BC - MTTMT-đã chuyển đổi

Lab 1: Getting started
1. List 3 different protocols that appear in the protocol column in the unfiltered
packet-listing window in step 7 above.
Answer:
- TCP, UDP, HTTP
1|Page
2. How long did it take from when the HTTP GET message was sent until the HTTP OK
reply was received?
Answer:
- 36.620934 – 36.366112 = 0.254822000s.
3. What is the Internet address of the gaia.cs.umass.edu (also known as

wwwnet.cs.umass.edu)? What is the Internet address of your computer?
Answer:
- The Internet address of the gaia.cs.umass.edu is: 128.119.245.12

- The Internet address of your computer is: 10.10.40.22
4. Print the two HTTP messages displayed in step 9 above. To do so, select Print
from the Wireshark File command menu, and select “Selected Packet Only” and
“Print as displayed” and then click OK.
Answer:
2|Page
- HTTP GET message:
- HTTP RESPONSE message
3|Page
Lab 2: HTTP
1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the
server running?
- HTTP GET message:
- HTTP RESPONSE message:
Answer: Both my browser and server are running HTTP version 1.1.
4|Page
2. What languages (if any) does your browser indicate that it can accept to the
server?
Answer: vi-VN, en-US.
3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?

Answer:
- The Internet address of the gaia.cs.umass.edu is: 128.119.245.12

- The Internet address of my computer is: 10.10.40.22
4. What is the status code returned from the server to your browser?
Answer: - The status code returned was 200 OK.
5|Page
5. When was the HTML file that you are retrieving last modified at the server?
Answer:
- Thu, 19 Nov 2020 06:59:01 GMT.
6. How many bytes of content are being returned to your browser?

Answer:
- 128 bytes.
6|Page
7. By inspecting the raw data in the packet content window, do you see any headers within
the data that are not displayed in the packet-listing window? If so, nameone.
Answer: No, I don’t see it.
8. Inspect the contents of the first HTTP GET request from your browser to the server. Do
you see an “IF-MODIFIED-SINCE” line in the HTTP GET?
Answer: No, I don’t see it.
9. Inspect the contents of the server response. Did the server explicitly return the contents of
the file? How can you tell?
Answer:
- Yes. It’s displayed in “Line-based text data” field in first HTTP RESPONSE
message.
7|Page
10. Now inspect the contents of the second HTTP GET request from your browser to the
server. Do you see an “IF-MODIFIED-SINCE:” line in the HTTP GET? If so, what
information follows the “IF-MODIFIED-SINCE:” header?
Answer:
- Yes. “If-Modified-Since: Thu, 19 Nov 2020 06:59:01 GMT\r\n”.
11. What is the HTTP status code and phrase returned from the server in response tothis
second HTTP GET? Did the server explicitly return the contents of the file? Explain.
Answer:
- Status code: 304
- Response Phrase: Not Modified
- The server did not return the contents of the file because the file was not modified
and it was display from the cache, not reload on the page.
8|Page
12. How many HTTP GET request messages did your browser send? Which packet
number in the trace contains the GET message for the Bill of Rights?
Answer:
- Only 1 HTTP GET request.
- Packet number 8 contains the GET message for the Bill of Rights.
13. Which packet number in the trace contains the status code and phrase associated
with the response to the HTTP GET request?
Answer:
- Packer number 14 contains the status code and phrase associated with the response to the
HTTP GET request
14. What is the status code and phrase associated with the response to the HTTP GET
request?
Answer:
- Status code: 200
- Response Phrase: OK
9|Page
15. How many data-containing TCP segments were needed to carry the single HTTP
response and the text of the Bill of Rights?
Answer:
- 4 data-containing TCP segments were needed to carry the single HTTP response and the
text of the Bill of Rights
16. How many HTTP GET request messages were sent by your browser? To which
Internet addresses were these GET requests sent?
Answer:
- There are 3 HTTP GET request messages. There messages were sent to address:
128.119.245.12
17. Can you tell whether your browser downloaded the two images serially, or
whether they were downloaded from the two web sites in parallel? Explain.
Answer:
- My browser downloaded the two images serially.
18. What is the server’s response (status code and phrase) in response to the initial
HTTP GET message from your browser?
Answer:
- Status code: 401.
- Response Phrase: Unauthorized
10 | P a g e
19. When your browser’s sends the HTTP GET message for the second time, what
new field is included in the HTTP GET message?
Answer:
- The new field that is now included is the authorization field. This is included
because we sent the server a username and password to server.
11 | P a g e
Lab 3: DNS
1. Run nslookup to obtain the IP address of a Web server in Asia. What is the IP address of
that server?
Answer: I performed nslookup for www.rediff.com. Its IP address is 208.184.138.70
2. Run nslookup to determine the authoritative DNS servers for a university in Europe.
Answer: I performed nslookup for a European University in Ioannina Greece. Its IP address
is 128.238.29.22
3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail
servers for Yahoo! mail. What is its IP address?
Answer: the IP address of the mail server(s) is 18.72.0.3
12 | P a g e
4. Locate the DNS query and response messages. Are then sent over UDP or TCP?
Answer: They are sent over UDP
5. What is the destination port for the DNS query message? What is the source port of DNS
response message?
Answer: The destination port for the DNS query is 53 and the source port of the DNS
response is 53.
13 | P a g e
6. To what IP address is the DNS query message sent? Use ipconfig to determine the IP
address of your local DNS server. Are these two IP addresses the same?
Answer: It’s sent to 192.168.1.1, which is the IP address ofone of my local DNS servers.
7. Examine the DNS query message. What “Type” of DNS query is it? Does the query
message contain any “answers”?
Answer: It’s a type A Standard Query and it doesn’t contain any answers.
8. Examine the DNS response message. How many “answers” are provided? What do each of
these answers contain?
Answer: There were 2 answers containing information about the name of the host, the type
ofaddress, class, the TTL, the data length and the IP address.
Answers
www.ietf.org: type A, class IN, addr 209.173.57.180
Name:
www.ietf.org
Type: A (Host
address) Class:
14 | P a g e
IN (0x0001)
Time to live: 30 minutes
Data length: 4
Addr: 209.173.57.180
www.ietf.org: type A, class IN, addr 209.173.53.180
Name:
www.ietf.org
Type: A (Host
address) Class:
IN (0x0001)
Time to live: 30 minutes
Data length: 4
Addr: 209.173.53.180
9. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP
address of the SYN packet correspond to any of the IP addresses provided in the DNS
response message?
Answer: The first SYN packet was sent to 209.173.57.180 which corresponds to the first IP
address provided in the DNS response message.
10. This web page contains images. Before retrieving each image, does your host issue new
DNS queries?
Answer: No
11. What is the destination port for the DNS query message? What is the source port of DNS
response message?
15 | P a g e
Answer: The destination port ofthe DNS query is 53 and the source port of the DNS
response is 53.
12. To what IP address is the DNS query message sent? Is this the IP address of your default
local DNS server?
Answer: It’s sent to 192.168.1.1 which as we can see from the ipconfig –all screenshot, is
the default local DNS server.
Answer: The query is oftype A and it doesn’t contain any answers.
14. Examine the DNS response message. How many “answers” are provided? What do each of
these answers contain?
Answer: The response DNS message contains one answer containing the name ofthe host,
the type ofaddress, the class, and the IP address.
Answers
www.mit.edu: type A, class IN, addr 18.7.22.83
Name: www.mit.edu
Type: A (Host
address) Class:
IN (0x0001)
Time to live: 1 minute
Data length: 4
Addr: 18.7.22.83
15. Provide a screenshot.

Answer:
16 | P a g e
local DNS server?
Answer: It was sent to 128.238.29.22 which is my default DNS server.
Answer: It’s a type NS DNS query that doesn’t contain any answers.
18. Examine the DNS response message. What MIT nameservers does the response message
provide? Does this response message also provide the IP addresses of the MIT namesers?
Answer: The nameservers are bitsy, strawb and w20ns. We can find their IP addresses if
we expand the Additional records field in Wireshark as seen below.
Answers
mit.edu: type NS, class inet, ns bitsy.mit.edu
17 | P a g e
mit.edu: type NS, class inet, ns strawb.mit.edu
mit.edu: type NS, class inet, ns w20ns.mit.edu
Additional records
bitsy.mit.edu: type A, class inet, addr 18.72.0.3
strawb.mit.edu: type A, class inet, addr 18.71.0.151
w20ns.mit.edu: type A, class inet, addr 18.70.0.160
19. Provide a screenshot.

Answer:
local DNS server? If not, what does the IP address correspond to?
Answer: The query is sent to 18.72.0.3 which corresponds to
bitsy.mit.edu.
18 | P a g e
Answer: It’s a standard type A query that doesn’t contain any answers.
22. Examine the DNS response message. How many “answers” are provided? What does each
of these answers contain?
Answer: One answer is provided in the DNS response message. It contains the following:
Answers
www.aiit.or.kr: type A, class inet, addr 222.106.36.102
Name: www.aiit.or.kr
Type: Host address
Class: inet
Time to live: 1 hour
Data length: 4
Addr: 222.106.36.102
Lab 4: TCP
1. What is the IP address and TCP port number used by the client computer (source) that is
transferring the file to gaia.cs.umass.edu? To answer this question, it’s probably easiest to
select an HTTP message and explore the details of the TCP packet used to carry this HTTP
message, using the “details of the selected packetheader window” (refer to Figure 2 in the
“Getting Started with Wireshark” Lab if you’re uncertain about the Wireshark windows.
Answer:
19 | P a g e
- The IP address is 192.168.1.102.
- TCP port number is 1161.
2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending

and receiving TCP segments for this connection?
Answer:
- Depend on the question 1 we have answered and the pictures were showed
above, the IP address of gaia.cs.umass.edu is: 128.119.245.12, the port number
of gaia.cs.umass.edu for sending and receiving TCP segments for this connection
is: 80.
3. If you have been able to create your own trace, answer the following question. What
is the IP address and TCP port number used by your client computer (source) to
transfer the file to gaia.cs.umass.edu?
Answer:
- My IP address source is 192.168.1.9 sending on port 56840.
20 | P a g e
4. What is the sequence number of the TCP SYN segment that is used to initiate the
TCP connection between the client computer and gaia.cs.umass.edu? What is it
in the segment that identifies the segment as a SYN segment?
Answer:
- The sequence number of the TCP SYN segment is: 0.
- The SYN flag is set to 1 and it identifies the segment as a SYN segment.
21 | P a g e
5. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu
to the client computer in reply to the SYN? What is the value of the
ACKnowledgement field in the SYNACK segment? How did gaia.cs.umass.edu
determine that value? What is it in the segment that identifies the segment as a
SYNACK segment?
Answer:
- The sequence number of the SYNACK segment is: 0
- The value of the ACKnowledgement field in the SYNACK segment is: 1
- The value of the ACKnowledgement field in the SYNACK segment is
determined by gaia.cs.umass.edu by adding 1 to the initial sequence number of
SYN segment from the client computer
- The SYN and ACK flags is set to 1 and they identify the segment as a SYNACK
segment.
22 | P a g e
6. What is the sequence number of the TCP segment containing the HTTP POST
command? Note that in order to find the POST command, you’ll need to dig into
the packet content field at the bottom of the Wireshark window, looking for a
segment with a “POST” within its DATA field.
Answer:
- The sequence number of the TCP segment containing the HTTP POST command
is: 1.
23 | P a g e
7. Consider the TCP segment containing the HTTP POST as the first segment in theTCP
connection. What are the sequence numbers of the first six segments in theTCP connection
(including the segment containing the HTTP POST)? At whattime was each segment sent?
When was the ACK for each segment received?Given the difference between when each
TCP segment was sent, and when itsacknowledgement was received, what is the RTT value
for each of the sixsegments? What is the EstimatedRTT value (see page 249 in text) after
thereceipt of each ACK? Assume that the value of the EstimatedRTT is equal
tothemeasured RTT for the first segment, and then is computed using
theEstimatedRTTequation on page 249 for all subsequent segments.
Answer:
- Segment 1 sequence number: 1
24 | P a g e
- The sending time and the received time of ACKs are in the following table.
Sent time ACK RTT(seconds)

Segment 1 0.026477 0.053937 0.02746
Segment 2 0.041737 0,077294 0.035557
Segment 3 0,054026 0.124085 0.070059
Segment 4 0.054690 0.169118 0.11443
Segment 5 0.077405 0.217299 0.13989
Segment 6 0.078157 0.267802 0.18964
EstimatedRTT after the receipt of the ACK of segment 1:

EstimatedRTT = RTT for Segment 1 = 0.02746 sec
EstimatedRTT = 0.875 * 0.02746 + 0.125 * 0.035557 = 0.0285 sec
EstimatedRTT = 0.875 * 0.0337+ 0.125 * 0.11443 = 0.0438 sec
25 | P a g e
8. What is the length of each of the first six TCP segments?
Answer:
- Length of the first TCP segment (containing the HTTP POST): 619 bytes
- Length of each of the other five TCP segments: 1514 bytes (MSS)
9. What is the minimum amount of available buffer space advertised at the received
for the entire trace? Does the lack of receiver buffer space ever throttle the
sender?
Answer:
- The minimum amount of buffer space (receiver window) advertised at
gaia.cs.umass.edu for the entire trace is 5840 bytes, which shows in the first
acknowledgement from the server. This receiver window grows steadily until a
maximum receiver buffer size of 62780 bytes. The sender is never throttled due
to lacking of receiver buffer space by inspecting this trace.
26 | P a g e
10. Are there any retransmitted segments in the trace file? What did you check for (in
the trace) in order to answer this question?
Answer:
- There are no retransmitted segments in the trace file. We can verify this by
checking the sequence numbers of the TCP segments in the trace file. In the
Time-Sequence-Graph (Stevens) of this trace, all sequence numbers from the
source (192.168.1.102) to the destination (128.119.245.12) are increasing
monotonically with respect to time. If there is a retransmitted segment, the
sequence number of this retransmitted segment should be smaller than those of
its neighboring segments.
11. How much data does the receiver typically acknowledge in an ACK? Can you
identify cases where the receiver is ACKing every other received segment (see
Table 3.2 on page 257 in the text).
Answer:
- The acknowledged sequence numbers of the ACKs are listed as follows:
27 | P a g e
Acknowledged sequence number Acknowledged data
ACK 1 No.6 566 566
ACK 2 No.9 2026 1460
ACK 3 No.12 3486 1460
ACK 4 No.14 4946 1460
ACK 5 No.15 6406 1460
ACK 6 No.16 7866 1460
… … …
- The difference between the acknowledged sequence numbers of two consecutive

ACKs indicates the data received by the server between these two ACKs. By
inspecting the amount of acknowledged data by each ACK, there are cases where
the receiver is ACKing every other segment. For example, segment of No. 80
acknowledged data from two another segments: No.76 and No.77. Therefore, it’s
acknowledged data with 1460 + 892 = 2352 bytes.
12. What is the throughput (bytes transferred per unit time) for the TCP connection?Explain
how you calculated this value.
Amount of data transmitted
Answer: - Throughput =
time incurried
- The computation of TCP throughput largely depends on the selection of
averaging time period. As a common throughput computation, in this question,
we select the average time period as the whole connection time. Then, the
average throughput for this TCP connection is computed as the ratio between the
total amount data and the total transmission time. The total amount data
transmitted can be computed by the difference between the sequence number of
the first TCP segment (1 byte for No. 4 segment) and the acknowledged
sequence number of the last ACK (164091 bytes for No. 202 segment).
Therefore, the total data are: 164091 -1=164090 bytes.
- The whole transmission time is the difference of the time instant of the first TCP
segment ( 0.026477 second for No.4 segment) and the time instant of the last
ACK ( 5.455830 second for No. 202 segment). Therefore, the total transmission
time is: 5.455830 - 0.026477 = 5.4294 seconds.
28 | P a g e
- Hence, the throughput for the TCP connection is computed as: 164090/5.4294 =
30.222 kByte/sec.
13. Use the Time-Sequence-Graph(Stevens) plotting tool to view the sequence number
versus time plot of segments being sent from the client to the gaia.cs.umass.edu
server. Can you identify where TCP’s slowstart phase begins and ends, and where
congestion avoidance takes over? Comment on ways in which the measured data
differs from the idealized behavior of TCP that we’ve studied in the text.
Answer:
- TCP Slow Start begins at the start of the connection, when the HTTP POST
segment is sent out. The identification of the TCP slow start phase and
congestion avoidance phase depends on the value of the congestion window size
of this TCP sender. However, the value of the congestion window size cannot be
obtained directly from the Time-Sequence-Graph (Stevens) graph.
29 | P a g e
Lab 5: UDP
Fig. 1: UDP Header Fields
1. Select one UDP packet from your trace. From this packet, determine how many fields there
are in the UDP header. (You shouldn’t look in the textbook! Answer these questions
directly from what you observe in the packet trace.) Name these fields.
Answer:
- The UDP header contains 4 fields: source port, destination port, length, and
checksum.
2. By consulting the displayed information in Wireshark’s packet content field for this packet,
determine the length (in bytes) of each of the UDP header fields.
Answer:
- Each of the UDP header fields is 2 bytes long.
3. The value in the Length field is the length of what? (You can consult the text for this
answer). Verify your claim with your captured UDP packet.
Answer:
- The value in the length field is the sum of the 8 header bytes, plus the 42
30 | P a g e
encapsulated data bytes.
4. What is the maximum number of bytes that can be included in a UDP payload? (Hint: the
answer to this question can be determined by your answer to 2. above)
Answer:
- The maximum number of bytes that can be included in a UDP payload is
216 – 1 less the header bytes. This gives 65535 – 8 = 65527 bytes.
5. What is the largest possible source port number? (Hint: see the hint in 4.)
Answer:
- The largest possible source port number is 216 – 1 = 65535.
6. What is the protocol number for UDP? Give your answer in both hexadecimal and decimal
notation. To answer this question, you’ll need to look into the Protocol field of the IP
datagram containing this UDP segment (see Figure 4.13 in the text, and the discussion of IP
header fields).
Answer:
- The IP protocol number for UDP is 0x11 hex, which is 17 in decimal value.
7. Examine a pair of UDP packets in which your host sends the first UDP packet and the
second UDP packet is a reply to this first UDP packet. (Hint: for a second packet to be sent
in response to a first packet, the sender of the first packet should be the destination of the
second packet). Describe the relationship between the port numbers in the two packets.
Answer:
Fig. 2: UDP sent by my host
31 | P a g e
Fig. 3: UDP reply to my host
- The source port of the UDP packet sent by the host is the same as the destination
port of the reply packet, and conversely the destination port of the UDP packet
sent by the host is the same as the source port of the reply packet.
32 | P a g e
Lab 6: IP
1. Select the first ICMP Echo Request message sent by your computer, and expand
the Internet Protocol part of the packet in the packet details window. . What is the IP
address of your computer?
Answer:
- IP address of my computer is : 10.10.40.106
2. Within the IP packet header, what is the value in the upper layer protocol field?
Answer:
- Within the header, the value in the upper layer protocol field is ICMP (1) .
33 | P a g e
3. How many bytes are in the IP header? How many bytes are in the payload of theIP
datagram? Explain how you determined the number of payload bytes.
Answer:
- There are 20 bytes in the IP header, and 56 bytes total length, this gives 36 bytes
in the payload of the IP datagram.
4. Has this IP datagram been fragmented? Explain how you determined whether or not the
datagram has been fragmented.
Answer:
- The more fragments bit = 0, so the data is not fragmented.
34 | P a g e
5. Which fields in the IP datagram always change from one datagram to the next within this
series of ICMP messages sent by your computer?
Answer:
- Identification, time to live and Header checksum are always change.
Example:
- The ICMP message no.7 with its identification, time to live and Header check
sum:
- The ICMP message no.8 with its identification, time to live and Header check
sum:
35 | P a g e
6. Which fields stay constant? Which of the fields must stay constant? Which fields must
change? Why?
Answer:
• The fields that stay constant across the IP datagrams are:
- Version (since we are using IPv4 for all packets)
- Header length (since these are ICMP packets)
- Source IP (since we are sending from the same source)
- Destination IP (since we are sending to the same dest)
- Differentiated Services (since all packets are ICMP they use the same
Type of Service class)
- Upper Layer Protocol (since these are ICMP packets)
• The fields that must stay constant are:

- Version (since we are using IPv4 for all packets)
- Header length (since these are ICMP packets)
- Source IP (since we are sending from the same source)
- Destination IP (since we are sending to the same dest)
- Differentiated Services (since all packets are ICMP they use the same Type
of Service class)
- Upper Layer Protocol (since these are ICMP packets)
• The fields that must change are:

- Identification(IP packets must have different ids)
- Time to live (traceroute increments each subsequent packet)
- Header checksum (since header changes, so must checksum)
7. Describe the pattern you see in the values in the Identification field of the IP datagram
Answer:
- The pattern is that the IP header Identification fields increment with each ICMP
Echo (ping) request.
36 | P a g e
8. What is the value in the Identification field and the TTL field?
Answer:
- Identification: 29030.
– TTL: 255.
9. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your
computer by the nearest (first hop) router? Why?
Answer:
- The identification field changes for all the ICMP TTL-exceeded replies because
the identification field is a unique value. When two or more IP datagrams have
the same identification value, then it means that these IP datagrams are fragments
of a single large IP datagram. The TTL field remains unchanged because the TTL
for the first hop router is always the same.
37 | P a g e
10. Find the first ICMP Echo Request message that was sent by your computer after you
changed the Packet Size in pingplotter to be 2000. Has that message been fragmented
across more than one IP datagram?
Answer:
- Yes, that message has been fragmented cross more than one IP datagram, because
the more fragment bit = 1.
11. Print out the first fragment of the fragmented IP datagram. What information in the IP
header indicates that the datagram been fragmented? What information in the IP header
indicates whether this is the first fragment versus a latter fragment? How long is this IP
datagram?
Answer:
- The Flags bit for more fragments is set, indicating that the datagram has been
fragmented. Since the fragment offset is 0, we know that this is the first fragment.
This first datagram has a total length of 1500, including the header.
38 | P a g e
12. Print out the second fragment of the fragmented IP datagram. What information in the
IP header indicates that this is not the first datagram fragment? Are the more fragments?
How can you tell?
Answer:
- Since the fragment offset is 185, we know that this is the second fragment. This
first datagram has a total length of 1500, including the header. The Flags bit for
more fragments is not set, indicating that there are no more fragments.
39 | P a g e
13. What fields change in the IP header between the first and second fragment?
Answer:
- The IP header fields that changed between the fragments are: total length,
flags,fragment offset, and checksum.
Now find the first ICMP Echo Request message that was sent by your computer
afteryou changed the Packet Size in pingplotter to be 3500.
14. How many fragments were created from the original datagram?
Answer:
- After switching to 3500, there are 3 packets created from the original datagram.
15. What fields change in the IP header among the fragments?
Answer:
- The IP header fields that changed between all of the packets are: fragment offset,
and checksum. Between the first two packets and the last packet, we see a change
in total length, and also in the flags. The first two packets have a total length of
1500, with the more fragments bit set to 1, and the last packet has a total length of
540, with the more fragments bit set to 0.
- The first fragment:
40 | P a g e
- The sencond fragment:
- The third fragment:
41 | P a g e
Lab 7: NAT
1. What is the IP address of the client?
Answer:
192.168.1.100
2. The client actually communicates with several different Google servers in order to
implement “safe browsing.” (See extra credit section at the end of this lab). The main Google
server that will serve up the main Google web page has IP address 64.233.169.104. In order to
display only those frames containing HTTP messages that are sent to/from this Google, server,
enter the expression “http && ip.addr == 64.233.169.104” (without quotes) into the Filter: field
in Wireshark .
Answer:
3. Consider now the HTTP GET sent from the client to the Google server (whose IP address is
IP address 64.233.169.104) at time 7.109267. What are the source and destination IP addresses
and TCP source and destination ports on the IP datagram carrying this HTTP GET?
Answer:
- Source IP addresses: 192.168.1.100
- destination IP addresses: 64.233.169.104
- TCP source port: 4335
- TCP destination port: 80
4. At what time4 is the corresponding 200 OK HTTP message received from the Google
server? What are the source and destination IP addresses and TCP source and destination ports
on the IP datagram carrying this HTTP 200 OK message?
Answer:
- 7.158798
- Source: 64.233.169.104, 80
- Destination: 192.168.1.100, 4335
5. Recall that before a GET command can be sent to an HTTP server, TCP must first set up a
connection using the three-way SYN/ACK handshake. At what time is the client-to-server TCP
SYN segment sent that sets up the connection used by the GET sent at time 7.109267? What
are the source and destination IP addresses and source and destination ports for the TCP SYN
segment? What are the source and destination IP addresses and source and destination ports of
the ACK sent in response to the SYN. At what time is this ACK received at the client? (Note:
to find these segments you will need to clear the Filter expression you entered above in step 2.
If you enter the filter “tcp”, only TCP segments will be displayed by Wireshark).
42 | P a g e
Answer:
- 7.075657
- Source: 192.168.1.100, 4335 Destination: 64.233.169.104, 80
- Source: 64.233.169.104, 80 Destination: 192.168.1.100, 4335
- 7.108986
6. In the NAT_ISP_side trace file, find the HTTP GET message was sent from the client to the
Google server at time 7.109267 (where t=7.109267 is time at which this was sent as recorded in
the NAT_home_side trace file). At what time does this message appear in the NAT_ISP_side
trace file? What are the source and destination IP addresses and TCP source and destination
ports on the IP datagram carrying this HTTP GET (as recording in the NAT_ISP_side trace
file)? Which of these fields are the same, and which are different, than in your answer to
question 3 above?
Answer:
- 6.069168
- Source: 71.192.34.104, 4335
- Destination: 64.233.169.104, 80
- Only the source IP address has changed
7. Are any fields in the HTTP GET message changed? Which of the following fields in the IP
datagram carrying the HTTP GET are changed: Version, Header Length, Flags, Checksum. If
any of these fields have changed, give a reason (in one sentence) stating why this field needed
to change.
Answer:
- No
- No
- No
- No
- Yes
- Since the IP source address has changed, and the checksum includes the value of the
source IP address, the checksum has changed.
8. In the NAT_ISP_side trace file, at what time is the first 200 OK HTTP message received
from the Google server? What are the source and destination IP addresses and TCP source and
destination ports on the IP datagram carrying this HTTP 200 OK message? Which of these
fields are the same, and which are different than your answer to question 4 above?
Answer:
- 6.308118
- Source: 64.233.169.104, 80
43 | P a g e
- Destination: 71.192.34.104, 4335
9. In the NAT_ISP_side trace file, at what time were the client-to-server TCP SYN segment
and the server-to-client TCP ACK segment corresponding to the segments in question 5 above
captured? What are the source and destination IP addresses and source and destination ports for
these two segments? Which of these fields are the same, and which are different than your
answer to question 5 above? Figure 4.25 in the text shows the NAT translation table in the
NAT router.
Answer:
- 6.035475, and 6.067775, respectively
- For the SYN: + Source: 71.192.34.104, 4335
+ Destination: 64.233.169.104, 80.
- For the ACK: + Source:64.233.169.104, 80
+ Destination: 71.192.34.104, 4335
44 | P a g e
Lab 8: ICMP
1. What is the IP address of your host? What is the IP address of the destination host?
Answer:
- The IP address of my host is 192.168.1.101. The IP address of
the destination host is 143.89.14.34.
2. Why is it that an ICMP packet does not have source and destination port numbers?
Answer:
- The ICMP packet does not have source and destination port numbers because it was
designed to communicate network layer information between hosts and routers, not between
application layer processes. Each ICMP packet has a "Type" and a "Code".The Type/Code
combination identifies the specific message being received. Since the network software
itself interprets all ICMP messages, no port numbers are needed to direct the ICMP message
to an application layer process.
45 | P a g e
3. Examine one of the ping request packets sent by your host. What are the ICMP type and
code numbers? What other fields does this ICMP packet have? How many bytes are the
checksum, sequence number and identifier fields?
Answer:
- The ICMP type is 8, and the code number is 0. The ICMP packet also has checksum,
identifier, sequence number, and data fields. The checksum, sequence number and identifier
fields are two bytes each.
4. Examine the corresponding ping reply packet. What are the ICMP type and code numbers?
What other fields does this ICMP packet have? How many bytes are the checksum, sequence
number and identifier fields?
Answer:
- The ICMP type is 0, and the code number is 0. The ICMP packet also has checksum,
identifier, sequence number, and data fields. The checksum, sequence number and identifier
fields are two bytes each.
46 | P a g e
5. What is the IP address of your host? What is the IP address of the target destination host?
Answer:
- The IP address of my host is 192.168.1.101. The IP address of the destination host is
138.96.146.2
6. If ICMP sent UDP packets instead (as in Unix/Linux), would the IP protocol number still be
01 for the probe packets? If not, what would it be?
Answer:
- No. If ICMP sent UDP packets instead, the IP protocol number should be 0x11.
7. Examine the ICMP echo packet in your screenshot. Is this different from the ICMP ping
query packets in the first half of this lab? If yes, how so?
Answer:
- The ICMP echo packet has the same fields as the ping query packets.
47 | P a g e
8. Examine the ICMP error packet in your screenshot. It has more fields than the ICMP echo
packet. What is included in those fields?
Answer:
- The ICMP error packet is not the same as the ping query packets. It contains both the IP
header and the first 8 bytes of the original ICMP packet that the error is for.
48 | P a g e
9. Examine the last three ICMP packets received by the source host. How are these packets
different from the ICMP error packets? Why are they different?
Answer:
- The last three ICMP packets are message type 0 (echo reply) rather than 11 (TTL expired).
They are different because the datagrams have made it all the way to the destination host
before the TTL expired.
49 | P a g e
10. Within the tracert measurements, is there a link whose delay is significantly longer than
others? Refer to the screenshot in Figure 4, is there a link whose delay is significantly longer
than others? On the basis of the router names, can you guess the location of the two routers on
the end of this link?
Answer:
- There is a link between steps 11 and 12 that has a significantly longer delay. This
is a transatlantic link from New York to Aubervilliers,France. In figure 4 from
the lab, the link is from New York to Pastourelle, France.
50 | P a g e
Lab 9: Ethernet and ARP
1. What is the 48-bit Ethernet address of your computer?

Answer:
- The 48-bit Ethernet address of my computer is: c4:71:54:5a:98:fc
2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address
of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet
address?
Answer:
- The 48-bit destination address in the Ethernet frame is 30:24:32:a8:04:26
- This is not the Ethernet address of gaia.cs.umass.edu. It is the address of the
IntelCor router, which is the link used to get off the subnet.
3. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s) whose
value is 1 mean within the flag field?
Answer:
- The hex value for the Frame type field is 0x0800.
51 | P a g e
4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET”
appear in the Ethernet frame?
Answer:
- The ASCII “G” appears 54 bytes from the start of the ethernet frame.There are 14
bytes Ethernet frame, and then 20 bytes of IP header followed by 20 bytes of TCP
header before the HTTP data is encountered.
5. What is the hexadecimal value of the CRC field in this Ethernet frame?
Answer: The hex value for the CRC field is 0d 0a 0d 0a.
6. What is the value of the Ethernet source address? Is this the address of your computer, or
of gaia.cs.umass.edu (Hint: the answer is no). What device has this as its Ethernet
address?
Answer:
- The value of the Ethernet source address is: (((30:24:32:a8:04:26)))
- This is neither the Ethernet address of gaia.cs.umass.edu nor the address of my
computer. It is the address of the IntelCor router, which is the link used to get
onto my subnet.
7. What is the destination address in the Ethernet frame? Is this the Ethernet address of your
computer?
Answer: - The destination address:01:00:5e:7f:ff:fa. No
8. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s) whose
value is 1 mean within the flag field?
Answer:
- The hexadecimal value of the two-byte Frame type field is: 0x0800.
- The bit that is valued to 1 says to not fragment the set.
9. How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK”
(i.e., the HTTP response code) appear in the Ethernet frame?
52 | P a g e
Answer:
- The ASCII “O” appears 54 bytes from the start of the ethernet frame. There are
14 bytes Ethernet frame, and then 20 bytes of IP header followed by 20 bytes of
TCP header before the HTTP data is encountered.
10. What is the hexadecimal value of the CRC field in this Ethernet frame?
Answer:
- In this case, the CRC field is supposed to be at the end of the HTTP data, but
there is no value for this field to be showed right after the final byte of HTTP
data.
11. Write down the contents of your computer’s ARP cache. What is the meaning of each
column value?
Answer:
- The Internet Address column contains the IP address, the Physical Address
column contains the MAC address, and the type indicates the protocol type.
12. What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP request message?
Answer:
- The hexadecimal values for the source is: 30:24:32:a8:04:26
- The hexadecimal values for the destination is: c4:71:54:5a:98:fc
53 | P a g e
13. Give the hexadecimal value for the two-byte Ethernet Frame type field. What do the
bit(s) whose value is 1 mean within the flag field?
Answer: - The hexadecimal value for the Ethernet Frame type field is 0x0806, for
ARP.
14. Download the ARP specification from ftp://ftp.rfc-editor.org/innotes/std/std37.txt. A
readable, detailed discussion of ARP is also at
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.
a) How many bytes from the very beginning of the Ethernet frame does the ARP
opcode field begin?
b) What is the value of the opcode field within the ARP-payload part of the Ethernet
frame in which an ARP request is made?
c) Does the ARP message contain the IP address of the sender?
d) Where in the ARP request does the “question” appear – the Ethernet address of the
machine whose corresponding IP address is being queried?
Answer:
a) The ARP opcode field begins 20 bytes from the very beginning of the Ethernetframe.
b) The hex value for opcode field within the ARP-payload of the request is 0x0001, for
request.
c) Yes, the ARP message containing the IP address 192.168.1.1 for the sender.
d) The field “Target MAC address” is set to 00:00:00:00:00:00 to question the machine
whose corresponding IP address (192.168.10.1) is being queried.
15. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the ARP
opcode field begin?
b) What is the value of the opcode field within the ARP-payload part of the Ethernet
frame in which an ARP response is made?
c) Where in the ARP message does the “answer” to the earlier ARP request appear –
the IP address of the machine having the Ethernet address whose corresponding IP
54 | P a g e
address is being queried?
Answer:
a) The ARP opcode field begins 20 bytes from the very beginning of the Ethernet
frame.
b) The hex value for opcode field within the ARP-payload of the request
is0x0002, for reply.
c) The answer to the earlier ARP request appears in the “Sender MAC address”
field, which contains the Ethernet address f4:f2:6d:5b:0c:f8 for the sender with
IP address 192.168.10.1.
16. What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP reply message?
Answer:
- The hex value of the source address is f4:f2:6d:5b:0c:f8.
- The hex value of thedestination address is 30:24:32:a8:04:26.
17. Open the ethernet-ethereal-trace-1 trace file in
http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip. The first and second ARP
packets in this trace correspond to an ARP request sent by the computer running
Wireshark, and the ARP reply sent to the computer running Wireshark by the computer
with the ARP-requested Ethernet address. But there is yet another computer on this
network, as indicated by packet 6 – another ARP request. Why is there no ARP reply
(sent in response to the ARP request in packet 6) in the packet trace?
Answer:
- There is no reply in this trace, because we are not at the machine that sent there
request. The ARP request is broadcast, but the ARP reply is sent back directly to
the sender’s Ethernet address.
55 | P a g e
Lab 10: DHCP
1. Are DHCP messages sent over UDP or TCP?
Answer:
- DHCP messages are sent over UDP.
2. Draw a timing datagram illustrating the sequence of the first four-packet

Discover/Offer/Request/ACK DHCP exchange between the client and server. For each packet,
indicated the source and destination port numbers. Are the port numbers the same as in the
example given in this lab assignment?
Answer:
3. What is the link-layer (e.g., Ethernet) address of your host?

Answer:
56 | P a g e
4. What values in the DHCP discover message differentiate this message from the DHCP
request message? 5. What is the value of the Transaction-ID in each of the first four
(Discover/Offer/Request/ACK) DHCP messages? What are the values of the Transaction-ID
in the second set (Request/ACK) set of DHCP messages? What is the purpose of the
Transaction-ID field?
Answer:
57 | P a g e
5. What is the value of the Transaction-ID in each of the first four
(Discover/Offer/Request/ACK) DHCP messages? What are the values of the Transaction-ID
in the second set (Request/ACK) set of DHCP messages? What is the purpose of the
Transaction-ID field?
Answer:
58 | P a g e
6. A host uses DHCP to obtain an IP address, among other things. But a host’s IP address is
not confirmed until the end of the four-message exchange! If the IP address is not set until the
end of the four-message exchange, then what values are used in the IP datagrams in the four-
message exchange? For each of the four DHCP messages (Discover/Offer/Request/ACK
DHCP), indicate the source and destination IP addresses that are carried in the encapsulating
IP datagram.
Answer:
7. What is the IP address of your DHCP server?

Answer:
8. What IP address is the DHCP server offering to your host in the DHCP Offer message?
Indicate which DHCP message contains the offered DHCP address.
Answer:
59 | P a g e
9. In the example screenshot in this assignment, there is no relay agent between the host and
the DHCP server. What values in the trace indicate the absence of a relay agent? Is there a
relay agent in your experiment? If so what is the IP address of the agent?
Answer:
10. Explain the purpose of the router and subnet mask lines in the DHCP offer message.
Answer:
60 | P a g e
11. In the DHCP trace file noted in footnote 2, the DHCP server offers a specific IP address to
the client (see also question 8. above). In the client’s response to the first server OFFER
message, does the client accept this IP address? Where in the client’s RESPONSE is the
client’s requested address?
Answer:
61 | P a g e
12. Explain the purpose of the lease time. How long is the lease time in your experiment?
Answer:
13. What is the purpose of the DHCP release message? Does the DHCP server issue an
acknowledgment of receipt of the client’s DHCP request? What would happen if the client’s
DHCP release message is lost?
Answer: The client sends a DHCP release message to candel ít lease on the IP address
given to it by the DHCP sever. The DHCP sever does not send a message back to the client
acknowledging the DHCP release message. If the DHCP release message from the client í
lót, the DHCO sever would have to wait until the lease period í over for that IP address until
it could nếu it for another client
14. Clear the bootp filter from your Wireshark window. Were any ARP packets sent or
received during the DHCP packet-exchange period? If so, explain the purpose of those ARP
packets.
Answer:
62 | P a g e
63 | P a g e

BC - MTTMT-đã chuyển đổi

Uploaded by

Copyright:

Available Formats

BC - MTTMT-đã chuyển đổi

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BC - MTTMT-đã chuyển đổi

Uploaded by

Copyright:

Available Formats

Lab 1: Getting started

- 36.620934 – 36.366112 = 0.254822000s.

3. What is the Internet address of the gaia.cs.umass.edu (also known as

- The Internet address of the gaia.cs.umass.edu is: 128.119.245.12

- HTTP RESPONSE message

- HTTP RESPONSE message:

3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?

- The Internet address of the gaia.cs.umass.edu is: 128.119.245.12

6. How many bytes of content are being returned to your browser?

15. Provide a screenshot.

19. Provide a screenshot.

2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending

Sent time ACK RTT(seconds)

EstimatedRTT after the receipt of the ACK of segment 1:

- The difference between the acknowledged sequence numbers of two consecutive

Fig. 1: UDP Header Fields

Fig. 2: UDP sent by my host

• The fields that must stay constant are:

• The fields that must change are:

- The first fragment:

- The third fragment:

1. What is the 48-bit Ethernet address of your computer?

2. Draw a timing datagram illustrating the sequence of the first four-packet

3. What is the link-layer (e.g., Ethernet) address of your host?

7. What is the IP address of your DHCP server?

You might also like