ethernet address of your computer? Ans: 48-bit Ethernet address is 00:d0:59:a9:3d:68 2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? Ans: 48-bit Ethernet address is 00:06:25:da:af:73 .No it is not the Ethernet address of gaia.cs.umass.edu .It is the address of the Linksys router that my computer has to go through (i.e. subnet) in order to reach the destination. 3. Give the hexadecimal value for the two-byte Frame type field. What upper layer Protocol does this correspond to? Ans: Hexadecimal value for the two-byte Frame type field is 0x0800. Upper layer protocol corresponds to IP (Internet Protocol) There are 14B Ethernet frame. . answer the following questions. and then 20 bytes of IP header followed by 20 bytes of TCP header before the HTTP data is encountered. How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET” appear in the Ethernet frame? Ans: The ASCII “G” in “GET” appears 52 bytes from the start of the Ethernet frame. Next. based on the contents of the Ethernet frame containing the first byte of the HTTP response message.4. umass.edu. What device has this as its Ethernet address? Ans: Value of the Ethernet source address is 00:06:25:da:af:73. It is address of the Linksys router.cs. No it is neither the address of my computer nor of gaia.umass.edu (Hint: the answer is no). What is the value of the Ethernet source address? Is this the address of your computer. or of gaia. .cs.5. which is the link used to get onto my subnet. Give the hexadecimal value for the two-byte Frame type field.e. 8.6. . What upper layer protocol does this correspond to? Ans: The hexadecimal value for the two-byte Frame type field 0x0800. 7. which is the Ethernet address of my computer.. the HTTP response code) appear in the Ethernet frame? Ans: ASCII “O” in “OK” appears 4867 bytes from the start of Ethernet frame. The upper layer protocol is IP (Internet Protocol). How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer? Ans: Destination address in the Ethernet frame is 00:d0:59:a9:3d:68. . and type indicates the protocol type. The Address Resolution Protocol: The Windows “arp” command with no arguments will display the contents of the ARP cache on your computer. What is the meaning of each column value? Ans: The Internet Address column contains the IP address.2. Write down the contents of your computer’s ARP cache. Run the “arp” command. 9. Physical Address column contains the MAC address. . The upper layer protocol corresponds to ARP (Address Resolution Protocol).abdn.broadcast address.10.txt. Download the ARP specification from ftp://ftp.uk/users/gorry/course/inet-pages/arp. 11. . detailed discussion of ARP is also at http://www.org/in-notes/std/std37. 12. A readable.rfc-editor. a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? Ans: ARP opcode field begins 20 bytes from the very beginning of the Ethernet Frame.erg. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message? Ans: Hexadecimal values for the source is 00:d0:59:a9:3d:68 and that of the destination address is ff:ff:ff:ff:ff . What upper layer protocol does this correspond to? Ans: The hexadecimal value for the two-byte Ethernet Frame type field is 0x0806.html. Give the hexadecimal value for the two-byte Ethernet Frame type field.ac. 13.168. Now find the ARP reply that was sent in response to the ARP request.168.1. .1) is being queried.1.105 d) Where in the ARP request does the “question” appear – the Ethernet address of the machine whose corresponding IP address is being queried? Ans: The field “Target MAC address” is set to 00:00:00:00:00:00 to question the machine whose corresponding IP address (192.b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made? Ans: The hexadecimal value of the opcode field within the ARP –payload of the request is Opcode: request (1) c) Does the ARP message contain the IP address of the sender? Ans: Yes the ARP contains the IP address of the sender 192. 1 .168.1.a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? Ans: The ARP opcode fields begins 20 bytes from the very beginning of the Ethernet frame b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP response is made? Ans: The value of opcode within the ARP payload of the Ethernet frame is Opcode: reply (2) c) Where in the ARP message does the “answer” to the earlier ARP request appear – the IP address of the machine having the Ethernet address whose corresponding IP address is being queried? Ans: The answer to the earlier ARP request appears in the “Sender MAC address” field which contains the Ethernet address 00:06:25:da:af:73 for the sender with the IP address 192. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message? Ans: The hexadecimal values for the source address 00:06:25:da:af:73 and for the destination is 00:d0:59:a9:3d:68 15. Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs. but the ARP reply is sent back directly to the sender’s Ethernet address.14. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace? Ans: No reply in this trace. The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark. since we are not at the machine that sent the request. But there is yet another computer on this network. as indicated by packet 6 – another ARP request. The ARP request is the broadcast.umass.zip.edu/wireshark-labs/wireshark-traces. and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. . but the wrong Ethernet address for that remote interface? Ans: It shows the message stating that “The ARP entry addition failed: The requested operation requires elevation”. . you entered the correct IP address.Extra Credit: EX-1. when you manually added an entry. What would happen if.The arp command: arp -s InetAddr EtherAddr allows you to manually add an entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. e. which will display the IP address and the cache time. Indicate how/where you determined this value. Ans: The default amount of time that the entry remains in my system ARP cache is 0xb i. You can determine this empirically (by monitoring the cache contents) or by looking this up in your operation system documentation. What is the default amount of time that an entry remains in your ARP cache before being removed. 11 seconds. This time can be obtained in the MS-DOS command prompt window by typing “arp –a”.EX-2. physical address and type . and also along with it we find other internet address. when answering a question you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. TCP (Transmission Control Protocol) 1.zip (that is download the trace and open that trace in Wireshark. Whenever possible. choose Selected packet only.edu/wireshark-labs/wireshark-traces. A first look at the captured trace: Answer the following questions. To print a packet. and select the minimum amount of packet detail that you need to answer the question. by opening the Wireshark captured packet file tcpethereal-trace-1 in http://gaia. . Annotate the printout3 to explain your answer. choose Packet summary line.cs. see footnote 2). use File->Print.umass. .cs.edu? On what port number is it sending and receiving TCP segments for this connection? Ans: IP address of the gaia.umass.cs.12 and the port number is 80 on which it sends and receives TCP segments. What is the IP address of gaia. using the “details of the selected packet header window” (refer to Figure 2 in the “Getting Started with Wireshark” Lab if you’re uncertain about the Wireshark windows.1.102 and the port number used by the client computer (source) is 1161 2. Ans: IP address of the source is 192.umass.119. it’s probably easiest to select an HTTP message and explore the details of the TCP packet used to carry this HTTP message.umass.cs.245.168.edu? To answer this question.edu 128.1. What is the IP address and TCP port number used by the client computer (source) that is transferring the file to gaia. 14 and the TCP port number used is 80 .168. answer the following question: 3. What is the IP address and TCP port number used by your client computer (source) to transfer the file to gaia.edu? Ans: The IP address is 192.umass.cs.If you have been able to create your own trace.73. What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection between the client computer and gaia.umass. The value is 0 in this trace.2. TCP Basics: Answer the following questions for the TCP segments: 4. The SYN flag is set to 1 and it indicates that this segment is a SYN segment.cs. .umass.edu.edu? What is it in the segment that identifies the segment as a SYN segment? Ans: Sequence number of the TCP SYN segment is used to initiate the TCP connection between the client computer and gaia.cs. edu determine that value? What is it in the segment that identifies the segment as a SYNACK segment? Ans: Sequence number of the SYNACK segment value is 0 in this trace. the sequence number of the SYN segment initiated by the client computer is 0.e.5. What is the sequence number of the TCP segment containing the HTTP POST command? Note that in order to find the POST command. you’ll need to dig into the packet content field at the bottom of the Wireshark window. The value of the ACK field in SYNACK segment is 1.umass.umass. What is the sequence number of the SYNACK segment sent by gaia. 6.edu to the client computer in reply to the SYN? What is the value of the Acknowledgement field in the SYNACK segment? How did gaia.edu by adding 1 to the initial sequence number of SYN segment from the client computer i.umass.cs.cs. . The value of the ACK field in the SYNACK segment is determined by gaia. The SYN flag and Acknowledgement flag in the segment are set to 1 and they indicate that this segment is a SYNACK segment.cs. looking for a segment with a “POST” within its DATA field. 5. Consider the TCP segment containing the HTTP POST as the first segment in the TCP connection. and then is computed using the EstimatedRTT equation on page 239 for all subsequent segments. .Ans: 4th segment (or packet) is the TCP segment containing the HTTP POST command. Note: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP segments sent. Select a TCP segment in the “listing of captured packets” window that is being sent from the client to the gaia.umass. What are the sequence numbers of the first six segments in the TCP connection (including the segment containing the HTTP POST)? At what time was each segment sent? When was the ACK for each segment received? Given the difference between when each TCP segment was sent. and when its acknowledgement was received.edu server. what is the RTT value for each of the six segments? What is the EstimatedRTT value (see Section 3. page 239 in text) after the receipt of each ACK? Assume that the value of the EstimatedRTT is equal to the measured RTT for the first segment. 7. Then select: Statistics->TCP Stream Graph->Round Trip Time Graph.3.cs. The sequence number of this segment has the value of 1. 7. Segment 1 sequence number: 1 Segment 2 sequence number: 566 Segment 3 sequence number: 2026 Segment 4 sequence number: 3486 Segment 5 sequence number: 4946 Segment 6 sequence number: 6406 . 8.Ans: The HTTP POST segment is considered as the first segment. 10. and 11 in this trace respectively. 4. 6. 9. 5. 14. and 16 in this trace. Segments 1 – 6 are No. 12. The ACKs of segments 1 – 6 are No. 15. 11443 0.0337 EstimatedRTT after the receipt of the ACK of segment 4: EstimatedRTT = 0.267802 RTT (seconds) 0.070059 0.077405 0.13989 = 0. Sent time Segment 1 Segment 2 Segment 3 Segment 4 Segment 5 Segment 6 0.035557 = 0.125 * 0.125 * SampleRTT EstimatedRTT after the receipt of the ACK of segment 1: EstimatedRTT = RTT for Segment 1 = 0.125 * 0.077294 0.053937 0.035557 0.875 * 0.041737 0.0558 EstimatedRTT after the receipt of the ACK of segment 6: EstimatedRTT = 0.02746 0.875 * 0.11443 = 0.125 * 0.217299 0.0725 second .124085 0.18964 EstimatedRTT = 0.0337+ 0.054690 0.13989 0.0285 + 0.0558 + 0.078157 ACK received time 0.0285 EstimatedRTT after the receipt of the ACK of segment 3: EstimatedRTT = 0.18964 = 0.125 * 0.The sending time and the received time of ACKs are tabulated in the following table.054026 0.875 * 0.02746 + 0.026477 0.875 * 0.070059 = 0.0438 + 0.875 * EstimatedRTT + 0.875 * 0.0438 EstimatedRTT after the receipt of the ACK of segment 5: EstimatedRTT = 0.02746 second EstimatedRTT after the receipt of the ACK of segment 2: EstimatedRTT = 0.169118 0.125 * 0. 8. Ans: What is the length of each of the first six TCP segments? Length of the first TCP segment (containing the HTTP POST): 565 bytes Length of each of the other five TCP segments: 1460 bytes (MSS) . What is the minimum amount of available buffer space advertised at the received for the entire trace? Does the lack of receiver buffer space ever throttle the sender? Ans: The minimum amount of available buffer space advertised at the receiver for the entire trace is 5840 bytes. The receiver window will grow steadily until a maximum receiver buffer size 62780 bytes. .9. The sender is never throttled due to lacking of receiver buffer space by inspecting this trace. We can verify this by checking the sequence numbers of the TCP segments in the trace file. the sequence number of this retransmitted segment should be smaller than those of its neighboring segments.168. there are no retransmitted segments in the trace file. .245.1. all sequence numbers from the source (192. If there is a retransmitted segment.12) are increasing monotonically with respect to time.102) to the destination (128. Are there any retransmitted segments in the trace file? What did you check for (in the trace) in order to answer this question? Ans: No.119.10. In the Time-Sequence-Graph (Stevens) of this trace. By inspecting the amount of acknowledged data by each ACK. The total amount data transmitted can be computed by the difference between the sequence number of .2 on page 247 in the text). The average throughput for this TCP connection is computed as the ratio between the total amount data and the total transmission time. What is the throughput (bytes transferred per unit time) for the TCP connection? Explain how you calculated this value. there are cases where the receiver is ACKing every other segment. 12.11. How much data does the receiver typically acknowledge in an ACK? Can you identify cases where the receiver is ACKing every other received segment (see Table 3. Ans: TCP throughput largely depends on the selection of averaging time period. Ans: acknowledged sequence number 566 2026 3486 4946 6406 7866 9013 10473 11933 13393 14853 16313 acknowledged data 566 1460 1460 1460 1460 1460 1147 1460 1460 1460 1460 1460 ACK 1 ACK 2 ACK 3 ACK 4 ACK 5 ACK 6 ACK 7 ACK 8 ACK 9 ACK 10 ACK 11 ACK 12 … The difference between the acknowledged sequence numbers of two consecutive ACKs indicates the data received by the server between these two ACKs. Hence. Therefore.026477 second for No. the total data are 164091 .4294 seconds. 0.4 segment) and the time instant of the last ACK (i. The whole transmission time is the difference of the time instant of the first TCP segment (i.e.222 Kbytes/sec.0. 4 segment) and the acknowledged sequence number of the last ACK (164091 bytes for No. 1 byte for No.. the total transmission time is 5. Therefore.e.. 5.026477 = 5. .e.455830 second for No. 202 segment). 202 segment).1 = 164090 bytes.4294 = 30.455830 .the first TCP segment (i. the throughput for the TCP connection is computed as 164090/5. 3. Ans: .edu/wireshark-labs/wireshark-traces. Can you identify where TCP’s slowstart phase begins and ends.umass. TCP congestion control in action: Answer the following questions for the TCP segments the packet trace tcp-etherealtrace-1 in http://gaia.cs. and where congestion avoidance takes over? Comment on ways in which the measured data differs from the idealized behavior of TCP that we’ve studied in the text.umass.zip 13. Use the Time-Sequence-Graph (Stevens) plotting tool to view the sequence number versus time plot of segments being sent from the client to the gaia.edu server.cs. In the practice. The identification of the TCP slow start phase and congestion avoidance phase depends on the value of the congestion window size of this TCP sender. we can estimate the lower bound of the TCP window size by the amount of outstanding data because the outstanding data is the amount of data without acknowledgement. Before the end of slow start phase. Hence. some of web objects have very small sizes. this upper bound is not quite useful to infer the TCP window size. In the web application. Answer each of two questions above for the trace that you have gathered when you transferred a file from your computer to gaia. when the HTTP POST segment is sent out. We also know that TCP window is constrained by the receiver window size and the receiver buffer can act as the upper bound of the TCP window size.edu Ans: The idealized behavior of the TCP in the text assumes that TCP senders are aggressive in sending. In this trace. we focus on the lower bound of the TCP window size.e. the receiver buffer is not the bottleneck. the value of the congestion window size cannot be obtained directly from the Time-Sequence-Graph (Stevens) graph.. when the TCP sender can send out data. Nevertheless. .TCP Slow Start begins at the start of the connection. the transmission of these small web objects suffers from the unnecessary long delay because of the slow start phase of TCP. 14. i. therefore. TCP behavior also largely depends on the application. However. there are no data available for transmission.umass. .cs. In this example.