Wireshark6EthernetARP.docx

Wireshark6EthernetARP.docx

《Wireshark6EthernetARP.docx》由会员分享，可在线阅读，更多相关《Wireshark6EthernetARP.docx（15页珍藏版）》请在冰豆网上搜索。

Wireshark6EthernetARP

重庆大学软件学院

实验报告

实验名称

利用Wireshark分析Ethernet_ARP协议

课程名称

计算机网络与通信

姓名

成绩

学号

教师

胡海波

班级

日期

2013-05-18

《计算机网络与通信》实验报告

开课实验室：

年月日

姓名

年级、班级

成绩

实验（项目）名称

实验六：

利用Wireshark分析Ethernet_ARP协议

指导教师

胡海波

教师评语

教师签名：

胡海波

年月日

一、实验目的

1.学会怎么使用nslookup工具查询并分析Internet域名信息或诊断DNS服务器，并且能够使用ipconfig工具进行分析。

2.了解怎么使用WireShark简单分析DNS协议。

二、使用的软件、硬件

1.接入Internet的计算机

2.抓包工具WireShark

3.wingdows7自带的截图工具

三、实验过程原始记录（数据、图表、计算等）

1.Whatisthe48-bitEthernetaddressofyourcomputer?

The48-bitEthernetaddressofmycomputeris:

c8:

0a:

a9:

db:

9b:

f3

2.Whatisthe48-bitdestinationaddressintheEthernetframe?

IsthistheEthernet

addressofgaia.cs.umass.edu?

（Hint:

theanswerisno）.Whatdevicehasthisasits

Ethernetaddress?

[Note:

thisisanimportantquestion,andonethatstudents

sometimesgetwrong.Re-readpages468-469inthetextandmakesureyou

understandtheanswerhere.]

（1）The48-bitdestinationaddressintheEthernetframeis:

00:

23:

89:

8d:

50:

71

（2）ThisisnottheEthernetaddressofgaia.cs.umass.edu.

（3）ItistheaddressofmyLinksysrouter,whickisthelinkusedtogetoffthesubnet.

3.Givethehexadecimalvalueforthetwo-byteFrametypefield.Whatdothebit（s）

whosevalueis1meanwithintheflagfield?

（1）Thehexadecimalvalueforthetwo-byteFrametypefieldis:

ox0800

（2）Thevalueis1withintheflagfieldmeansthefragmenthasnotbeenfragmented.

4.HowmanybytesfromtheverystartoftheEthernetframedoestheASCII“G”in

“GET”appearintheEthernetframe?

（1）TheASCII“G”appears54bytesfromtheverystartoftheEthernetframe.

（2）Calculationprocessasfollows:

Thereare14bytesofEthernetframe,20bytesofIPheaderand20bytesofTCPheaderbeforeHTTPdataisencountered.

5.WhatisthehexadecimalvalueoftheCRCfieldinthisEthernetframe?

（1）ThereisnoCRCfield.

（2）BecausetheCRCcalculatedbeforetheWiresharkpacketsnifferstartup.

6.WhatisthevalueoftheEthernetsourceaddress?

Isthistheaddressofyour

computer,orofgaia.cs.umass.edu（Hint:

theanswerisno）.Whatdevicehasthis

asitsEthernetaddress?

（1）ThevalueoftheEthernetsourceaddressis:

00:

23:

89:

8d:

50:

71

（2）Thisisneithertheaddressofyourcomputer,northeaddressofgaia.cs.umass.edu.

（3）ItistheaddressofmyLinksysrouter,whichisthelinkusedtogetontomysubnet.

7.WhatisthedestinationaddressintheEthernetframe?

IsthistheEthernetaddress

ofyourcomputer?

（1）ThedestinationaddressintheEthernetframeis:

c8:

0a:

a9:

db:

9b:

f3

（2）Itistheaddressofmycomputer.

（The48-bitEthernetaddressofmycomputeris:

c8:

0a:

a9:

db:

9b:

f3）

8.Givethehexadecimalvalueforthetwo-byteFrametypefield.Whatdothebit（s）

whosevalueis1meanwithintheflagfield?

（1）Thehexadecimalvalueforthetwo-byteFrametypefieldis:

0x0800.

（2）Thevalueis1withintheflagfieldmeansthefragmenthasnotbeenfragmented.

9.HowmanybytesfromtheverystartoftheEthernetframedoestheASCII“O”in

“OK”（i.e.,theHTTPresponsecode）appearintheEthernetframe?

（1）TheASCII“O”appears54bytesfromtheverystartoftheEthernetframe.

（2）Calculationprocessasfollows:

Thereare14bytesofEthernetframe,20bytesofIPheaderand20bytesofTCPheaderbeforeHTTPdataisencountered.

10.WhatisthehexadecimalvalueoftheCRCfieldinthisEthernetframe?

（1）ThereisnoCRCfield.

（2）Thereason:

BecausetheCRCcalculatedbeforetheWiresharkpacketsnifferstartup.

11.Writedownthecontentsofyourcomputer’sARPcache.Whatisthemeaningof

eachcolumnvalue?

TheInternetAddresscolumncontainstheIPaddress,.

ThePhysicalAddresscolumncontainstheMACaddress,andthetypeindicatestheprotocoltype.

12.Whatarethehexadecimalvaluesforthesourceanddestinationaddressesinthe

EthernetframecontainingtheARPrequestmessage?

（1）ThehexadecimalvaluesforthesourceaddressesintheEthernetframecontainingtheARPrequestmessageis:

00:

23:

89:

8d:

50:

71

（2）ThedestinationaddressesintheEthernetframecontainingtheARPrequestmessageis:

ff:

ff:

ff:

ff:

ff:

ff

13.Givethehexadecimalvalueforthetwo-byteEthernetFrametypefield.Whatdo

thebit（s）whosevalueis1meanwithintheflagfield?

（1）Thehexadecimalvalueforthetwo-byteEthernetFrametypefieldis:

0x0806.

（2）.ThereisnoFlagfield.

14.DownloadtheARPspecificationfromftp:

//ftp.rfc-editor.org/innotes/std/std37.txt.Areadable,detaileddiscussionofARPisalsoathttp:

//www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.

a）HowmanybytesfromtheverybeginningoftheEthernetframedoesthe

ARPopcodefieldbegin?

TheARPopcodefieldbegins20bytesfromtheverybeginningoftheEthernetframe.

b）WhatisthevalueoftheopcodefieldwithintheARP-payloadpartofthe

EthernetframeinwhichanARPrequestismade?

ThehexvalueforopcodefieldwithingtheARP-payloadoftherequestis1.

c）DoestheARPmessagecontaintheIPaddressofthesender?

Yes,theARPmessagecontaingtheIPaddress192.168.1.105forthesender.

d）WhereintheARPrequestdoesthe“question”appear–theEthernet

addressofthemachinewhosecorrespondingIPaddressisbeingqueried?

Thefield“TargetMACaddress”issetto00:

00:

00:

00:

00:

00toquestionthemachinewhosecorrespondingIPaddress（192.168.1.105）isbeingqueried.

15.NowfindtheARPreplythatwassentinresponsetotheARPrequest.

a）HowmanybytesfromtheverybeginningoftheEthernetframedoesthe

ARPopcodefieldbegin?

TheARPopcodefieldbegins20bytesfromtheverybeginningoftheEthernetframe.

b）WhatisthevalueoftheopcodefieldwithintheARP-payloadpartofthe

EthernetframeinwhichanARPresponseismade?

ThehexvalueforopcodefieldwithingtheARP-payloadpartoftheEthernetframeis2．

c）WhereintheARPmessagedoesthe“answer”totheearlierARPrequest

appear–theIPaddressofthemachinehavingtheEthernetaddresswhose

correspondingIPaddressisbeingqueried?

TheanswertotheearlierARPrequestappearsinthe”SenderMACaddress”field,whichcontainstheEthernetaddress00:

d0:

59:

a9:

3d:

68forthesenderwithIPaddress192.168.1.1

16.Whatarethehexadecimalvaluesforthesourceanddestinationaddressesinthe

EthernetframecontainingtheARPreplymessage?

Thehexvalueforthesourceaddressis00:

06:

25:

da:

af:

73andforthedestinationis00:

d0:

59:

a9:

3d:

68.

17.Opentheethernet-ethereal-trace-1tracefilein

http:

//gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip.Thefirstandsecond

ARPpacketsinthistracecorrespondtoanARPrequestsentbythecomputer

runningWireshark,andtheARPreplysenttothecomputerrunningWiresharkby

thecomputerwiththeARP-requestedEthernetaddress.Butthereisyetanother

computeronthisnetwork,asindiatedbypacket6–anotherARPrequest.Whyis

therenoARPreply（sentinresponsetotheARPrequestinpacket6）inthepacket

trace?

Thereisnoreplyinthistrace,becausewearenotatthemachinethatsenttherequest.TheARPrequestisbroadcast,buttheARPreplyissentbackdirectlytothesender’sEthernetaddress.

四、实验总结

1.CRC在WireShark中是不能被抓到的，原因是CRC在抓包之前已经被计算好。

2.ARPRequest消息的Type字段值为1；ARPReplyt消息的Type字段值为2。

3.MACaddress是唯一的。

4.清空ARP缓存时（ARP–d）会出现如下的情况：

5.ARP–a可以查看ARP缓存中的内容。