Wireshark6EthernetARP.docx

1、Wireshark6EthernetARP重 庆 大 学 软 件 学 院实 验 报 告实验名称利用Wireshark分析Ethernet_ARP协议课程名称计算机网络与通信姓名成绩学号教师胡海波班级日期2013-05-18计算机网络与通信实验报告开课实验室： 年 月 日姓 名年级、班级成 绩实验（项目）名称实验六：利用Wireshark分析Ethernet_ARP协议指导教师胡海波教师评语教师签名：胡海波年 月 日一、实验目的1.学会怎么使用nslookup工具查询并分析Internet域名信息或诊断DNS服务器，并且能够使用ipconfig工具进行分析。2.了解怎么使用WireShark简单

2、分析DNS协议。二、使用的软件、硬件1. 接入Internet的计算机2.抓包工具WireShark3.wingdows 7 自带的截图工具三、实验过程原始记录(数据、图表、计算等)1. What is the 48-bit Ethernet address of your computer?The 48-bit Ethernet address of my computer is:c8:0a:a9:db:9b:f32. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernetaddre

3、ss of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as itsEthernet address? Note: this is an important question, and one that studentssometimes get wrong. Re-read pages 468-469 in the text and make sure youunderstand the answer here.(1) The 48-bit destination address in the Ether

4、net frame is:00:23:89:8d:50:71(2) This is not the Ethernet address of gaia.cs.umass.edu.(3)It is the address of my Linksys router, whick is the link used to get off the subnet.3. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s)whose value is 1 mean within the flag fie

5、ld?(1)The hexadecimal value for the two-byte Frame type field is:ox0800(2)The value is 1 within the flag field means the fragment has not been fragmented.4. How many bytes from the very start of the Ethernet frame does the ASCII “G” in“GET” appear in the Ethernet frame?(1)The ASCII “G” appears 54 by

6、tes from the very start of the Ethernet frame.(2)Calculation process as follows:There are 14 bytes of Ethernet frame,20 bytes of IP header and 20 bytes of TCP header before HTTP data is encountered.5. What is the hexadecimal value of the CRC field in this Ethernet frame?(1)There is no CRC field.(2)B

7、ecause the CRC calculated before the Wireshark packet sniffer start up.6. What is the value of the Ethernet source address? Is this the address of yourcomputer, or of gaia.cs.umass.edu (Hint: the answer is no). What device has thisas its Ethernet address?(1) The value of the Ethernet source address

8、is: 00:23:89:8d:50:71(2)This is neither the address of your computer,northe address of gaia.cs.umass.edu.(3)It is the address of my Linksys router,which is the link used to get onto my subnet.7. What is the destination address in the Ethernet frame? Is this the Ethernet addressof your computer?(1) T

9、he destination address in the Ethernet frame is:c8:0a:a9:db:9b:f3(2) It is the address of my computer.(The 48-bit Ethernet address of my computer is:c8:0a:a9:db:9b:f3)8. Give the hexadecimal value for the two-byte Frame type field. What do the bit(s)whose value is 1 mean within the flag field?(1) Th

10、e hexadecimal value for the two-byte Frame type field is: 0x0800.(2) The value is 1 within the flag field means the fragment has not been fragmented.9. How many bytes from the very start of the Ethernet frame does the ASCII “O” in“OK” (i.e., the HTTP response code) appear in the Ethernet frame?(1)Th

11、e ASCII “O” appears 54 bytes from the very start of the Ethernet frame.(2)Calculation process as follows:There are 14 bytes of Ethernet frame,20 bytes of IP header and 20 bytes of TCP header before HTTP data is encountered.10. What is the hexadecimal value of the CRC field in this Ethernet frame?(1)

12、There is no CRC field.(2)The reason: Because the CRC calculated before the Wireshark packet sniffer start up.11. Write down the contents of your computers ARP cache. What is the meaning ofeach column value?The Internet Address column contains the IP address,.The Physical Address column contains the

13、MAC address, and the type indicates the protocol type.12. What are the hexadecimal values for the source and destination addresses in theEthernet frame containing the ARP request message?(1)The hexadecimal values for the source addresses in the Ethernet frame containing the ARP request message is: 0

14、0:23:89:8d:50:71(2)The destination addresses in the Ethernet frame containing the ARP request message is: ff:ff:ff:ff:ff:ff13. Give the hexadecimal value for the two-byte Ethernet Frame type field. What dothe bit(s) whose value is 1 mean within the flag field?(1)The hexadecimal value for the two-byt

15、e Ethernet Frame type field is:0x0806.(2).There is no Flag field.14. Download the ARP specification from ftp:/ftp.rfc-editor.org/innotes/std/std37.txt. A readable, detailed discussion of ARP is also at http:/www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.a) How many bytes from the very be

16、ginning of the Ethernet frame does theARP opcode field begin?The ARP opcode field begins 20 bytes from the very beginning of the Ethernet frame.b) What is the value of the opcode field within the ARP-payload part of theEthernet frame in which an ARP request is made?The hex value for opcode field wit

17、hing the ARP-payload of the request is 1.c) Does the ARP message contain the IP address of the sender?Yes, the ARP message containg the IP address 192.168.1.105 for the sender.d) Where in the ARP request does the “question” appear the Ethernetaddress of the machine whose corresponding IP address is

18、being queried?The field “Target MAC address” is set to 00:00:00:00:00:00 to question the machine whose corresponding IP address (192.168.1.105) is being queried.15. Now find the ARP reply that was sent in response to the ARP request.a) How many bytes from the very beginning of the Ethernet frame doe

19、s theARP opcode field begin?The ARP opcode field begins 20 bytes from the very beginning of the Ethernet frame.b) What is the value of the opcode field within the ARP-payload part of theEthernet frame in which an ARP response is made?The hex value for opcode field withing the ARP-payload part of the

20、 Ethernet frame is 2c) Where in the ARP message does the “answer” to the earlier ARP requestappear the IP address of the machine having the Ethernet address whosecorresponding IP address is being queried?The answer to the earlier ARP request appears in the”Sender MAC address” field, which contains t

21、he Ethernet address 00:d0:59:a9:3d:68 for the sender with IP address 192.168.1.116. What are the hexadecimal values for the source and destination addresses in theEthernet frame containing the ARP reply message?The hex value for the source address is 00:06:25:da:af:73 and for the destination is 00:d

22、0:59:a9:3d:68 .17. Open the ethernet-ethereal-trace-1 trace file inhttp:/gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip. The first and secondARP packets in this trace correspond to an ARP request sent by the computerrunning Wireshark, and the ARP reply sent to the computer running Wireshark b

23、ythe computer with the ARP-requested Ethernet address. But there is yet anothercomputer on this network, as indiated by packet 6 another ARP request. Why isthere no ARP reply (sent in response to the ARP request in packet 6) in the packettrace?There is no reply in this trace, because we are not at t

24、he machine that sent the request. The ARP request is broadcast, but the ARP reply is sent back directly to the senders Ethernet address.四、实验总结1.CRC在WireShark中是不能被抓到的，原因是CRC在抓包之前已经被计算好。2.ARP Request消息的Type字段值为1；ARP Replyt消息的Type字段值为2。3.MAC address是唯一的。4.清空ARP缓存时（ARP d ）会出现如下的情况：5.ARP a 可以查看ARP缓存中的内容。