Wireshark Lab: Ethernet and ARP v7.0

1. Capturing and analyzing Ethernet frames

清除浏览器缓存

使用wireshark抓包并请求网页

修改“捕获数据包列表”窗口，仅显示有关 IP 以下协议的信息。

抓包干扰较多，故分析作者的数据包回答下列问题
包含HTTP GET消息的以太网帧如下：

1

What is the 48-bit Ethernet address of your computer?

Ethernet address ：AmbitMic_a9:3d:68 (00:d0:59:a9:3d:68)

2

What is the 48-bit destination address in the Ethernet frame?

destination address: LinksysG_da:af:73 (00:06:25:da:af:73)。

Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no).
不是 gaia.cs.umass.edu 的以太网地址

What device has this as its Ethernet address?
这个可能是连接该子网的路由器的地址。

[Note: this is an important question, and one that students sometimes get wrong. Re-read pages 468-469 in the text and make sure you understand the answer here.]

3

Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to?
hexadecimal value ：0x0800
protocol :IPV4

4

How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET” appear in the Ethernet frame?

16 × 3+6=54 bytes

Next, answer the following questions, based on the contents of the Ethernet frame containing the first byte of the HTTP response message.

5

What is the value of the Ethernet source address?

source address:LinksysG_da:af:73 (00:06:25:da:af:73)

Is this the address of your computer, or of gaia.cs.umass.edu ?(Hint: the answer is no).
不是
What device has this as its Ethernet address?
是连接该子网的路由器的地址

6

What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer?

destination address: AmbitMic_a9:3d:68 (00:d0:59:a9:3d:68)
是本机地址

7

Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to?

hexadecimal value：0x0800
protocol：IPV4

8

How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e., the HTTP response code) appear in the Ethernet frame?

4 × 16 + 4 = 68bytes

2. The Address Resolution Protocol

1. 进入目录C:\Windows\System32
   
2. 命令行输入 arp -a
   

9

Write down the contents of your computer’s ARP cache. What is the meaning of
each column value?

• 网卡：

  • 

• 路由 IP ：

  • 

• MAC 地址：

  • 

• 广播地址：

  • 

• 组播地址：

  • 

1. 清空arp缓存
   • 
2. 清空浏览器的缓存。
3. 开始抓包
4. 请求网页http://gaia.cs.umass.edu/wireshark-labs/HTTP-ethereal-lab-file3.html
5. 停止抓包
6. 由于不关心IP和更高层的协议，故点击 分析–>启用的协议，取消选中IP框再选择OK
   抓到的包的页面如下：

使用作者的数据包回答下列问题：

10

What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP request message?

destination : Broadcast (ff:ff:ff:ff:ff:ff)
source : AmbitMic_a9:3d:68 (00:d0:59:a9:3d:68)

11

Give the hexadecimal value for the two-byte Ethernet Frame type field. What
upper layer protocol does this correspond to?

hexadecimal value：0x0806

12

Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt.
A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.

a) How many bytes from the very beginning of the Ethernet frame does the
ARP opcode field begin?

16 + 4 = 20bytes
b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP request is made?

为0x0001
c) Does the ARP message contain the IP address of the sender?

包含IP address of the sender
d) Where in the ARP request does the “question” appear – the Ethernet
address of the machine whose corresponding IP address is being queried?

Opcode值为1表示 request

13

Now find the ARP reply that was sent in response to the ARP request.

a) How many bytes from the very beginning of the Ethernet frame does the
ARP opcode field begin?

16+4=20bytes

b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP response is made?

为0x0002

c) Where in the ARP message does the “answer” to the earlier ARP request
appear – the IP address of the machine having the Ethernet address whose
corresponding IP address is being queried?

Opcode: reply (2) ，值为2 ，表示reply

14

What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP reply message?

destination : AmbitMic_a9:3d:68 (00:d0:59:a9:3d:68)
source : LinksysG_da:af:73 (00:06:25:da:af:73)

15

Open the ethernet-ethereal-trace-1 trace file in
http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip.
The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 – another ARP request.

Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace?
因为查询ARP报文通过广播帧发送的，对应子网的所有节点都能收到该报文，但是响应ARP报文仅通过一个标准帧发送，只有请求ARP的对应节点才能收到

Extra Credit

EX-1.

The arp command: arp -s InetAddr EtherAddr allows you to manually add an entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. What would happen if, when you manually added an entry, you entered the correct IP address, but the wrong Ethernet address for that remote interface?
会导致本地主机无法与该IP地址对应的节点建立连接

EX-2.

What is the default amount of time that an entry remains in your ARP cache before being removed. You can determine this empirically (by monitoring the cache contents) or by looking this up in your operation system documentation. Indicate how/where you determined this value.

命令行输入netsh interface ipv4 show interfaces

Idx = 14 对应 WLAN
netsh interface ipv4 show interface 14查询接口WLAN的参数

基本可访问时间为 30000 毫秒，则ARP cache条目TTL为30000