Report2 451l

Mohammad Hamdan
EECE 451 LAB1 REPORT Mohamad Ghazi Raad

Wednesday, September 28, 2016
Prelab 2:
1. Write the syntax for an ifconfig command that sets the IP
address of the interface eth0 to 128.143.2.3/16 with
broadcast address 128.143.255.255.

ifconfig eth0 128.143.2.3 netmask 255.255.0.0 broadcast
128.143.255.255
2. Write the syntax of a tcpdump command that captures
packets containing IP datagrams with a source or
destination IP address equal to 10.0.1.12.

tcpdump host 10.0.1.12
packets containing ICMP messages with a source or
destination IP address equal to 10.0.1.12.

tcpdump icmp and host 10.0.1.12
packets containing IP datagrams between two hosts with IP
address 10.0.1.11 and 10.0.1.12, both on interface eth1 .

tcpdump i eth1 host 10.0.1.11 and host 10.0.1.12
5. Write a tcpdump filter expression that captures packets
containing TCP segments with a source or destination IP
address equal to 10.0.1.12.

tcpdump tcp and host 10.0.1.12
6. Write a tcpdump filter that, in addition to constraints in
Question 5, only captures packets using port number 23.

tcpdump tcp port 23 and host 10.0.1.12
7. Write the syntax for an ethereal command with capture filter
so that all IP datagrams with a source or destination IP
address equal to 10.0.1.12 are recorded.

Ethereal f host 10.0.1.12
8. Write the syntax for an ethereal display filter that shows IP
datagrams with a destination IP address equal to 10.0.1.50
and frame size greater than 400 bytes.

Ip.dest==10.0.1.50 && frame.pkt_len>400
9. Write the syntax for an ethereal display filter that shows
packets containing ICMP messages with a source or
destination IP address equal to 10.0.1.12 and frame numbers
between 15 and 30.

Ip.addr==10.0.1.12 && icmp && frame.number>15
&&frame.number<30
10. Write the syntax for an ethereal display filter that
shows packets containing TCP segments with a source or
destination IP address equal to 10.0.1.12 and using port
number 23.
Ip.addr=10.0.1.12 && tcp.port==23
11. Write an ethereal capture filter expression for question
10.
Ethereal -f host 10.0.1.12 and tcp port 23
PART 1: Using Filters in TCPDUMP
Exercice1- Writing filter expressions for tcpdump
To filter all packets with PC2 as source or destination we

execute the following command:
Tcpdump n l host 10.0.1.12 | tee > /labdata/ex1
Then we ping PC2 by executing the command:

Ping c 5 10.0.1.12
The output of the tcpdump command executed was saved in a
file using the tail command.
12:22:55.227776 10.0.1.11 > 10.0.1.12: icmp: echo request (DF)

12:22:55.228240 10.0.1.12 > 10.0.1.11: icmp: echo reply
12:22:56.227223 10.0.1.12 > 10.0.1.11: icmp: echo reply
12:22:57.226209 10.0.1.12 > 10.0.1.11: icmp: echo reply
12:22:58.225194 10.0.1.12 > 10.0.1.11: icmp: echo reply
12:22:59.234671 10.0.1.12 > 10.0.1.11: icmp: echo reply
12:23:00.225916 arp who-has 10.0.1.11 tell 10.0.1.12
12:23:00.225938 arp reply 10.0.1.11 is-at 0:4:23:5f:fd:14
Set the filter so that only ICMP messages are captured. The
command is:
Tcpdump n l host 10.0.1.12 and \icmp| tee > /labdata/ex1p3

12:23:18.575748 10.0.1.12 > 10.0.1.11: icmp: echo reply
12:23:19.575107 10.0.1.12 > 10.0.1.11: icmp: echo reply
12:23:20.574841 10.0.1.12 > 10.0.1.11: icmp: echo reply
12:23:21.574826 10.0.1.12 > 10.0.1.11: icmp: echo reply
12:23:22.574810 10.0.1.12 > 10.0.1.11: icmp: echo reply
PART 2: Using Filters in Ethereal
Exercise 2(A)- Setting capture filters in ethereal
Run ethereal on PC1, then setting a capture filter so that all
packets that contain the IP address of PC2 are recorded. The filter
expression used in the filter box is: Host 10.0.1.12
Ping command to PC2 from another terminal window as following:

Ping c 5 10.0.1.12
Stop the capture on ethereal and save the result using the print
function in the file menu. The output is as following:
No. Time Source Destination Protocol Info

1 0.000000 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
2 0.000460 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
3 0.998985 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
4 0.999444 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
5 2.007826 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
6 2.008297 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
7 3.007843 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
8 3.008281 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
9 4.007838 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
10 4.008266 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
11 4.993639 00:04:23:60:05:5e 00:04:23:5f:fd:14 ARP Who
has 10.0.1.11? Tell 10.0.1.12
12 4.993667 00:04:23:5f:fd:14 00:04:23:60:05:5e ARP
10.0.1.11 is at 00:04:23:5f:fd:14
Exercise 2(B)- Working with display filters
Repeat the same procedure as before, Set the display filter so
that all IP datagrams with destination IP address 10.0.1.12 are shown
using the following display filter: Ip.dst==10.0.1.12.

The output is as following:

1 0.000000 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
3 1.008992 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
5 2.009038 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
7 3.009029 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
9 4.009039 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
Repeat the same procedure as above, but use the display filter
Ip.src==10.0.1.12 which lists only IP datagrams with a source IP
address equal to 10.0.1.12. The output is as following:

2 0.000437 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
4 1.010033 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
6 2.010022 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
8 3.019995 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
10 4.020607 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
Exercise 2(C)- More complex capture and display filters
Start ethereal on PC1 and begin capturing all packets. From a
new terminal we ping PC2 and at the same time we start a telnet
session from PC1 to PC2 using the following command: telnet
10.0.1.12. when the session is established we log in to PC2 as
root then exit. Finally, we stop the capture of ethereal and apply
several display filters to the captured packets:
a) Display packets that contain ICMP messages with the IP address
of PC2 either as a source or destination address, using the
following display filter:
Ip.addr==10.0.1.12 && icmp
The output in this case is as following:

1 0.000000 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
2 0.000381 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
3 1.001773 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
4 1.002111 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
5 2.002886 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
6 2.003221 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
23 3.011770 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
24 3.012199 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
25 4.021774 10.0.1.11 10.0.1.12 ICMP
Echo (ping) request
26 4.022176 10.0.1.12 10.0.1.11 ICMP
Echo (ping) reply
b) Display packets that contain TCP traffic with the IP address of
PC2 either as a source or destination address, using the following
display filter:
Ip.addr==10.0.1.12 && tcp
The output in this case is as following:

7 2.659638 10.0.1.11 10.0.1.12 TCP
33201 > 23 [SYN] Seq=388160986 Ack=0 Win=5840 Len=0
8 2.659969 10.0.1.12 10.0.1.11 TCP 23
> 33201 [SYN, ACK] Seq=3993415152 Ack=388160987 Win=5792 Len=0
9 2.660001 10.0.1.11 10.0.1.12 TCP
33201 > 23 [ACK] Seq=388160987 Ack=3993415153 Win=5840 Len=0
10 2.662333 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
11 2.662590 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
12 2.662610 10.0.1.11 10.0.1.12 TCP
13 2.662839 10.0.1.12 10.0.1.11 TCP 23
> 33201 [ACK] Seq=3993415165 Ack=388161020 Win=5792 Len=0
14 2.662964 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
15 2.662970 10.0.1.11 10.0.1.12 TCP
16 2.665749 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
17 2.668960 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
18 2.668998 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
19 2.669459 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
20 2.669504 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
21 2.669837 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
22 2.701758 10.0.1.11 10.0.1.12 TCP
27 7.987742 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
28 7.988142 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
29 7.988187 10.0.1.11 10.0.1.12 TCP
30 8.152598 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
31 8.152889 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
32 8.152910 10.0.1.11 10.0.1.12 TCP
33 8.247516 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
34 8.247816 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
35 8.247837 10.0.1.11 10.0.1.12 TCP
36 8.428097 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
37 8.428428 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
38 8.428471 10.0.1.11 10.0.1.12 TCP
39 8.577712 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
40 8.578064 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
41 8.578105 10.0.1.11 10.0.1.12 TCP
42 8.579811 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
43 8.579837 10.0.1.11 10.0.1.12 TCP
44 8.962825 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
45 8.994248 10.0.1.12 10.0.1.11 TCP 23
46 9.038190 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
47 9.038586 10.0.1.12 10.0.1.11 TCP 23
48 9.195323 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
49 9.195716 10.0.1.12 10.0.1.11 TCP 23
50 10.440734 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
51 10.441013 10.0.1.12 10.0.1.11 TCP 23
52 10.942159 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
53 10.942504 10.0.1.12 10.0.1.11 TCP 23
54 10.982162 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
55 10.982475 10.0.1.12 10.0.1.11 TCP 23
56 11.022917 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
57 11.023195 10.0.1.12 10.0.1.11 TCP 23
58 11.055905 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
59 11.056293 10.0.1.12 10.0.1.11 TCP 23
60 11.092149 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
61 11.092515 10.0.1.12 10.0.1.11 TCP 23
62 11.132075 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
63 11.132359 10.0.1.12 10.0.1.11 TCP 23
64 11.518530 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
65 11.518813 10.0.1.12 10.0.1.11 TCP 23
66 11.706061 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
67 11.706420 10.0.1.12 10.0.1.11 TCP 23
68 11.821095 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
69 11.821457 10.0.1.12 10.0.1.11 TCP 23
70 11.948539 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
71 11.948860 10.0.1.12 10.0.1.11 TCP 23
72 12.431228 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
73 12.431615 10.0.1.12 10.0.1.11 TCP 23
74 12.699095 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
75 12.699409 10.0.1.12 10.0.1.11 TCP 23
76 12.866329 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
77 12.866658 10.0.1.12 10.0.1.11 TCP 23
78 12.874654 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
79 12.874666 10.0.1.11 10.0.1.12 TCP
80 12.934608 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
81 12.934639 10.0.1.11 10.0.1.12 TCP
82 12.937727 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
83 12.937734 10.0.1.11 10.0.1.12 TCP
84 14.814229 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
85 14.815042 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
86 14.815065 10.0.1.11 10.0.1.12 TCP
87 14.979284 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
88 14.979790 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
89 14.979813 10.0.1.11 10.0.1.12 TCP
90 15.056809 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
91 15.057233 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
92 15.057282 10.0.1.11 10.0.1.12 TCP
93 15.196868 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
94 15.197373 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
95 15.197404 10.0.1.11 10.0.1.12 TCP
96 15.354397 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
97 15.354878 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
98 15.354909 10.0.1.11 10.0.1.12 TCP
99 15.355251 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
100 15.355266 10.0.1.11 10.0.1.12 TCP
101 15.356750 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
102 15.356763 10.0.1.11 10.0.1.12 TCP
103 15.360630 10.0.1.12 10.0.1.11 TCP 23
> 33201 [FIN, ACK] Seq=3993415407 Ack=388161128 Win=5792 Len=0
104 15.361864 10.0.1.11 10.0.1.12 TCP
33201 > 23 [FIN, ACK] Seq=388161128 Ack=3993415408 Win=5840 Len=0
105 15.362124 10.0.1.12 10.0.1.11 TCP 23
c) Limit the displayed packets to the ones using port 23. The
display filter used in this case is:
Ip.addr==10.0.1.12 && tcp.port==23
The output is as following:
No. Time Source Destination Protocol

Info
7 2.659638 10.0.1.11 10.0.1.12 TCP
33201 > 23 [SYN] Seq=388160986 Ack=0 Win=5840 Len=0
8 2.659969 10.0.1.12 10.0.1.11 TCP 23
> 33201 [SYN, ACK] Seq=3993415152 Ack=388160987 Win=5792 Len=0
9 2.660001 10.0.1.11 10.0.1.12 TCP
10 2.662333 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
11 2.662590 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
12 2.662610 10.0.1.11 10.0.1.12 TCP
13 2.662839 10.0.1.12 10.0.1.11 TCP 23
14 2.662964 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
15 2.662970 10.0.1.11 10.0.1.12 TCP
16 2.665749 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
17 2.668960 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
18 2.668998 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
19 2.669459 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
20 2.669504 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
21 2.669837 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
22 2.701758 10.0.1.11 10.0.1.12 TCP
27 7.987742 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
28 7.988142 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
29 7.988187 10.0.1.11 10.0.1.12 TCP
30 8.152598 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
31 8.152889 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
32 8.152910 10.0.1.11 10.0.1.12 TCP
33 8.247516 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
34 8.247816 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
35 8.247837 10.0.1.11 10.0.1.12 TCP
36 8.428097 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
37 8.428428 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
38 8.428471 10.0.1.11 10.0.1.12 TCP
39 8.577712 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
40 8.578064 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
41 8.578105 10.0.1.11 10.0.1.12 TCP
42 8.579811 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
43 8.579837 10.0.1.11 10.0.1.12 TCP
44 8.962825 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
45 8.994248 10.0.1.12 10.0.1.11 TCP 23
46 9.038190 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
47 9.038586 10.0.1.12 10.0.1.11 TCP 23
48 9.195323 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
49 9.195716 10.0.1.12 10.0.1.11 TCP 23
50 10.440734 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
51 10.441013 10.0.1.12 10.0.1.11 TCP 23
52 10.942159 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
53 10.942504 10.0.1.12 10.0.1.11 TCP 23
54 10.982162 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
55 10.982475 10.0.1.12 10.0.1.11 TCP 23
56 11.022917 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
57 11.023195 10.0.1.12 10.0.1.11 TCP 23
58 11.055905 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
59 11.056293 10.0.1.12 10.0.1.11 TCP 23
60 11.092149 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
61 11.092515 10.0.1.12 10.0.1.11 TCP 23
62 11.132075 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
63 11.132359 10.0.1.12 10.0.1.11 TCP 23
64 11.518530 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
65 11.518813 10.0.1.12 10.0.1.11 TCP 23
66 11.706061 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
67 11.706420 10.0.1.12 10.0.1.11 TCP 23
68 11.821095 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
69 11.821457 10.0.1.12 10.0.1.11 TCP 23
70 11.948539 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
71 11.948860 10.0.1.12 10.0.1.11 TCP 23
72 12.431228 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
73 12.431615 10.0.1.12 10.0.1.11 TCP 23
74 12.699095 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
75 12.699409 10.0.1.12 10.0.1.11 TCP 23
76 12.866329 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
77 12.866658 10.0.1.12 10.0.1.11 TCP 23
78 12.874654 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
79 12.874666 10.0.1.11 10.0.1.12 TCP
80 12.934608 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
81 12.934639 10.0.1.11 10.0.1.12 TCP
82 12.937727 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
83 12.937734 10.0.1.11 10.0.1.12 TCP
84 14.814229 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
85 14.815042 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
86 14.815065 10.0.1.11 10.0.1.12 TCP
87 14.979284 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
88 14.979790 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
89 14.979813 10.0.1.11 10.0.1.12 TCP
90 15.056809 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
91 15.057233 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
92 15.057282 10.0.1.11 10.0.1.12 TCP
93 15.196868 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
94 15.197373 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
95 15.197404 10.0.1.11 10.0.1.12 TCP
96 15.354397 10.0.1.11 10.0.1.12 TELNET
Telnet Data ...
97 15.354878 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
98 15.354909 10.0.1.11 10.0.1.12 TCP
99 15.355251 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
100 15.355266 10.0.1.11 10.0.1.12 TCP
101 15.356750 10.0.1.12 10.0.1.11 TELNET
Telnet Data ...
102 15.356763 10.0.1.11 10.0.1.12 TCP
103 15.360630 10.0.1.12 10.0.1.11 TCP 23
> 33201 [FIN, ACK] Seq=3993415407 Ack=388161128 Win=5792 Len=0
104 15.361864 10.0.1.11 10.0.1.12 TCP
33201 > 23 [FIN, ACK] Seq=388161128 Ack=3993415408 Win=5840 Len=0
105 15.362124 10.0.1.12 10.0.1.11 TCP 23
PART 3: ARP- Address Resolution Protocol
Exercise 3A- A simple experiment with ARP

View the ARP cache on PC1 using the command arp a, then deleting
all the entries using the command arp d. Note that when we displayed
the content of the ARP cache we did not observe any entry since the ARP
entries are deleted after a certain lifetime period.
Run ethereal on PC1 with a capture filter set to the IP address of PC2,
and issue as ping command from PC1 to PC2 using the command: ping
c 2 10.0.1.12.
Capture the ARP packets in ethereal, we observe the destination MAC
address of the ARP Request packets as well as the Type field in the
Ethernet headers of ARP packets and ICMP messages.
Please note that in the lab we issued 5 ping requests because we used
the command: ping c 5 10.0.1.12.
Now we view the ARP cache again with the command arp a.
The results of ethereal are saved and are as following:

1 0.000000 Intel_5f:fd:14 Broadcast ARP Who has 10.0.1.12?
Tell 10.0.1.11
Frame 1 (42 bytes on wire, 42 bytes captured)

Arrival Time: Mar 2, 2007 16:58:41.453367000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 42 bytes
Capture Length: 42 bytes
Protocols in frame: eth:arp
Coloring Rule Name: ARP
Coloring Rule String: arp
Ethernet II, Src: Intel_5f:fd:14 (00:04:23:5f:fd:14), Dst: Broadcast
(ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Address: Broadcast (ff:ff:ff:ff:ff:ff)
.... ...1 .... .... .... .... = Multicast: This is a MULTICAST frame
.... ..1. .... .... .... .... = Locally Administrated Address: This is
NOT a factory default address
Source: Intel_5f:fd:14 (00:04:23:5f:fd:14)
Address: Intel_5f:fd:14 (00:04:23:5f:fd:14)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a
FACTORY DEFAULT address
Type: ARP (0x0806)
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: Intel_5f:fd:14 (00:04:23:5f:fd:14)
Sender IP address: 10.0.1.11 (10.0.1.11)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 10.0.1.12 (10.0.1.12)

2 0.000321 Intel_60:05:5e Intel_5f:fd:14 ARP
10.0.1.12 is at 00:04:23:60:05:5e

Arrival Time: Mar 2, 2007 16:58:41.453688000
Frame Number: 2
Ethernet II, Src: Intel_60:05:5e (00:04:23:60:05:5e), Dst: Intel_5f:fd:14
(00:04:23:5f:fd:14)
Destination: Intel_5f:fd:14 (00:04:23:5f:fd:14)
Source: Intel_60:05:5e (00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: ARP (0x0806)
Trailer: 000000000000000000000000000000000000
Address Resolution Protocol (reply)
Hardware size: 6
Protocol size: 4
Opcode: reply (0x0002)
Sender MAC address: Intel_60:05:5e (00:04:23:60:05:5e)
Target MAC address: Intel_5f:fd:14 (00:04:23:5f:fd:14)

3 0.000341 10.0.1.11 10.0.1.12 ICMP Echo
(ping) request

Arrival Time: Mar 2, 2007 16:58:41.453708000
Frame Number: 3
Protocols in frame: eth:ip:icmp:data
Coloring Rule Name: ICMP
Coloring Rule String: icmp
Ethernet II, Src: Intel_5f:fd:14 (00:04:23:5f:fd:14), Dst: Intel_60:05:5e
(00:04:23:60:05:5e)
Destination: Intel_60:05:5e (00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Internet Protocol, Src: 10.0.1.11 (10.0.1.11), Dst: 10.0.1.12 (10.0.1.12)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 84
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: ICMP (0x01)
Header checksum: 0x2493 [correct]
Good: True
Bad : False
Source: 10.0.1.11 (10.0.1.11)
Destination: 10.0.1.12 (10.0.1.12)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x7c86 [correct]
Identifier: 0x2e09
Sequence number: 0x0001
Data (56 bytes)
0000 a1 3b e8 45 d2 ea 06 00 08 09 0a 0b 0c 0d 0e 0f .;.E............
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567

4 0.000819 10.0.1.12 10.0.1.11 ICMP Echo
(ping) reply

Arrival Time: Mar 2, 2007 16:58:41.454186000
Frame Number: 4
(00:04:23:5f:fd:14)
Source: Intel_60:05:5e (00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Version: 4
.... ...0 = ECN-CE: 0
Total Length: 84
Identification: 0x6f72 (28530)
Flags: 0x00
.0.. = Don't fragment: Not set
Fragment offset: 0
Time to live: 64
Header checksum: 0xf520 [correct]
Good: True
Bad : False
Source: 10.0.1.12 (10.0.1.12)
Destination: 10.0.1.11 (10.0.1.11)
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0x8486 [correct]
Identifier: 0x2e09
Data (56 bytes)
0000 a1 3b e8 45 d2 ea 06 00 08 09 0a 0b 0c 0d 0e 0f .;.E............
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567

5 1.010954 10.0.1.11 10.0.1.12 ICMP Echo
(ping) request

Arrival Time: Mar 2, 2007 16:58:42.464321000
Frame Number: 5
(00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Version: 4
.... ...0 = ECN-CE: 0
Total Length: 84
Fragment offset: 0
Time to live: 64
Good: True
Bad : False
Source: 10.0.1.11 (10.0.1.11)
Destination: 10.0.1.12 (10.0.1.12)
Code: 0
Checksum: 0x995a [correct]
Identifier: 0x2e09
Data (56 bytes)
0000 a2 3b e8 45 b4 15 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E............
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567

6 1.011421 10.0.1.12 10.0.1.11 ICMP Echo
(ping) reply

Arrival Time: Mar 2, 2007 16:58:42.464788000
Frame Number: 6
(00:04:23:5f:fd:14)
Source: Intel_60:05:5e (00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Version: 4
.... ...0 = ECN-CE: 0
Total Length: 84
Flags: 0x00
Fragment offset: 0
Time to live: 64
Header checksum: 0xf51f [correct]
Good: True
Bad : False
Source: 10.0.1.12 (10.0.1.12)
Destination: 10.0.1.11 (10.0.1.11)
Code: 0
Checksum: 0xa15a [correct]
Identifier: 0x2e09
Data (56 bytes)
0000 a2 3b e8 45 b4 15 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E............
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567

7 2.020991 10.0.1.11 10.0.1.12 ICMP Echo
(ping) request

Arrival Time: Mar 2, 2007 16:58:43.474358000
Frame Number: 7
(00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Version: 4
.... ...0 = ECN-CE: 0
Total Length: 84
Fragment offset: 0
Time to live: 64
Good: True
Bad : False
Source: 10.0.1.11 (10.0.1.11)
Destination: 10.0.1.12 (10.0.1.12)
Code: 0
Checksum: 0x6232 [correct]
Identifier: 0x2e09
Data (56 bytes)
0000 a3 3b e8 45 ea 3c 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E.<..........
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567

8 2.021399 10.0.1.12 10.0.1.11 ICMP Echo
(ping) reply

Arrival Time: Mar 2, 2007 16:58:43.474766000
Frame Number: 8
(00:04:23:5f:fd:14)
Source: Intel_60:05:5e (00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Version: 4
.... ...0 = ECN-CE: 0
Total Length: 84
Flags: 0x00
Fragment offset: 0
Time to live: 64
Header checksum: 0xf51e [correct]
Good: True
Bad : False
Source: 10.0.1.12 (10.0.1.12)
Destination: 10.0.1.11 (10.0.1.11)
Code: 0
Checksum: 0x6a32 [correct]
Identifier: 0x2e09
Data (56 bytes)
0000 a3 3b e8 45 ea 3c 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E.<..........
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567

9 3.021781 10.0.1.11 10.0.1.12 ICMP Echo
(ping) request

Arrival Time: Mar 2, 2007 16:58:44.475148000
Frame Number: 9
(00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Version: 4
.... ...0 = ECN-CE: 0
Total Length: 84
Fragment offset: 0
Time to live: 64
Good: True
Bad : False
Source: 10.0.1.11 (10.0.1.11)
Destination: 10.0.1.12 (10.0.1.12)
Code: 0
Checksum: 0x4b2e [correct]
Identifier: 0x2e09
Data (56 bytes)
0000 a4 3b e8 45 00 40 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E.@..........
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567

10 3.022258 10.0.1.12 10.0.1.11 ICMP Echo
(ping) reply

Arrival Time: Mar 2, 2007 16:58:44.475625000
Frame Number: 10
(00:04:23:5f:fd:14)
Source: Intel_60:05:5e (00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Version: 4
.... ...0 = ECN-CE: 0
Total Length: 84
Flags: 0x00
Fragment offset: 0
Time to live: 64
Header checksum: 0xf51d [correct]
Good: True
Bad : False
Source: 10.0.1.12 (10.0.1.12)
Destination: 10.0.1.11 (10.0.1.11)
Code: 0
Checksum: 0x532e [correct]
Identifier: 0x2e09
Data (56 bytes)
0000 a4 3b e8 45 00 40 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E.@..........
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567
11 4.021105 10.0.1.11 10.0.1.12 ICMP Echo
(ping) request

Arrival Time: Mar 2, 2007 16:58:45.474472000
Frame Number: 11
(00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Version: 4
.... ...0 = ECN-CE: 0
Total Length: 84
Fragment offset: 0
Time to live: 64
Good: True
Bad : False
Source: 10.0.1.11 (10.0.1.11)
Destination: 10.0.1.12 (10.0.1.12)
Code: 0
Checksum: 0xee2f [correct]
Identifier: 0x2e09
Data (56 bytes)
0000 a5 3b e8 45 5c 3d 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E\=..........
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567
12 4.021494 10.0.1.12 10.0.1.11 ICMP Echo
(ping) reply

Arrival Time: Mar 2, 2007 16:58:45.474861000
Frame Number: 12
(00:04:23:5f:fd:14)
Source: Intel_60:05:5e (00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: IP (0x0800)
Version: 4
.... ...0 = ECN-CE: 0
Total Length: 84
Flags: 0x00
Fragment offset: 0
Time to live: 64
Header checksum: 0xf51c [correct]
Good: True
Bad : False
Source: 10.0.1.12 (10.0.1.12)
Destination: 10.0.1.11 (10.0.1.11)
Code: 0
Checksum: 0xf62f [correct]
Identifier: 0x2e09
Data (56 bytes)
0000 a5 3b e8 45 5c 3d 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E\=..........
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567

13 5.000247 Intel_60:05:5e Intel_5f:fd:14 ARP Who has
10.0.1.11? Tell 10.0.1.12

Arrival Time: Mar 2, 2007 16:58:46.453614000
Frame Number: 13
(00:04:23:5f:fd:14)
Source: Intel_60:05:5e (00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: ARP (0x0806)
Trailer: 000000000000000000000000000000000000
Address Resolution Protocol (request)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: Intel_60:05:5e (00:04:23:60:05:5e)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)

14 5.000276 Intel_5f:fd:14 Intel_60:05:5e ARP
10.0.1.11 is at 00:04:23:5f:fd:14

Arrival Time: Mar 2, 2007 16:58:46.453643000
Frame Number: 14
(00:04:23:60:05:5e)
Address: Intel_60:05:5e (00:04:23:60:05:5e)
Type: ARP (0x0806)
Address Resolution Protocol (reply)
Hardware size: 6
Protocol size: 4
Opcode: reply (0x0002)
Sender MAC address: Intel_5f:fd:14 (00:04:23:5f:fd:14)
Target MAC address: Intel_60:05:5e (00:04:23:60:05:5e)
What is the destination MAC address of an ARP Request
packet?
Because the ARP Request packet is broadcasted the destination MAC
address is ff:ff:ff:ff:ff:ff
What are the different values of the Type field in the Ethernet
headers that you observed?

Packets are either of type ARP or of type IP with an ICMP protocol.
The corresponding values in the Ethernet headers are 0x0806 and
0x0800 respectively.
Use the captured data to discuss the process in which ARP
acquires the MAC address for IP address 10.0.1.12.

To acquire the MAC address of a known IP address, ARP first sends a
broadcast message containing the IP address of the unknown host as well
as the IP of the source. Since the message is broadcasted, the host
having the requested IP knows it has to reply to the source with its MAC
address.
Note that the reply containing the required MAC address is of type
ARP as shown in the red square.
Exercise 3B- Matching IP addresses and MAC addresses
In this part, we collect the MAC addresses of all interfaces connected
to the network either by running the command ifconfig a or by reading
the contents of the ARP cache of each PC.
The IP and MAC addresses of all the machines on the eth0 interface
are listed in the table below:
Table 2.2- IP and MAC addresses
Linux IP address of MAC address of

PC Ethernet Ethernet
Interface eth0 Interface eth0
PC1 10.0.1.11 /24 00:04:23:5F:FD:
14
PC2 10.0.1.12 /24 00:04:23:60:05:5
E
PC3 10.0.1.13 /24 00:04:23:60:05:B
4
PC4 10.0.1.14 /24 00:04:23:5F:4B:3
2
Exercise 3C- ARP requests for a nonexisting address.

In this part we want to observe what happens when an ARP request is
issued for an IP address that does not exist. Run ethereal on PC1 with a
capture filter set to capture packets that contain the IP address of PC1
using the following command:
ethereal f host 10.0.1.11
Then we try to establish a telnet session from PC1 to a nonexisting

address 10.0.1.10 using the command: telnet 10.0.1.10.
The output obtained on ethereal is the following:

1 0.000000 Intel_5f:fd:14 Broadcast ARP Who has 10.0.1.10?
Tell 10.0.1.11
2 0.997325 Intel_5f:fd:14 Broadcast ARP Who has 10.0.1.10? Tell

10.0.1.11
3 1.997325 Intel_5f:fd:14 Broadcast ARP Who has 10.0.1.10? Tell

10.0.1.11
Using the saved output, describe the time interval between
each ARP Request issued by PC1. Describe the method used by
ARP to determine the time between retransmissions of an
unsuccessful ARP Request. Include relevant data to support your
answer.
Repeat the experiment to notice that the pattern is as following: the

ARP request is sent and about one second later if no machine replies with
its MAC address the request times out and a second request is issued.
This time also if no reply is received before the timeout, the sender issues
a third ARP request. Therefore, the source tries 3 times to send ARP
requests. If the three requests time out the request is dropped and we
can conclude that the unknown machines IP address does not exist on
the network.
Note that the data relevant to this question was shown above.
Why are ARP Request packets not transmitted (i.e., not

encapsulated) like IP packets? Explain your answer.
Since the ARP request packets are issued only to know the MAC of a
certain machine and therefore do not contain other data they are not
encapsulated like IP packets. In addition, because the ARP Request
packets are broadcasted with the IP address included in the message, it
does not need to be handled by the layers approach and therefore it does
not need to be encapsulated.
PART 4: The Netstat command
The purpose of this part is to explore how to use the netstat command
to extract different types of information about the network configuration
of a host.
Exercise 4
On PC1 we first try the different variations of the netstat command
and save their output to a file. The first command is netstat in which
displays information on the network interfaces. The output is:
Kernel Interface table

Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 178 0 0 0 208 0 0 0 BMRU
lo 16436 0 37683 0 0 0 37683 0 0 0 LRU
The second command is netstat rn which displays the content of the

IP routing table as shown on the output below:
Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
The third command is netstat s which displays information on TCP

and UDP ports that are currently in use. The output in this case is:
Active Internet connections (servers and established)
Proto Ip:
41578 total packets received
0 forwarded
0 incoming packets discarded
39749 incoming packets delivered
41611 requests sent out
Icmp:
Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:exec *:* LISTEN
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 PC1:32769 *:* LISTEN
tcp 0 0 *:login *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:echo *:* LISTEN
tcp 0 0 *:rsync *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 PC1:783 *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:chargen *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 PC1:ipp *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 PC1:33554 PC1:ipp TIME_WAIT
udp 0 0 *:32768 *:*
udp 0 0 *:talk *:*
udp 0 0 *:ntalk *:*
udp 0 0 *:echo *:*
udp 0 0 *:daytime *:*
udp 0 0 *:chargen *:*
udp 0 0 *:time *:*
udp 0 0 *:tftp *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:884 *:*
udp 0 0 *:631 *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 2785 /tmp/orbit-root/linc-
7f1-0-106f00e11b9ac
7f6-0-106f00e14004b
7fa-0-48b7c698816c1
8e2-0-342c67d28e6d9
unix 2 [ ACC ] STREAM LISTENING 2570 /tmp/.ICE-unix/1936
unix 9 [ ] DGRAM 1588 /dev/log
unix 2 [ ACC ] STREAM LISTENING 2032 /tmp/.iroha_unix/IROHA
800-0-7fb020624c049
unix 2 [ ACC ] STREAM LISTENING 2339 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 2205 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 2329 /tmp/.gdm_socket
unix 2 [ ACC ] STREAM LISTENING 2625 /tmp/.fam_socket
7db-0-288b1883d2e0d
790-0-58411fb06d22
unix 2 [ ACC ] STREAM LISTENING 2429 /tmp/ssh-
XXovRysw/agent.1936
7eb-0-346761c5249bc
7dd-0-185d71bc71cb6
7df-0-e4fbafd97635
7f3-0-2333c74c81bb7
7ef-0-2333c74c96a0f
unix 2 [ ACC ] STREAM LISTENING 2151 /tmp/jd_sockV4
unix 3 [ ] STREAM CONNECTED 8571
unix 3 [ ] STREAM CONNECTED 8567 /tmp/orbit-root/linc-
8e2-0-342c67d28e6d9
7dd-0-185d71bc71cb6
8e2-0-342c67d28e6d9
7db-0-288b1883d2e0d
unix 3 [ ] STREAM CONNECTED 8554 /tmp/.ICE-unix/1936
unix 3 [ ] STREAM CONNECTED 8543 /tmp/.X11-unix/X0
7ef-0-2333c74c96a0f
800-0-7fb020624c049
800-0-7fb020624c049
7dd-0-185d71bc71cb6
800-0-7fb020624c049
7db-0-288b1883d2e0d
7fa-0-48b7c698816c1
7db-0-288b1883d2e0d
unix 3 [ ] STREAM CONNECTED 2896 /tmp/.famNK7s58
7f1-0-106f00e11b9ac
7dd-0-185d71bc71cb6
7f6-0-106f00e14004b
7db-0-288b1883d2e0d
unix 3 [ ] STREAM CONNECTED 2798 /tmp/.famXO4Dq4
7f1-0-106f00e11b9ac
7db-0-288b1883d2e0d
7ef-0-2333c74c96a0f
7dd-0-185d71bc71cb6
7ef-0-2333c74c96a0f
7db-0-288b1883d2e0d
7f3-0-2333c74c81bb7
7db-0-288b1883d2e0d
7eb-0-346761c5249bc
7db-0-288b1883d2e0d
7df-0-e4fbafd97635
7df-0-e4fbafd97635
7dd-0-185d71bc71cb6
unix 3 [ ] STREAM CONNECTED 2631 /tmp/.famxgLcG5
7df-0-e4fbafd97635
7db-0-288b1883d2e0d
790-0-58411fb06d22
7dd-0-185d71bc71cb6
790-0-58411fb06d22
7db-0-288b1883d2e0d
unix 2 [ ] DGRAM 2462
unix 3 [ ] STREAM CONNECTED 2349 /tmp/.font-unix/fs7100
Finally, the fourth command is netstat s which displays the statistics
of various networking protocols. The corresponding output is:
Ip:
38738 total packets received
0 forwarded
0 incoming packets discarded
37038 incoming packets delivered
38771 requests sent out
Icmp:
1795 ICMP messages received
2 input ICMP message failed.
ICMP input histogram:
destination unreachable: 1725
echo replies: 70
1725 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 1725
Tcp:
791 active connections openings
787 passive connection openings
2 failed connection attempts
0 connection resets received
0 connections established
35212 segments received
35245 segments send out
2 segments retransmited
0 bad segments received.
0 resets sent
Udp:
10 packets received
1721 packets to unknown port received.
0 packet receive errors
1731 packets sent
TcpExt:
ArpFilter: 0
775 TCP sockets finished time wait in fast timer
3 delayed acks sent
3542 packets directly queued to recvmsg prequeue.
122622 packets directly received from backlog
86454 packets directly received from prequeue
6824 packets header predicted
4376 packets header predicted and directly queued to user
TCPPureAcks: 3009
TCPHPAcks: 13799
TCPRenoRecovery: 0
TCPSackRecovery: 0
TCPSACKReneging: 0
TCPFACKReorder: 0
TCPSACKReorder: 0
TCPRenoReorder: 0
TCPTSReorder: 0
TCPFullUndo: 0
TCPPartialUndo: 0
TCPDSACKUndo: 0
TCPLossUndo: 0
TCPLoss: 0
TCPLostRetransmit: 0
TCPRenoFailures: 0
TCPSackFailures: 0
TCPLossFailures: 0
TCPFastRetrans: 0
TCPForwardRetrans: 0
TCPSlowStartRetrans: 0
TCPTimeouts: 2
TCPRenoRecoveryFail: 0
TCPSackRecoveryFail: 0
TCPSchedulerFailed: 0
TCPRcvCollapsed: 0
TCPDSACKOldSent: 0
TCPDSACKOfoSent: 0
TCPDSACKRecv: 0
TCPDSACKOfoRecv: 0
TCPAbortOnSyn: 0
TCPAbortOnData: 0
TCPAbortOnClose: 0
TCPAbortOnMemory: 0
TCPAbortOnTimeout: 0
TCPAbortOnLinger: 0
TCPAbortFailed: 0
TCPMemoryPressures: 0
What are the network interfaces of PC1 and what are the MTU
(maximum transmission unit) values of the interfaces?
By observing the output of the command netsat -in, we can see that the
network interfaces of PC1 are eth0 and lo, and their MTU values are
1500 and 16436 respectively.
How many IP datagrams, ICMP messages, UDP datagrams, and

TCP segments has PC1 transmitted and received since it was last
rebooted?
Using the output of the netstat s command we collected the following
data:
Proto IP ICMP UDP TCP
col datagram msgs datagrams segments
Statistic s
s
Receiv 38738 1795 10 + 1721 35212
ed (ports
unknown)
Trans 38771 1725 1731 35245
mitted
Total 77509 3520 3462 70457
Explain the role of interface lo, the loopback interface. In the

output of netstat in, why are the values of RX-OK (packets
received) and TX-OK (packets transmitted) different for interface
eth0 but identical for interface lo?
The loopback interface is used for testing purposes, i.e.: you can send
to your own machine without being connected to a network. The reason
the transmitted and received packets are equal in lo interface is because
when you send to your own machine you are definitely receiving what
you sent. Therefore, the transmitted and received packets are equal. As
for eth0 since the sender and receiver are not the same it is not
necessary that the packets you transmit and receive are equal. For
example, I can send 10 packets to machine A, and receive 3 replies only.
PART 5: Configuring IP interfaces in LINUX

In this part we want to modify the IP address of a network interface
using the ifconfig command.
Exercise 5-Changing the IP address of an interface
We begin by running ifconfig -a on PC4, the output is as following:

eth0 Link encap:Ethernet HWaddr 00:04:23:5F:4B:32
inet addr:10.0.1.14 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:576 (576.0 b) TX bytes:256 (256.0 b)
Interrupt:19 Base address:0xdcc0 Memory:fcfa0000-fcfc0000

BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:20 Base address:0xdc80 Memory:fcf80000-fcfa0000
lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX bytes:2826094 (2.6 Mb) TX bytes:2826094 (2.6 Mb)
Now using the command: Ifconfig -i eth0 10.0.1.11 netmask

255.255.255.0 we change the IP address of interface eth0 of PC4 to
10.0.1.11/24.
We run the command ifconfig a again and this time we obtain the
following output:

inet addr:10.0.1.11 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:19 Base address:0xdcc0 Memory:fcfa0000-fcfc0000

BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:20 Base address:0xdc80 Memory:fcf80000-fcfa0000
lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX bytes:2863832 (2.7 Mb) TX bytes:2863832 (2.7 Mb)
The command ifconfig a displays the configuration of all the network

interfaces on a given PC as well as their status. For each interface the
following information is given: type of the network (eg: Etherenet), IP
address, broadcast address, netmask, MTU, as well as certain
information about previously exchanged packets.
PART 6: Duplicate IP addresses

In this part we observe what happens when two hosts have identical
IP addresses.
Exercise 6
We begin by setting the IP address of PC4 to be the same as that of
PC1, i.e. 10.0.1.11.
Then we made sure that the ARP cache was empty on all PCs by
displaying its content using the command arp a. Note that the cache
was already empty because the entries are automatically deleted after
their lifetime has expired.
On PC3 we run ethereal and set a filter to capture packets to and from
the duplicate address 10.0.1.11 using the command: Ethereal f host
10.0.1.11.
Then on a new terminal we start a telnet session to the duplicate
address 10.0.1.11 using the command telnet 10.0.1.11. We log in as
root user and issue the command arp a in order to determine the
hostname, the content of the arp cache was the following:
? (10.0.1.11) at 00:04:23:5F:FD:14 [ether] on eth0
Therefore, we can see that we have logged in to PC1 since the MAC
address in the arp cache matched with the MAC of PC1.
Moreover, we observed the results obtained on ethereal, they are as
following:
No. Time Source Destination Protocol

Info
1 0.000000 Intel_60:05:b4 Broadcast ARP
Who has 10.0.1.11? Tell 10.0.1.13
2 0.000370 Intel_5f:fd:14 Intel_60:05:b4 ARP
10.0.1.11 is at 00:04:23:5f:fd:14
3 0.000383 10.0.1.13 10.0.1.11 TCP
33629 > telnet [SYN] Seq=0 Len=0 MSS=1460 TSV=434506 TSER=0 WS=0
4 0.000372 Intel_5f:4b:32 Intel_60:05:b4 ARP
10.0.1.11 is at 00:04:23:5f:4b:32
5 0.000743 10.0.1.11 10.0.1.13 TCP
telnet > 33629 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=468798
TSER=434506 WS=0
6 0.000768 10.0.1.13 10.0.1.11 TCP
33629 > telnet [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=434506 TSER=468798
7 0.023534 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
8 0.023977 10.0.1.11 10.0.1.13 TCP
telnet > 33629 [ACK] Seq=1 Ack=34 Win=5792 Len=0 TSV=468801 TSER=434508
9 0.048210 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
10 0.048248 10.0.1.13 10.0.1.11 TCP
11 0.048582 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
12 0.048587 10.0.1.13 10.0.1.11 TCP
13 0.051423 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
14 0.052205 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
15 0.052236 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
16 0.069567 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
17 0.069611 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
18 0.095799 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
19 0.125924 10.0.1.13 10.0.1.11 TCP
20 6.780010 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
21 6.780404 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
22 6.780443 10.0.1.13 10.0.1.11 TCP
23 6.882445 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
24 6.882950 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
25 6.882976 10.0.1.13 10.0.1.11 TCP
26 7.019968 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
27 7.020473 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
28 7.020498 10.0.1.13 10.0.1.11 TCP
29 7.132505 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
30 7.133013 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
31 7.133048 10.0.1.13 10.0.1.11 TCP
32 8.690397 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
33 8.690718 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
34 8.690744 10.0.1.13 10.0.1.11 TCP
35 8.692591 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
36 8.692599 10.0.1.13 10.0.1.11 TCP
37 9.127987 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
38 9.162992 10.0.1.11 10.0.1.13 TCP
39 9.228020 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
40 9.228315 10.0.1.11 10.0.1.13 TCP
41 9.365569 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
42 9.365961 10.0.1.11 10.0.1.13 TCP
43 10.130691 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
44 10.131011 10.0.1.11 10.0.1.13 TCP
45 10.595873 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
46 10.596289 10.0.1.11 10.0.1.13 TCP
47 10.878471 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
48 10.878825 10.0.1.11 10.0.1.13 TCP
49 11.731162 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
50 11.731561 10.0.1.11 10.0.1.13 TCP
51 11.734685 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
52 11.734719 10.0.1.13 10.0.1.11 TCP
53 11.803382 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
54 11.803425 10.0.1.13 10.0.1.11 TCP
55 11.806627 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
56 11.806642 10.0.1.13 10.0.1.11 TCP
57 37.048371 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
58 37.048921 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
59 37.048948 10.0.1.13 10.0.1.11 TCP
60 37.380840 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
61 37.381422 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
62 37.381449 10.0.1.13 10.0.1.11 TCP
63 37.831085 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
64 37.831588 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
65 37.831638 10.0.1.13 10.0.1.11 TCP
66 38.098620 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
67 38.099133 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
68 38.099160 10.0.1.13 10.0.1.11 TCP
69 38.438598 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
70 38.439128 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
71 38.439155 10.0.1.13 10.0.1.11 TCP
72 38.856408 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
73 38.856949 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
74 38.857028 10.0.1.13 10.0.1.11 TCP
75 38.866340 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
76 38.866809 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
77 38.905926 10.0.1.13 10.0.1.11 TCP
78 39.768968 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
79 39.769509 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
80 39.769561 10.0.1.13 10.0.1.11 TCP
81 40.349001 10.0.1.13 10.0.1.11 TELNET
Telnet Data ...
82 40.349444 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
83 40.349470 10.0.1.13 10.0.1.11 TCP
84 40.352316 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
85 40.352325 10.0.1.13 10.0.1.11 TCP
86 40.352693 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
87 40.352719 10.0.1.13 10.0.1.11 TCP
88 40.353072 10.0.1.11 10.0.1.13 TELNET
Telnet Data ...
89 40.353084 10.0.1.13 10.0.1.11 TCP
Finally, we reset the IP address of PC4 to its original value which is
10.0.1.14.
Explain why telnet session was established to one of the hosts
with the duplicate address and not the other? Explain why the
telnet session was established at all and did not result in an error
message.
PC3 issued and ARP request Who has 10.0.1.11 tell 10.0.1.13. Since
both PC1 and PC4 have 10.0.1.11 as their IP both replied. In our case,
PC1 replied earlier than PC4, so directly a telnet session was established
by PC3 to PC1. The second reply was not taken into consideration. PC3
knew there is an IP conflict only after it established the connection with
PC1.
PART 7: Changing Netmasks
In this part, we test the effects of changing the netmask of a network
configuration. Therefore we begin by setting up the interfaces of the
hosts noting that now PC2 and PC4 have been assigned different network
prefixes.
Exercise 7
The interfaces of the hosts are configured to the IP addresses and
netmasks shown in the table below using the ifconfig command.
Table 2.4-IP addresses for Part 7
Linux IP address of Network

PC Ethernet Mask
Interface eth0
PC1 10.0.1.100 /24 255.255.255
.0
PC2 10.0.1.101 /28 255.255.255
.240
PC3 10.0.1.120 /24 255.255.255
.0
PC4 10.0.1.121 /28 255.255.255
.240
Now we run ethereal on PC1 and capture the packets for the following
ping commands:
a) From PC1 to PC3 using the command ping c 1 10.0.1.120 the
output obtained from ethereal is as following:

--- 10.0.1.120 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.356/0.356/0.356/0.000 ms
PING 10.0.1.101 (10.0.1.101) 56(84) bytes of data.
64 bytes from 10.0.1.101: icmp_seq=1 ttl=64 time=0.404 ms
b) From PC1 to PC2 using the command ping c 1 10.0.1.101 the
output obtained from ethereal is as following:

rtt min/avg/max/mdev = 0.404/0.404/0.404/0.000 ms
PING 10.0.1.121 (10.0.1.121) 56(84) bytes of data.
c) From PC1 to PC4 using the command ping c 1 10.0.1.121 the output
obtained from ethereal is as following:

d) From PC4 to PC1 using the command ping c 1 10.0.1.100.
e) From PC2 to PC4 using the command ping c 1 10.0.1.121.
f) From PC2 to PC3 using the command ping c 1 10.0.1.120.
Finally, we reset the interfaces of the hosts to their original values.
Use your output data and ping results to explain what happened
in each of the ping commands. Which ping operations were
successful and which were unsuccessful? Why?

The results of the ping commands described above are summarized in
the following table.
Linux Network Netmask Dest Netmas Reach

PC = Source IP IP k AND able
AND Destinatio
Netmask n IP
PC1 10.0.1.0 255.255.2 10.0. 10.0.1.0 Yes
55.0 1.120
PC1 10.0.1.0 255.255.2 10.0. 10.0.1.0 Yes
55.0 1.101
PC1 10.0.1.0 255.255.2 10.0. 10.0.1.0 Yes
55.0 1.121
PC4 10.0.1.11 255.255.2 10.0. 10.0.1.9 No
2 55.240 1.100 6
PC2 10.0.1.96 255.255.2 10.0. 10.0.1.1 No
55.240 1.121 12
PC2 10.0.1.96 255.255.2 10.0. 10.0.1.1 No
55.240 1.120 12
As shown in the above table only the first 3 ping requests were
successful because they were on the same network. However, the third
request no reply was returned as shown in ethereal below. The last three
ping requests resulted in an unreachable network because the
destination and source are on different networks.

PART 8: Static mapping of IP addresses and host
names
Exercise 8- Associating names with IP addresses

In this part, we manipulate the static mapping of the host names and
IP addresses using the /etc/hosts file.
So we begin by inspecting the contents of file /etc/hosts on PC1 with
gedit using the command. Then on PC1 we issue a ping command on PC2
using ping 10.0.1.12. We repeat this step but this time we try to use the
command ping PC2 but as we expect the symbolic name is unreachable
at this point. On PC1 we edit the content of the hosts file and add entries
for PC2 PC3 and PC4 and associating the hosts with their corresponding
IP. Now we use the ping PC2 command and notice that it executes. The
same is true for pinging the other hosts using their hostnames.
Finally we reset the hosts file to its original state and save the file.
Explain a static mapping of names and IP addresses is
impractical when the number of hosts is large?
It is impractical to have multiple copies of the same data. Since one
change in the IP of a certain machine or server requires changing every
host file in every machine that has this entry. Besides that, it is time
consuming and difficult to track unused IPs.

What will be the result of the host name resolution when
multiple IP addresses are associated with the same host name in
the /etc/hosts file?
When using multiple IP addresses with the same host name the first IP
encountered in the hosts files will be used for the name resolution.
PART 9: Experiments with FTP and TELNET
Exercise 9A- Snoop passwords from an FTP session

On PC1 we run ethereal with capture filters set to capture traffic
between PC1 and PC2 using the command: Ethereal f host 10.0.1.11
and 10.0.1.12.
Then we initiate an ftp session on PC1 to PC2 using the command ftp
10.0.1.12 and log in as root. In ethereal, we inspect the payload of
packets with FTP payload that are sent from PC1 to PC2.
The following was obtained using follow tcp stream in the tools menu
of the ethereal window:

1 0.000000 10.0.1.11 10.0.1.12 TCP 34052 >
ftp [SYN] Seq=0 Len=0 MSS=1460 TSV=642383 TSER=0 WS=0

(00:04:23:60:05:5e)
Transmission Control Protocol, Src Port: 34052 (34052), Dst Port: ftp (21), Seq:
0, Len: 0

2 0.000421 10.0.1.12 10.0.1.11 TCP ftp >
34052 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=621460 TSER=642383 WS=0

(00:04:23:5f:fd:14)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 34052 (34052), Seq:
0, Ack: 1, Len: 0

3 0.000474 10.0.1.11 10.0.1.12 TCP 34052 >
ftp [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=642383 TSER=621460
(00:04:23:60:05:5e)
1, Ack: 1, Len: 0

4 0.056501 10.0.1.12 10.0.1.11 FTP
Response: 220 (vsFTPd 1.1.3)

(00:04:23:5f:fd:14)
1, Ack: 1, Len: 20
File Transfer Protocol (FTP)

5 0.056613 10.0.1.11 10.0.1.12 TCP 34052 >

(00:04:23:60:05:5e)
1, Ack: 21, Len: 0

6 0.056811 10.0.1.11 10.0.1.12 FTP
Request: AUTH GSSAPI

(00:04:23:60:05:5e)
1, Ack: 21, Len: 13

7 0.057123 10.0.1.12 10.0.1.11 TCP ftp >
34052 [ACK] Seq=21 Ack=14 Win=5792 Len=0 TSV=621466 TSER=642389

(00:04:23:5f:fd:14)
21, Ack: 14, Len: 0

8 0.057248 10.0.1.12 10.0.1.11 FTP
Response: 530 Please login with USER and PASS.

(00:04:23:5f:fd:14)
21, Ack: 14, Len: 38

9 0.057299 10.0.1.11 10.0.1.12 FTP
Request: AUTH KERBEROS_V4

(00:04:23:60:05:5e)
14, Ack: 59, Len: 18

10 0.057747 10.0.1.12 10.0.1.11 FTP
Response: 530 Please login with USER and PASS.

(00:04:23:5f:fd:14)
59, Ack: 32, Len: 38

11 0.095312 10.0.1.11 10.0.1.12 TCP 34052 >

(00:04:23:60:05:5e)
32, Ack: 97, Len: 0

12 4.358278 10.0.1.11 10.0.1.12 FTP
Request: USER root

(00:04:23:60:05:5e)
32, Ack: 97, Len: 11

13 4.358708 10.0.1.12 10.0.1.11 FTP
Response: 331 Please specify the password.

(00:04:23:5f:fd:14)
97, Ack: 43, Len: 34
14 4.358744 10.0.1.11 10.0.1.12 TCP 34052 >

(00:04:23:60:05:5e)
43, Ack: 131, Len: 0

15 7.371672 10.0.1.11 10.0.1.12 FTP
Request: PASS root03

(00:04:23:60:05:5e)
43, Ack: 131, Len: 13

16 7.402881 10.0.1.12 10.0.1.11 TCP ftp >

(00:04:23:5f:fd:14)
131, Ack: 56, Len: 0

17 7.410998 10.0.1.12 10.0.1.11 FTP
Response: 230 Login successful. Have fun.

(00:04:23:5f:fd:14)
131, Ack: 56, Len: 33

18 7.411029 10.0.1.11 10.0.1.12 TCP 34052 >

(00:04:23:60:05:5e)
56, Ack: 164, Len: 0

19 7.411097 10.0.1.11 10.0.1.12 FTP
Request: SYST
(00:04:23:60:05:5e)
56, Ack: 164, Len: 6

20 7.411497 10.0.1.12 10.0.1.11 TCP ftp >

(00:04:23:5f:fd:14)
164, Ack: 62, Len: 0

21 7.411498 10.0.1.12 10.0.1.11 FTP
Response: 215 UNIX Type: L8

(00:04:23:5f:fd:14)
164, Ack: 62, Len: 19

22 7.445306 10.0.1.11 10.0.1.12 TCP 34052 >

(00:04:23:60:05:5e)
62, Ack: 183, Len: 0
Exercise 9B:
Run ethereal on PC1 using the command: Ethereal f host 10.0.1.11
and 10.0.1.12. Then we run a telnet session with PC2 using the
command telnet 10.0.1.12. We save the output of ethereal, it is as
following:
1 0.000000 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [SYN] Seq=0 Len=0 MSS=1460 TSV=686917 TSER=0 WS=0
2 0.000357 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=665994 TSER=686917 WS=0
3 0.000386 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=686917 TSER=665994
4 0.002912 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
5 0.002981 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
6 0.003005 10.0.1.11 10.0.1.12 TCP 34143 >
7 0.003851 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [ACK] Seq=13 Ack=34 Win=5792 Len=0 TSV=665995 TSER=686918
8 0.003976 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
9 0.003981 10.0.1.11 10.0.1.12 TCP 34143 >
10 0.006747 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
11 0.009972 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
12 0.010009 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
13 0.010471 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
14 0.010515 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
15 0.010973 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
16 0.050806 10.0.1.11 10.0.1.12 TCP 34143 >
17 1.147570 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
18 1.147979 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
19 1.148000 10.0.1.11 10.0.1.12 TCP 34143 >
20 1.487669 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
21 1.488092 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
22 1.488113 10.0.1.11 10.0.1.12 TCP 34143 >
23 1.647708 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
24 1.648096 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
25 1.648121 10.0.1.11 10.0.1.12 TCP 34143 >
26 1.863008 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
27 1.863432 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
28 1.863453 10.0.1.11 10.0.1.12 TCP 34143 >
29 2.338000 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
30 2.338442 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
31 2.338464 10.0.1.11 10.0.1.12 TCP 34143 >
32 2.341314 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
33 2.341323 10.0.1.11 10.0.1.12 TCP 34143 >
34 3.330966 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
35 3.362036 10.0.1.12 10.0.1.11 TCP telnet
36 3.716086 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
37 3.716514 10.0.1.12 10.0.1.11 TCP telnet
38 3.886085 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
39 3.886508 10.0.1.12 10.0.1.11 TCP telnet
40 4.153559 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
41 4.153928 10.0.1.12 10.0.1.11 TCP telnet
42 4.711285 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
43 4.711627 10.0.1.12 10.0.1.11 TCP telnet
44 4.948867 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
45 4.949196 10.0.1.12 10.0.1.11 TCP telnet
46 5.231225 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
47 5.231604 10.0.1.12 10.0.1.11 TCP telnet
48 5.231605 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
49 5.231626 10.0.1.11 10.0.1.12 TCP 34143 >
50 5.233851 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
51 5.233857 10.0.1.11 10.0.1.12 TCP 34143 >
52 5.299180 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
53 5.299211 10.0.1.11 10.0.1.12 TCP 34143 >
54 5.302800 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
55 5.302809 10.0.1.11 10.0.1.12 TCP 34143 >
Does telnet have the same security flaws as ftp? Support your
answer using the saved output.
Yes in both cases we were able to get the user name and the password
since they transferred as text and they are not encrypted. The only
difference is that with telnet the username and password are chunked
and sent character by character whereas in ft they are sent as they are.
Exercise 9C- Observing traffic from a Telnet Session
Using the same Telnet session established in the previous exercise, we
type a few characters and observe the packets captured by ethereal. We
notice that for each key typed, three packets are transmitted as shown in
the figure below.
The three marked frames show how each character is sent as 3
packets. In fact, PC1 first sends to PC2 the character. PC2 sends back to
PC1 the received character. PC1 then acknowledges that PC2 has
received the correct character.

Report2 451l

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Report2 451l

Загружено:

Авторское право:

Доступные форматы

Mohammad Hamdan

EECE 451 LAB1 REPORT Mohamad Ghazi Raad

address of the interface eth0 to 128.143.2.3/16 with

broadcast address 128.143.255.255.

2. Write the syntax of a tcpdump command that captures

packets containing IP datagrams with a source or

destination IP address equal to 10.0.1.12.

3. Write the syntax of a tcpdump command that captures

packets containing ICMP messages with a source or

destination IP address equal to 10.0.1.12.

4. Write the syntax of a tcpdump command that captures

packets containing IP datagrams between two hosts with IP

address 10.0.1.11 and 10.0.1.12, both on interface eth1 .

5. Write a tcpdump filter expression that captures packets

containing TCP segments with a source or destination IP

address equal to 10.0.1.12.

Question 5, only captures packets using port number 23.

7. Write the syntax for an ethereal command with capture filter

so that all IP datagrams with a source or destination IP

address equal to 10.0.1.12 are recorded.

8. Write the syntax for an ethereal display filter that shows IP

datagrams with a destination IP address equal to 10.0.1.50

and frame size greater than 400 bytes.

9. Write the syntax for an ethereal display filter that shows

packets containing ICMP messages with a source or

destination IP address equal to 10.0.1.12 and frame numbers

between 15 and 30.

10. Write the syntax for an ethereal display filter that

shows packets containing TCP segments with a source or

destination IP address equal to 10.0.1.12 and using port

11. Write an ethereal capture filter expression for question

To filter all packets with PC2 as source or destination we

Then we ping PC2 by executing the command:

The output of the tcpdump command executed was saved in a

file using the tail command.

12:22:55.227776 10.0.1.11 > 10.0.1.12: icmp: echo request (DF)

12:23:18.575330 10.0.1.11 > 10.0.1.12: icmp: echo request (DF)

Exercise 2(A)- Setting capture filters in ethereal

Run ethereal on PC1, then setting a capture filter so that all

expression used in the filter box is: Host 10.0.1.12

Ping command to PC2 from another terminal window as following:

function in the file menu. The output is as following:

No. Time Source Destination Protocol Info

Exercise 2(B)- Working with display filters

Repeat the same procedure as before, Set the display filter so

that all IP datagrams with destination IP address 10.0.1.12 are shown

using the following display filter: Ip.dst==10.0.1.12.

No. Time Source Destination Protocol Info

Ip.src==10.0.1.12 which lists only IP datagrams with a source IP

address equal to 10.0.1.12. The output is as following:

No. Time Source Destination Protocol Info

Exercise 2(C)- More complex capture and display filters

Start ethereal on PC1 and begin capturing all packets. From a

session from PC1 to PC2 using the following command: telnet

10.0.1.12. when the session is established we log in to PC2 as

several display filters to the captured packets:

a) Display packets that contain ICMP messages with the IP address

of PC2 either as a source or destination address, using the

following display filter:

Ip.addr==10.0.1.12 && icmp

The output in this case is as following:

No. Time Source Destination Protocol Info

b) Display packets that contain TCP traffic with the IP address of

PC2 either as a source or destination address, using the following