Computer Networks Lab: IP and TCP Protocol Analysis with WireShark.docx

Uploaded by: b****3 | Document ID: 4312225 | Upload date: 2022-11-29 | Format: DOCX | Pages: 16 | Size: 1.55 MB

IP and TCP Protocol Analysis with WireShark

 

Learning Objectives

At completion of this lab, you will be able to:

1. Understand the IP protocol, IP fragmentation and re-assembly

2. Understand the TCP 3-way handshake for connection setup and termination, as well as data exchange

3. Understand the ICMP protocol and how the ping program works

4. Understand how the tracert (traceroute) program works

Report and Feedback on this lab

This lab should be done individually.

If you do not want to capture the live packets in this lab, you can download my data files for analysis (lab4.zip).

Answer all questions with supporting screenshots. Please also fill in the following feedback form and append it to the report. Your feedback is valuable to us so that we can improve this lab and make it better.

For each task, please rate the following on a scale of 1 through 5:

∙ The degree of difficulty: 1 = too easy; 5 = too difficult

∙ The learning experience: 1 = learned nothing; 5 = learned a lot

∙ Your interest: 1 = no interest; 5 = high interest

∙ Time used for the task: in minutes

| Task | Difficulty (1-5) | Learning (1-5) | Interest (1-5) | Time (min) |
|---|---|---|---|---|
| background | | | | |
| Task 1 | | | | |
| Task 2 | | | | |
| Task 3 | | | | |

Your suggestion/comment:

Background

You need to read and answer the questions in this background part before the lab.

Read Lectures on IP and ICMP protocols. Read Lectures on TCP protocol.

 

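Question 1:

In the IP header, there is a field called “protocol (type)”. What is it used for?

It is used to standardize the data transmission method so that different computers can communicate with each other.

Question 2:

How is an ICMP message transported (encapsulation)?

ICMP messages are encapsulated in IP packets.

Question 3:

Which ICMP messages are used to implement the Ping program?

Echo request and echo response.

Ping uses type 8 requests and type 0 replies.

Question 4:

Use a figure to show the 3-way handshake to establish a connection in the TCP protocol.

First handshake: Host A sends a packet with the flag SYN=1 and a randomly generated seq number=1234567 to the server; from SYN=1, host B knows that A is requesting to establish a connection.

Second handshake: After receiving the request, host B must confirm the connection information, so it sends A a packet with ack number=(host A's seq+1), SYN=1, ACK=1 and a randomly generated seq=7654321.

Third handshake: After receiving it, host A checks whether the ack number is correct, i.e. the seq number it first sent plus 1, and whether the ACK flag is 1. If they are correct, host A sends another packet with ack number=(host B's seq+1) and ACK=1; once host B receives it and confirms the seq value and ACK=1, the connection is successfully established.

After the three-way handshake is complete, host A and host B begin to transfer data.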
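The sequence-number checks in the handshake answer above, as an added Python example (not part of the original lab handout or report): it parses three raw TCP headers and verifies the SYN, SYN+ACK, ACK pattern, including the wrap of sequence numbers at 2^32. The function names and port numbers are assumptions; the sequence numbers 1234567 and 7654321 come from the answer.

```python
import struct

SYN, ACK = 0x02, 0x10

def tcp_header(sport, dport, seq, ack, flags):
    """Pack a 20-byte TCP header (constructed sample, checksum left 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                       65535, 0, 0)

def parse_tcp(raw):
    """Extract ports, sequence/ack numbers and the SYN/ACK flags."""
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", raw[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "SYN": bool(flags & SYN), "ACK": bool(flags & ACK)}

def check_handshake(raw_segments):
    """Return (ok, reason) for three headers claimed to be SYN, SYN+ACK, ACK."""
    if len(raw_segments) != 3:
        return False, "need exactly three segments"
    a1, b, a2 = (parse_tcp(r) for r in raw_segments)
    nxt = lambda n: (n + 1) % 2**32  # sequence numbers wrap at 2^32
    if not a1["SYN"] or a1["ACK"]:
        return False, "segment 1 is not a bare SYN"
    if (b["sport"], b["dport"]) != (a1["dport"], a1["sport"]):
        return False, "segment 2 is not the reverse direction of segment 1"
    if not (b["SYN"] and b["ACK"]) or b["ack"] != nxt(a1["seq"]):
        return False, "segment 2 does not acknowledge A's seq+1"
    if a2["SYN"] or not a2["ACK"]:
        return False, "segment 3 is not a bare ACK"
    if a2["seq"] != nxt(a1["seq"]) or a2["ack"] != nxt(b["seq"]):
        return False, "segment 3 does not acknowledge B's seq+1"
    return True, "connection established"

# Constructed exchange using the sequence numbers from the answer above;
# the port numbers are assumptions.
HANDSHAKE = [
    tcp_header(50000, 80, 1234567, 0, SYN),
    tcp_header(80, 50000, 7654321, 1234568, SYN | ACK),
    tcp_header(50000, 80, 1234568, 7654322, ACK),
]

if __name__ == "__main__":
    print(check_handshake(HANDSHAKE))
```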

Traceroute (tracert) is an important and useful utility tool for network testing and debugging. Read more on it and learn how to use it:

∙ MS Windows tracert command,

 

Task 1 Study Windows tracert program and how to find a route

In MS Windows, tracert can be used to find a route from the source host, via routers, to the destination host. This task is about how tracert works and what we can use it for. Follow the steps to start up the programs and capture the packets.

(1) Start up a command window

Click Start on the left corner of your desktop, and choose Run. Then type cmd to start up a DOS command window. In this window, you can also type the command "tracert /?" to learn more on the command, or read more via the link above.

(2) Start up the WireShark program

Start up Wireshark and begin packet capture.

(3) Run the tracert program

Type the following command to find a route to :

  tracert 

(4) Stop the WireShark capturing

When tracert ends, stop the capturing, and save the data to a file (you can open the file to analyze the packets later).

(5) Copy the output of tracert to the lab report file.

By analyzing the output, we can learn a route from the source to the destination, and the response time between the source and the intermediate routers.

Question 5:

How many routers are on the route from your computer to ? What are their IP addresses?

1. 192.168.156.254

2. 210.32.39.250

3. 60.191.32.65

4. 218.75.123.233

5. 61.130.127.249

6. 220.191.142.49

7. 115.239.209.18

8. 115.239.210.27

 

Question 6:

Based on the output from tracert, draw the map of the networks. Show the IP addresses for the source computer, destination computer, and routers.

Now look at the captured data.

Source: 192.168.156.57

Destination: 115.239.210.27

Routers:

1. 192.168.156.254

2. 210.32.39.250

3. 60.191.32.65

4. 218.75.123.233

5. 61.130.127.249

6. 220.191.142.49

7. 115.239.209.18

8. 115.239.210.27

(6) Analyze the first ICMP message

Since tracert uses ICMP messages to trace the route to the destination computer, you can use “icmp and ip.addr==192.168.x.x” as the display filter in WireShark to only display ICMP messages, where 192.168.x.x should be your computer's IP address. Then select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol and ICMP headers of the packet in the packet details window (as I did below; to view it better, you can use zooming).

Question 7:

What is the value in the protocol type field of the IP packet? Why is it this value? What is the type value in the ICMP header? What does it mean? How many bytes are there in the IP header? How many bytes are there in the payload of the IP packet? Explain how you determined the number of payload bytes.

The protocol type of the IP packet is ICMP.

The value in the protocol type field of the IP packet is ICMP (1).

The type value in the ICMP header is 1. It means the host cannot be reached.

Header length: 20 bytes.

Payload length: 64 bytes.

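Question 8:

Has this IP packet been fragmented? Explain how you determined whether or not the packet has been fragmented. What is the Identification for this IP packet?

The total length of the IP packet is 92 bytes and the payload length is 64 bytes, so it has not been fragmented.

Identification: 0x66f1 (26353)

Question 9:

What is the TTL value for this IP packet? Why is this value set?

Time to live is 3.

This number can be regarded as a number for the packet in the network system; the TTL value decreases as the transmission distance increases, and after passing through 3 routers the packet is discarded.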

(7) Select the first ICMP Time exceeded message, and expand the IP protocol header (as I did below)

Question 10:

What is the source IP address of this IP packet? And what is the destination IP address of this packet? What is the value in the protocol type field (in the IP header)?

Source IP address: 192.168.152.57

Destination IP address: 115.239.210.27

Protocol type: ICMP

Question 11:

What is the ICMP message type carried in the packet? What is the sender of this message?

Type 8.

115.239.210.27 (XX server)

(8) Read some other captured packets, and answer the questions:

Question 12:

What are the values in the Identification field and the TTL field in the ICMP Echo request messages? Why are TTL values set like this?

TTL: 64.

The initial TTL value is determined by our own operating system.

Task 2 IP fragmentation

This task is to learn how IP fragmentation and re-assembly work.

(9) Start the WireShark packet capturing

(10) In the command window run the command ping to check if  is alive, send the ICMP message of size 128 bytes (using length option -l 128):

    ping -l 128

You will get the output as follows:

(11) Stop the packet capturing and save the data to a file (my file ping128.pcap)

Now read the captured packets and do the analysis:

(12) First, use the filter “icmp” to display only ICMP messages, as follows:

Question 13:

Calculate the round trip delays for the 4 ICMP Echo request and Echo reply messages, and find the minimum, maximum, and average delays. Compare them with the values given in the output of the ping program.

Difference of 7 ms

Difference of 5 ms

Difference of 16 ms

Difference of 7 ms

After comparison, it is easy to see that they are the same.

Question 14:

What is the value in the Identification field of frame 74? Why is the length 170 bytes?

1360/8=170

Next we analyze the fragmentation.

(13) Start the WireShark packet capturing

(14) In the command window run the command ping to check if 192.168.156.101 is alive, send the ICMP message of size 3000 bytes (using length option -l 3000):

    ping 192.168.156.101 -l 3000

You will get the output as follows:

(15) In the first captured ICMP Echo request message packet, expand the IP protocol header, and you will find the IP Fragments as I showed below. This ICMP Echo request message was carried in 3 IP packets (fragments). These fragments are found in packet numbers 71, 72 and 73, in my example.

Question 15:

What is the value in the Identification field? On the line "IP Fragments (3008 bytes):", why is the payload data 3008 bytes?

Now analyze these fragments. Remove the display filter, and locate the packet numbers.

Question 16:

Fill in the following table based on the IP headers in these fragments:

| Packet number | IP Identification | More fragment bit | Fragment offset in bytes | Fragment offset in 8-bytes | Head length | Total length |
|---|---|---|---|---|---|---|
| 129791 | 0x1454 | Not set | 2960 | 370 | 20 | 68 |
| 129898 | 0x145f | Not set | 2960 | 370 | 20 | 68 |
| 129998 | 0x1465 | Not set | 2960 | 370 | 20 | 68 |

Question 17:

How do you know if an IP fragment is the first fragment, and if an IP fragment is the last fragment?

If the value of Fragment offset is 0 and More fragment is set to 1, it means that this IP fragment is the first fragment. If More fragment is set to 0, it means that this IP fragment is the last fragment.
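The fragment fields from Questions 15 to 17, worked through in Python as an added example (not part of the original lab handout or report): it splits the 3008-byte ICMP message produced by "ping -l 3000" over an assumed 1500-byte MTU, then classifies each fragment from its More fragments bit and offset. The helper names and the checksum-less headers are constructed for illustration; the addresses and the Identification value 0x1454 are taken from this page.

```python
import struct

MF = 0x2000  # More fragments bit in the flags/offset word

def build_header(ident, mf, offset, payload_len):
    """Pack a 20-byte IPv4 header for ICMP (constructed sample, checksum left 0)."""
    word = (MF if mf else 0) | (offset // 8)  # offset is stored in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, word,
                       64, 1, 0, bytes([192, 168, 156, 57]),
                       bytes([192, 168, 156, 101]))

def parse_header(raw):
    """Extract the fields Wireshark lists under Internet Protocol."""
    ver_ihl, _, total, ident, word = struct.unpack("!BBHHH", raw[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "mf": bool(word & MF), "offset": (word & 0x1FFF) * 8,
            "ihl": ihl, "total": total, "payload": total - ihl}

def position(h):
    """Classify a fragment from its offset and More fragments bit."""
    if h["offset"] == 0:
        return "first" if h["mf"] else "unfragmented"
    return "middle" if h["mf"] else "last"

def fragment(ident, payload_len, mtu=1500):
    """Split payload_len bytes into headers the way a sender with this MTU would."""
    step = (mtu - 20) // 8 * 8  # every fragment but the last carries a multiple of 8
    headers, off = [], 0
    while off < payload_len:
        size = min(step, payload_len - off)
        headers.append(build_header(ident, off + size < payload_len, off, size))
        off += size
    return headers

def reassembled_length(raw_headers):
    """Payload length after reassembly, or None if a fragment is missing."""
    frags = sorted((parse_header(r) for r in raw_headers), key=lambda h: h["offset"])
    expected = 0
    for h in frags:
        if h["offset"] != expected:  # gap or overlap: do not reassemble
            return None
        expected += h["payload"]
    return expected if frags and not frags[-1]["mf"] else None

if __name__ == "__main__":
    # ping -l 3000 -> 8-byte ICMP header + 3000 data bytes = 3008-byte IP payload
    for raw in fragment(0x1454, 8 + 3000):
        h = parse_header(raw)
        print(position(h), h["offset"], h["offset"] // 8, h["ihl"], h["total"])
```

The last fragment it produces has offset 2960 (370 in 8-byte units), header length 20 and total length 68, the same values as the rows recorded in the Question 16 table.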

Task 3 TCP operations

In this task, you will capture packets from an HTTP application. Follow the steps to capture packets.

(16) Terminate your web browser program.

(17) Start WireShark to capture the packets.

(18) Fill in the address and click the link to view some pages.

(19) End the packet capturing, and save the data to a file (my file is hdu1.pcap).

(20) Use “http and ip.addr==192.168.159.52” as the filter to only display the HTTP data unit,

Question 18:

What is the IP address for your computer, and what is the IP address for ?

My computer's IP: 192.168.1.106

Hangzhou Dianzi University (HDU) IP: 111.1.61.73

Next, you only need to read and analyze the data communications between your computer and .

(19) 3-way handshake to set up a TCP connection.

Use “tcp and ip.addr==192.168.159.52” as the display filter (as shown below), and find the 3 TCP segments that perform the connection setup.

Question 19:

What are port
