Wireshark Lab 4a


Name: Trương Anh Bảo

Student ID: 1811550

Wireshark Lab 4a
1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet
Protocol part of the packet in the packet details window.
What is the IP address of your computer?
Answer: The IP address of my computer is 192.168.1.102

2. Within the IP packet header, what is the value in the upper layer protocol field?
Answer: The value of the upper layer protocol field is ICMP (1)
3. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram?
Explain how you determined the number of payload bytes?
Answer: There are 20 bytes in the IP header which leaves 36 bytes for the payload of the IP
datagram because we were sending a packet of length 56 bytes.

4. Has this IP datagram been fragmented? Explain how you determined whether or not the
datagram has been fragmented?
Answer: The fragment offset is set to 0, therefore, the packet has not been fragmented.
5. Which fields in the IP datagram always change from one datagram to the next within this series
of ICMP messages sent by your computer?
Answer: The Time to live, header checksum and Identification fields change from each datagram
to the next.
6. Which fields stay constant? Which of the fields must stay constant? Which fields must change?
Why?
Answer: Fields that stay constant:
- Version (IPv4)
- Length of header
- Source IP (sending from same place)
- Destination IP (contacting same site)
- Upper layer protocol (always using ICMP)
Fields that must stay constant:
- Same as above
The fields that must change are:
- The header checksum (header changes)
- Identification (to verify packets)
- Time to live is also changed (this is how traceroute works)
7. Describe the pattern you see in the values in the Identification field of the IP datagram.
Answer: The pattern in the identification field is that the field increases by one in each strand of
echo requests.
8. What is the value in the Identification field and the TTL field?
Answer: Identification: 42507
TTL: 244
9. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your
computer by the nearest (first hop) router? Why?
Answer: The Identification field changes across all of the replies because this field has to have
a unique value. If they (2 or more replies) have the same value then the replies must be
fragments of a bigger packet.
The TTL field does not change because the time to live to the first hop router is always the
same.
10. Find the first ICMP Echo Request message that was sent by your computer after you changed
the Packet Size in pingplotter to be 2000. Has that message been fragmented across more than
one IP datagram?
Answer: Yes, that message has been fragmented across more than one IP datagram.
11. Print out the first fragment of the fragmented IP datagram. What information in the IP header
indicates that the datagram has been fragmented? What information in the IP header indicates
whether this is the first fragment versus a later fragment? How long is this IP datagram?

Answer: The fact that the flag is set for more segments shows that the datagram has
been fragmented (see above). The fragment offset is set to 0, indicating that this is the first
fragment rather than a later fragment, where that value is set to (1480). The datagram
has a total length of 1500.
12. Print out the second fragment of the fragmented IP datagram. What information in the IP
header indicates that this is not the first datagram fragment? Are there more fragments? How can
you tell?

Answer: The second fragment is obvious because it now has a fragment offset of 1480.
There are no more fragments because it no longer has a flag set for more fragments.

13. What fields change in the IP header between the first and second fragment?
Answer: The fields that change are
- Length
- Flags set
- Fragment offset
- Header checksum
14. How many fragments were created from the original datagram?
Answer: After switching to 3500 bytes, 3 fragments are created.
15. What fields change in the IP header among the fragments?
Answer: The fields that change are the fragment offset (0, 1480, 2960) and checksum. The first 2
packets also have lengths of 1500 and more fragments flags set, while the last fragment is
shorter (568) and does not have a flag set.
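The fragmentation fields discussed in questions 4 and 11 to 15, worked through in Python as an added example (not part of the original lab answers). It assumes a 1500-byte MTU and an IP payload of 3508 bytes, which is what the last fragment reported above (offset 2960, length 568, 20-byte header) implies; the identification value, TTL and destination address are constructed. A datagram counts as unfragmented only when the More fragments flag is clear and the offset is 0, since a first fragment also has offset 0.

```python
import struct

def checksum(hdr: bytes) -> int:
    # RFC 1071 one's-complement sum over the header's 16-bit words
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(total_len, ident, mf, offset, ttl, src, dst):
    # Flags and fragment offset share one 16-bit word; offset is in 8-byte units
    word = (int(mf) << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, word,
                      ttl, 1, 0, src, dst)          # protocol 1 = ICMP
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_header(hdr):
    vi, _, total_len, ident, word, ttl, proto, csum = struct.unpack("!BBHHHBBH", hdr[:12])
    ihl = (vi & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "payload": total_len - ihl,
            "id": ident, "mf": bool(word & 0x2000), "offset": (word & 0x1FFF) * 8,
            "ttl": ttl, "proto": proto, "checksum": csum}

def classify(h):
    # Both fields are needed: a first fragment also has offset 0
    if h["offset"] == 0:
        return "first fragment" if h["mf"] else "unfragmented"
    return "middle fragment" if h["mf"] else "last fragment"

def fragment(payload_len, mtu=1500, ihl=20):
    # Returns (offset, total length, more-fragments) per fragment
    step = (mtu - ihl) // 8 * 8
    return [(off, ihl + min(step, payload_len - off), off + step < payload_len)
            for off in range(0, payload_len, step)]

def fragment_headers(payload_len, ident=0x1234, ttl=64):
    # Constructed sample: identification, TTL and destination are made up
    src, dst = bytes([192, 168, 1, 102]), bytes([192, 0, 2, 1])
    return [build_header(tl, ident, mf, off, ttl, src, dst)
            for off, tl, mf in fragment(payload_len)]

if __name__ == "__main__":
    for raw in fragment_headers(3508):
        h = parse_header(raw)
        print(classify(h), h["offset"], h["total_len"], hex(h["checksum"]),
              "valid" if checksum(raw) == 0 else "bad checksum")
```

Recomputing the checksum over a received header, checksum field included, yields 0 when the header is intact, which is why the checksum differs in every fragment even though the identification stays the same.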

Wireshark Lab 4b
1. Are DHCP messages sent over UDP or TCP?
Answer: The DHCP messages are sent via UDP.
2. Draw a timing diagram illustrating the sequence of the first four-packet
Discover/Offer/Request/ACK DHCP exchange between the client and server. For each packet,
indicate the source and destination port numbers. Are the port numbers the same as in the
example given in this lab assignment?
Answer:

3. What is the link-layer (e.g., Ethernet) address of your host?


Answer: The ethernet address of my host is 00:06:25:da:af:73
4. What values in the DHCP discover message differentiate this message from the DHCP request
message?
Answer: DHCP Message Type
Request includes a server identifier field
5. What is the value of the Transaction-ID in each of the first four (Discover/Offer/Request/ACK)
DHCP messages? What are the values of the Transaction-ID in the second set (Request/ACK) set
of DHCP messages? What is the purpose of the Transaction-ID field?
Answer: 1st set of messages: 0x3e5e0ce3
2nd Set of messages: 0x3a5df7d9
Purpose: The transaction ID is different so that the host can differentiate between different
requests made by the user.
6. A host uses DHCP to obtain an IP address, among other things. But a host’s IP address is not
confirmed until the end of the four-message exchange! If the IP address is not set until the end
of the four-message exchange, then what values are used in the IP datagrams in the four-
message exchange? For each of the four DHCP messages (Discover/Offer/Request/ACK DHCP),
indicate the source and destination IP addresses that are carried in the encapsulating IP
datagram.
Answer: Discover: 0.0.0.0/255.255.255.255
Offer: 192.168.1.1/255.255.255.255
Request: 0.0.0.0/255.255.255.255
ACK: 192.168.1.1/255.255.255.255
7. What is the IP address of your DHCP server?
Answer: 192.168.1.1
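The DHCP fields from questions 3 to 7 (message type, server identifier, Transaction-ID, client hardware address), parsed in Python as an added example that is not part of the original lab answers. The messages are constructed from the values reported above and carry only those fields; the function names and the omission of a server identifier in the second-set Request are assumptions.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK"}

def build(xid, mac, msg_type, server_id=None):
    # Constructed sample message: only the fields the lab questions touch are filled in
    op = 1 if msg_type in (1, 3) else 2                 # 1 = from client, 2 = from server
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        bytes(4), bytes(4), bytes(4), bytes(4), mac, b"", b"")
    opts = bytes([53, 1, msg_type])                     # option 53: DHCP message type
    if server_id:
        opts += bytes([54, 4]) + socket.inet_aton(server_id)   # option 54: server identifier
    return fixed + MAGIC + opts + b"\xff"

def parse(msg):
    if len(msg) < 240 or msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen, xid = msg[2], struct.unpack("!I", msg[4:8])[0]
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 255:               # 255 = end option
        if msg[i] == 0:                                 # 0 = pad, no length byte
            i += 1
            continue
        if i + 2 > len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option")
        opts[msg[i]] = msg[i + 2:i + 2 + msg[i + 1]]
        i += 2 + msg[i + 1]
    sid = opts.get(54)
    return {"xid": xid, "mac": msg[28:28 + hlen].hex(":"),
            "type": TYPES.get((opts.get(53) or b"\x00")[0], "other"),
            "server_id": socket.inet_ntoa(sid) if sid and len(sid) == 4 else None}

def group_by_xid(messages):
    # Messages sharing a transaction ID belong to the same exchange
    groups = {}
    for m in map(parse, messages):
        groups.setdefault(m["xid"], []).append(m["type"])
    return groups

MAC = bytes.fromhex("000625daaf73")
CAPTURE = [build(0x3e5e0ce3, MAC, 1), build(0x3e5e0ce3, MAC, 2, "192.168.1.1"),
           build(0x3e5e0ce3, MAC, 3, "192.168.1.1"), build(0x3e5e0ce3, MAC, 5, "192.168.1.1"),
           build(0x3a5df7d9, MAC, 3), build(0x3a5df7d9, MAC, 5, "192.168.1.1")]
```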
