Ethernet_ARP
1. Capturing and analyzing Ethernet frames:
Answer the following questions, based on the contents of the Ethernet frame containing the HTTP GET message.
1. What is the 48-bit Ethernet address of your computer? Ans: 48-bit Ethernet address is 00:d0:59:a9:3d:68 2. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? Ans: 48-bit Ethernet address is 00:06:25:da:af:73 .No it is not the Ethernet address of gaia.cs.umass.edu .It is the address of the Linksys router that my computer has to go through (i.e. subnet) in order to reach the destination. 3. Give the hexadecimal value for the two-byte Frame type field. What upper layer Protocol does this correspond to? Ans: Hexadecimal value for the two-byte Frame type field is 0x0800. Upper layer protocol corresponds to IP (Internet Protocol)
4. How many bytes from the very start of the Ethernet frame does the ASCII G in GET appear in the Ethernet frame? Ans: The ASCII G in GET appears 52 bytes from the start of the Ethernet frame. There are 14B Ethernet frame, and then 20 bytes of IP header followed by 20 bytes of TCP header before the HTTP data is encountered.
Next, answer the following questions, based on the contents of the Ethernet frame containing the first byte of the HTTP response message.
5. What is the value of the Ethernet source address? Is this the address of your computer, or of gaia.cs.umass.edu (Hint: the answer is no). What device has this as its Ethernet address? Ans: Value of the Ethernet source address is 00:06:25:da:af:73. No it is neither the address of my computer nor of gaia.cs.umass.edu. It is address of the Linksys router, which is the link used to get onto my subnet.
6. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer? Ans: Destination address in the Ethernet frame is 00:d0:59:a9:3d:68, which is the Ethernet address of my computer.
7. Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to? Ans: The hexadecimal value for the two-byte Frame type field 0x0800. The upper layer protocol is IP (Internet Protocol).
8. How many bytes from the very start of the Ethernet frame does the ASCII O in OK (i.e., the HTTP response code) appear in the Ethernet frame? Ans: ASCII O in OK appears 4867 bytes from the start of Ethernet frame.
2. The Address Resolution Protocol:
The Windows arp command with no arguments will display the contents of the ARP cache on your computer. Run the arp command.
9. Write down the contents of your computers ARP cache. What is the meaning of each column value? Ans: The Internet Address column contains the IP address, Physical Address column contains the MAC address, and type indicates the protocol type.
10. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message? Ans: Hexadecimal values for the source is 00:d0:59:a9:3d:68 and that of the destination address is ff:ff:ff:ff:ff ,broadcast address.
11. Give the hexadecimal value for the two-byte Ethernet Frame type field. What upper layer protocol does this correspond to? Ans: The hexadecimal value for the two-byte Ethernet Frame type field is 0x0806. The upper layer protocol corresponds to ARP (Address Resolution Protocol).
12. Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html. a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? Ans: ARP opcode field begins 20 bytes from the very beginning of the Ethernet Frame.
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made? Ans: The hexadecimal value of the opcode field within the ARP payload of the request is Opcode: request (1) c) Does the ARP message contain the IP address of the sender? Ans: Yes the ARP contains the IP address of the sender 192.168.1.105
d) Where in the ARP request does the question appear the Ethernet address of the machine whose corresponding IP address is being queried? Ans: The field Target MAC address is set to 00:00:00:00:00:00 to question the machine whose corresponding IP address (192.168.1.1) is being queried.
13. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? Ans: The ARP opcode fields begins 20 bytes from the very beginning of the Ethernet frame b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP response is made? Ans: The value of opcode within the ARP payload of the Ethernet frame is Opcode: reply (2) c) Where in the ARP message does the answer to the earlier ARP request appear the IP address of the machine having the Ethernet address whose corresponding IP address is being queried? Ans: The answer to the earlier ARP request appears in the Sender MAC address field which contains the Ethernet address 00:06:25:da:af:73 for the sender with the IP address 192.168.1.1
14. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message? Ans: The hexadecimal values for the source address 00:06:25:da:af:73 and for the destination is 00:d0:59:a9:3d:68
15. Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip. The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 another ARP request. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace? Ans: No reply in this trace, since we are not at the machine that sent the request. The ARP request is the broadcast, but the ARP reply is sent back directly to the senders Ethernet address.
Extra Credit:
EX-1.The arp command: arp -s InetAddr EtherAddr allows you to manually add an entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. What would happen if, when you manually added an entry, you entered the correct IP address, but the wrong Ethernet address for that remote interface?
Ans: It shows the message stating that The ARP entry addition failed: The requested operation requires elevation.
EX-2. What is the default amount of time that an entry remains in your ARP cache before being removed. You can determine this empirically (by monitoring the cache contents) or by looking this up in your operation system documentation. Indicate how/where you determined this value. Ans: The default amount of time that the entry remains in my system ARP cache is 0xb i.e. 11 seconds. This time can be obtained in the MS-DOS command prompt window by typing arp a, which will display the IP address and the cache time, and also along with it we find other internet address, physical address and type
TCP (Transmission Control Protocol)
1. A first look at the captured trace:
Answer the following questions, by opening the Wireshark captured packet file tcpethereal-trace-1 in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip (that is download the trace and open that trace in Wireshark; see footnote 2). Whenever possible, when answering a question you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout3 to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question.
1. What is the IP address and TCP port number used by the client computer (source) that is transferring the file to gaia.cs.umass.edu? To answer this question, its probably easiest to select an HTTP message and explore the details of the TCP packet used to carry this HTTP message, using the details of the selected packet header window (refer to Figure 2 in the Getting Started with Wireshark Lab if youre uncertain about the Wireshark windows. Ans: IP address of the source is 192.168.1.102 and the port number used by the client computer (source) is 1161
2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending and receiving TCP segments for this connection? Ans: IP address of the gaia.cs.umass.edu 128.119.245.12 and the port number is 80 on which it sends and receives TCP segments.
If you have been able to create your own trace, answer the following question:
3. What is the IP address and TCP port number used by your client computer (source) to transfer the file to gaia.cs.umass.edu? Ans: The IP address is 192.168.73.14 and the TCP port number used is 80
2. TCP Basics:
Answer the following questions for the TCP segments: 4. What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection between the client computer and gaia.cs.umass.edu? What is it in the segment that identifies the segment as a SYN segment?
Ans: Sequence number of the TCP SYN segment is used to initiate the TCP connection between the client computer and gaia.cs.umass.edu. The value is 0 in this trace. The SYN flag is set to 1 and it indicates that this segment is a SYN segment.
5. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client computer in reply to the SYN? What is the value of the Acknowledgement field in the SYNACK segment? How did gaia.cs.umass.edu determine that value? What is it in the segment that identifies the segment as a SYNACK segment?
Ans: Sequence number of the SYNACK segment value is 0 in this trace. The value of the ACK field in SYNACK segment is 1. The value of the ACK field in the SYNACK segment is determined by gaia.cs.umass.edu by adding 1 to the initial sequence number of SYN segment from the client computer i.e. the sequence number of the SYN segment initiated by the client computer is 0. The SYN flag and Acknowledgement flag in the segment are set to 1 and they indicate that this segment is a SYNACK segment.
6. What is the sequence number of the TCP segment containing the HTTP POST command? Note that in order to find the POST command, youll need to dig into the packet content field at the bottom of the Wireshark window, looking for a segment with a POST within its DATA field.
Ans: 4th segment (or packet) is the TCP segment containing the HTTP POST command. The sequence number of this segment has the value of 1.
7. Consider the TCP segment containing the HTTP POST as the first segment in the TCP connection. What are the sequence numbers of the first six segments in the TCP connection (including the segment containing the HTTP POST)? At what time was each segment sent? When was the ACK for each segment received? Given the difference between when each TCP segment was sent, and when its acknowledgement was received, what is the RTT value for each of the six segments? What is the EstimatedRTT value (see Section 3.5.3, page 239 in text) after the receipt of each ACK? Assume that the value of the EstimatedRTT is equal to the measured RTT for the first segment, and then is computed using the EstimatedRTT equation on page 239 for all subsequent segments. Note: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP segments sent. Select a TCP segment in the listing of captured packets window that is being sent from the client to the gaia.cs.umass.edu server. Then select: Statistics->TCP Stream Graph->Round Trip Time Graph.
Ans: The HTTP POST segment is considered as the first segment. Segments 1 6 are No. 4, 5, 7, 8, 10, and 11 in this trace respectively. The ACKs of segments 1 6 are No. 6, 9, 12, 14, 15, and 16 in this trace. Segment 1 sequence number: 1 Segment 2 sequence number: 566 Segment 3 sequence number: 2026 Segment 4 sequence number: 3486 Segment 5 sequence number: 4946 Segment 6 sequence number: 6406
The sending time and the received time of ACKs are tabulated in the following table.
Sent time Segment 1 Segment 2 Segment 3 Segment 4 Segment 5 Segment 6 0.026477 0.041737 0.054026 0.054690 0.077405 0.078157
ACK received time 0.053937 0.077294 0.124085 0.169118 0.217299 0.267802
RTT (seconds) 0.02746 0.035557 0.070059 0.11443 0.13989 0.18964
EstimatedRTT = 0.875 * EstimatedRTT + 0.125 * SampleRTT EstimatedRTT after the receipt of the ACK of segment 1: EstimatedRTT = RTT for Segment 1 = 0.02746 second EstimatedRTT after the receipt of the ACK of segment 2: EstimatedRTT = 0.875 * 0.02746 + 0.125 * 0.035557 = 0.0285 EstimatedRTT after the receipt of the ACK of segment 3: EstimatedRTT = 0.875 * 0.0285 + 0.125 * 0.070059 = 0.0337 EstimatedRTT after the receipt of the ACK of segment 4: EstimatedRTT = 0.875 * 0.0337+ 0.125 * 0.11443 = 0.0438 EstimatedRTT after the receipt of the ACK of segment 5: EstimatedRTT = 0.875 * 0.0438 + 0.125 * 0.13989 = 0.0558 EstimatedRTT after the receipt of the ACK of segment 6: EstimatedRTT = 0.875 * 0.0558 + 0.125 * 0.18964 = 0.0725 second
8. Ans:
What is the length of each of the first six TCP segments? Length of the first TCP segment (containing the HTTP POST): 565 bytes Length of each of the other five TCP segments: 1460 bytes (MSS)
9. What is the minimum amount of available buffer space advertised at the received for the entire trace? Does the lack of receiver buffer space ever throttle the sender?
Ans: The minimum amount of available buffer space advertised at the receiver for the entire trace is 5840 bytes. The receiver window will grow steadily until a maximum receiver buffer size 62780 bytes. The sender is never throttled due to lacking of receiver buffer space by inspecting this trace.
10. Are there any retransmitted segments in the trace file? What did you check for (in the trace) in order to answer this question?
Ans: No, there are no retransmitted segments in the trace file. We can verify this by checking the sequence numbers of the TCP segments in the trace file. In the Time-Sequence-Graph (Stevens) of this trace, all sequence numbers from the source (192.168.1.102) to the destination (128.119.245.12) are increasing monotonically with respect to time. If there is a retransmitted segment, the sequence number of this retransmitted segment should be smaller than those of its neighboring segments.
11. How much data does the receiver typically acknowledge in an ACK? Can you identify cases where the receiver is ACKing every other received segment (see Table 3.2 on page 247 in the text). Ans: acknowledged sequence number 566 2026 3486 4946 6406 7866 9013 10473 11933 13393 14853 16313 acknowledged data 566 1460 1460 1460 1460 1460 1147 1460 1460 1460 1460 1460
ACK 1 ACK 2 ACK 3 ACK 4 ACK 5 ACK 6 ACK 7 ACK 8 ACK 9 ACK 10 ACK 11 ACK 12
The difference between the acknowledged sequence numbers of two consecutive ACKs indicates the data received by the server between these two ACKs. By inspecting the amount of acknowledged data by each ACK, there are cases where the receiver is ACKing every other segment. 12. What is the throughput (bytes transferred per unit time) for the TCP connection? Explain how you calculated this value. Ans: TCP throughput largely depends on the selection of averaging time period. The average throughput for this TCP connection is computed as the ratio between the total amount data and the total transmission time. The total amount data transmitted can be computed by the difference between the sequence number of
the first TCP segment (i.e. 1 byte for No. 4 segment) and the acknowledged sequence number of the last ACK (164091 bytes for No. 202 segment). Therefore, the total data are 164091 - 1 = 164090 bytes. The whole transmission time is the difference of the time instant of the first TCP segment (i.e., 0.026477 second for No.4 segment) and the time instant of the last ACK (i.e., 5.455830 second for No. 202 segment). Therefore, the total transmission time is 5.455830 - 0.026477 = 5.4294 seconds. Hence, the throughput for the TCP connection is computed as 164090/5.4294 = 30.222 Kbytes/sec.
3. TCP congestion control in action:
Answer the following questions for the TCP segments the packet trace tcp-etherealtrace-1 in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip 13. Use the Time-Sequence-Graph (Stevens) plotting tool to view the sequence number versus time plot of segments being sent from the client to the gaia.cs.umass.edu server. Can you identify where TCPs slowstart phase begins and ends, and where congestion avoidance takes over? Comment on ways in which the measured data differs from the idealized behavior of TCP that weve studied in the text. Ans:
TCP Slow Start begins at the start of the connection, i.e., when the HTTP POST segment is sent out. The identification of the TCP slow start phase and congestion avoidance phase depends on the value of the congestion window size of this TCP sender. However, the value of the congestion window size cannot be obtained directly from the Time-Sequence-Graph (Stevens) graph. Nevertheless, we can estimate the lower bound of the TCP window size by the amount of outstanding data because the outstanding data is the amount of data without acknowledgement. We also know that TCP window is constrained by the receiver window size and the receiver buffer can act as the upper bound of the TCP window size. In this trace, the receiver buffer is not the bottleneck; therefore, this upper bound is not quite useful to infer the TCP window size. Hence, we focus on the lower bound of the TCP window size.
14. Answer each of two questions above for the trace that you have gathered when you transferred a file from your computer to gaia.cs.umass.edu Ans: The idealized behavior of the TCP in the text assumes that TCP senders are aggressive in sending. In the practice, TCP behavior also largely depends on the application. In this example, when the TCP sender can send out data, there are no data available for transmission. In the web application, some of web objects have very small sizes. Before the end of slow start phase, the transmission of these small web objects suffers from the unnecessary long delay because of the slow start phase of TCP. .