CSCI-UA.0480 Spring 2016 HW 1: Wireshark and Network Frames

Handed out Sunday, January 31, 2016
Due 5:00 PM, Thursday, February 4, 2016

Homework 1: Wireshark and Network Frames

Download and install the Wireshark packet analyzer on the computer of your choice. It will be significantly easier to use an OS with a GUI. Also, download the packet trace from the NYU Classes site under Assignments. The file is called "capture.pcap" and is under Homework 1. Use Wireshark to open the capture by going to "File" -> "Open". When trying to debug network issues, Wireshark is often an indispensable tool, as it provides a "microscopic" view of the goings-on. Specifically, Wireshark captures the raw bytes in each frame that is transferred, and displays an interpretation of those bytes.

This capture comes from the fox.geekny.com machine and shows all frames over the eth0 interface, except those frames identified to be using the VRRP, ARP, or SSH protocols.

Each problem below refers to a different frame.

Problem 1:

Use Wireshark to find the first HTTP request frame. You can do this by entering 'http' in the filter field.

  1. What is the number of this frame?
  2. What page is being asked for – what is its URL?
  3. What protocol is being used at the transport layer?
  4. Looking at the link layer, what is the destination? (This will be a six-octet MAC address in the form of 01:23:45:67:89:ab.)

Problem 2:

Find the response frame to the one in Problem 1.

  1. What is the number of this frame?
  2. What is the destination port?
  3. In the link layer, what is the source? (This will be another MAC address.)
  4. Does the source match what you found in the request frame? Why/why not?

Problem 3:

There is a DNS request in frame 757.

  1. From where did this frame originate?
  2. Where is it sent to?
  3. What is being asked for?

Problem 4:

Find the response frame to the aforementioned DNS request.

  1. What is the frame number for this response?
  2. What is the IP for the requested host? (If there are multiple, provide a few. Why might there be multiple?)
  3. What is the difference between an A record and an NS record?

Problem 5:

The following is one frame from the capture. The UDP Header begins at location 0x5e (the locations are identified by a column on the left).

0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
0000010: ffff 0000 0100 0000 12e3 ab56 b208 0700  ...........V....
0000020: 9a00 0000 9a00 0000 3333 0001 0002 bc30  ........33.....0
0000030: 5bbd a971 86dd 6000 0000 0064 1101 fe80  [..q..`....d....
0000040: 0000 0000 0000 58fd d335 9b26 59e0 ff02  ......X..5.&Y...
0000050: 0000 0000 0000 0000 0000 0001 0002 0222  ..............."
0000060: 0223 0064 f288 019b d26b 0008 0002 0c1c  .#.d.....k......
0000070: 0001 000e 0001 0001 1c03 f1c3 bc30 5bbd  .............0[.
0000080: a971 0003 000c 03bc 305b 0000 0000 0000  .q......0[......
0000090: 0000 0027 000e 000c 4239 4372 6561 746f  ...'....B9Creato
00000a0: 722d 5043 0010 000e 0000 0137 0008 4d53  r-PC.......7..MS
00000b0: 4654 2035 2e30 0006 0008 0018 0017 0011  FT 5.0..........
00000c0: 0027

Refer to the Stevens pocket guide available on the course web page under "Reference materials" and identify the following. Write your answers in base 10 unless otherwise specified.

  1. The UDP length
  2. The destination port
  3. The source port
  4. In hex, what is the payload of this UDP datagram?

Problem 6:

The following is another frame from the capture. The IP Header starts at location 0x36.

0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
0000010: ffff 0000 0100 0000 85e2 ab56 e05f 0400  ...........V._..
0000020: 6100 0000 6100 0000 782b cba3 7a7a 8875  a...a...x+..zz.u
0000030: 563c bb40 0800 4500 0053 b8d1 4000 3506  V<.@..E..S..@.5.
0000040: 7f65 adc0 52c4 807a 8c6f 01bb bbb1 47a2  .e..R..z.o....G.
0000050: 6247 244b 03df 8018 0085 0ae9 0000 0101  bG$K............
0000060: 080a 0a0a 4173 6c3b 9e11 1703 0300 1af5  ....Asl;........
0000070: 64e0 1963 6379 67d0 1ba4 e52d e738 b335  d..ccyg....-.8.5
0000080: 8190 b0c1 e14c 8409 c7

Unless otherwise specified, write your answers in base 10.

  1. Which transport layer protocol is being used? (UDP is 17 and TCP is 6. These numbers are in base 10.)
  2. What is the source IP address? (Use dotted-quad notation.)
  3. What is the destination IP address? (Use dotted-quad notation.)
  4. What is the source port number?
  5. What is the destination port number?
  6. What is the length of this header?
  7. What is the length of the payload of this TCP packet?
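As an added illustration (not part of the assignment), the Python script below walks the two dumps above the way Problems 5 and 6 ask you to do by hand: it strips the 24-byte pcap file header and the 16-byte record header that precede the Ethernet frame, then follows the EtherType and the IP protocol number to the UDP or TCP header and reports ports, lengths and payload. The dumps are copied from Problems 5 and 6 with the ASCII column left off, and the reported offsets are file offsets, so they can be checked against the left-hand column of the dump (the IP header at 0x36, the UDP header at 0x5e in Problem 5). Only the standard library is used.

```python
import ipaddress
import struct

# Constructed input: the Problem 5 and Problem 6 dumps from this page in
# xxd format, with the ASCII column dropped (the parser ignores it anyway).
PROBLEM5_DUMP = """
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000
0000010: ffff 0000 0100 0000 12e3 ab56 b208 0700
0000020: 9a00 0000 9a00 0000 3333 0001 0002 bc30
0000030: 5bbd a971 86dd 6000 0000 0064 1101 fe80
0000040: 0000 0000 0000 58fd d335 9b26 59e0 ff02
0000050: 0000 0000 0000 0000 0000 0001 0002 0222
0000060: 0223 0064 f288 019b d26b 0008 0002 0c1c
0000070: 0001 000e 0001 0001 1c03 f1c3 bc30 5bbd
0000080: a971 0003 000c 03bc 305b 0000 0000 0000
0000090: 0000 0027 000e 000c 4239 4372 6561 746f
00000a0: 722d 5043 0010 000e 0000 0137 0008 4d53
00000b0: 4654 2035 2e30 0006 0008 0018 0017 0011
00000c0: 0027
"""
PROBLEM6_DUMP = """
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000
0000010: ffff 0000 0100 0000 85e2 ab56 e05f 0400
0000020: 6100 0000 6100 0000 782b cba3 7a7a 8875
0000030: 563c bb40 0800 4500 0053 b8d1 4000 3506
0000040: 7f65 adc0 52c4 807a 8c6f 01bb bbb1 47a2
0000050: 6247 244b 03df 8018 0085 0ae9 0000 0101
0000060: 080a 0a0a 4173 6c3b 9e11 1703 0300 1af5
0000070: 64e0 1963 6379 67d0 1ba4 e52d e738 b335
0000080: 8190 b0c1 e14c 8409 c7
"""

PCAP_GLOBAL_HEADER_LEN = 24   # magic, version, zone, sigfigs, snaplen, linktype
PCAP_RECORD_HEADER_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len


def dump_to_bytes(dump):
    """Turn an xxd-style dump back into the bytes it displays."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("  ")[0]   # drop any ASCII column
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def first_frame(pcap):
    """Return (file offset, bytes) of the first record's Ethernet frame."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    (link_type,) = struct.unpack(endian + "I", pcap[20:24])
    if link_type != 1:
        raise ValueError(f"expected Ethernet link type (1), got {link_type}")
    rec = PCAP_GLOBAL_HEADER_LEN
    (incl_len,) = struct.unpack(endian + "I", pcap[rec + 8:rec + 12])
    frame_start = rec + PCAP_RECORD_HEADER_LEN
    frame = pcap[frame_start:frame_start + incl_len]
    if len(frame) != incl_len:
        raise ValueError("dump is shorter than the record's incl_len")
    return frame_start, frame


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame, base=0):
    """Walk Ethernet -> IPv4/IPv6 -> UDP/TCP.  With base set to the frame's
    file offset, l3_offset/l4_offset are file offsets matching the dump."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
            "l3_offset": base + 14}
    if ethertype == 0x0800:                               # IPv4: IHL gives header length
        ihl = (frame[14] & 0x0F) * 4
        (total_len,) = struct.unpack("!H", frame[16:18])
        proto, src, dst = frame[23], frame[26:30], frame[30:34]
        l4_start, l4_end, info["ip_version"] = 14 + ihl, 14 + total_len, 4
    elif ethertype == 0x86DD:                             # IPv6: fixed 40-byte header
        (payload_len,) = struct.unpack("!H", frame[18:20])
        proto, src, dst = frame[20], frame[22:38], frame[38:54]
        l4_start, l4_end, info["ip_version"] = 54, 54 + payload_len, 6
    else:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    info.update(src_ip=ipaddress.ip_address(src).compressed,
                dst_ip=ipaddress.ip_address(dst).compressed,
                protocol=proto, l4_offset=base + l4_start)
    l4 = frame[l4_start:l4_end]
    if proto == 17:                                       # UDP: 8-byte header
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        info.update(transport="UDP", src_port=sport, dst_port=dport,
                    udp_length=ulen, payload_hex=l4[8:ulen].hex())
    elif proto == 6:                                      # TCP: data offset in 32-bit words
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        hlen = (off_flags >> 12) * 4
        info.update(transport="TCP", src_port=sport, dst_port=dport,
                    tcp_header_len=hlen, flags=off_flags & 0x1FF,
                    payload_len=len(l4) - hlen)
    return info


def analyse(dump):
    base, frame = first_frame(dump_to_bytes(dump))
    return parse_frame(frame, base)


if __name__ == "__main__":
    for name, dump in (("Problem 5", PROBLEM5_DUMP), ("Problem 6", PROBLEM6_DUMP)):
        print(name)
        for key, value in analyse(dump).items():
            print(f"  {key:<15} {hex(value) if key.endswith('offset') else value}")
```

Run it and compare its offsets with the ones the problems state; the UDP length and TCP data offset fields are the two values most often misread when counting by hand, since one is a byte count that includes the 8-byte UDP header and the other is a count of 32-bit words in the upper nibble of one byte.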

Handing in the homework

Use NYU Classes; there's an entry for this homework.


Last updated: 2016-04-15 16:24:03 -0400