
Lab 3: Networking

Group 30 : Amr Ahmed, Ali Reza Zeiaei


OS: Windows 10

1 Introduction
This lab studies the internet protocols ARP and DNS using Wireshark; routing is also studied.
Wireshark analyzes network traffic by capturing (sniffing) packets. This report outlines the
observations and explanations from the lab.

2 Method and Experiments


The whole lab was performed with two computers running Windows 10 in the same LAN. In this
setup, the router that the computers are connected to is a WiFi 5 router.

The first part of the lab deals with ARP. In this part we use the command prompt in Windows 10
to ping another computer on the same LAN. Afterwards we ping the IP address 8.8.8.8, one of
Google's public DNS servers, which lies outside the LAN. Wireshark was used with display filters
that showed only the parts of interest.

The second part of this lab is about routing. First we answered some questions using a routing
table given in the lab manual. We then looked at the host computer's own routing table from the
command prompt with the command route PRINT. Then we checked the internet path with Wireshark
and the command prompt: tracert cisco.com, the Windows traceroute command, was run against the
website cisco.com. This command also gives us the website's IP address, which we used in
Wireshark's display filter to isolate the traffic.

The third part of this lab is about DNS. We started Wireshark with an appropriate display filter.
Then, using a resolving-only application (nslookup), we looked up the target's numerical address
given its fully qualified domain name. A fully qualified name ends with a full stop; in this case
we use google.com. We captured screenshots of both the relevant parts of the Wireshark window
and the resolving application's output for our lab report. After that, using the same
application, we performed a reverse lookup of the numerical IP address we had received.
Additionally, in a new Wireshark capture session, we looked up the second target again, but this
time using the non-fully qualified name www.
3 Results and Evidence

ARP tasks

Prep questions
ARP.1 What is the purpose of an ARP request?
The purpose of an ARP (Address Resolution Protocol) request is to find the Media Access
Control (MAC) address of a device on the same local network (LAN) when only its IP address is
known. The request is broadcast so that every host on the LAN sees it, and the host that owns
the IP address answers.
ARP.2 An ARP request has four address fields. Which are those, and which
addresses do they contain?
Sender MAC (sender hardware address): the MAC address of the device sending the ARP request. It
acts as the return address on the "envelope", and the receiver caches it together with the
sender IP address.

Sender IP (sender protocol address): the IP address of the device starting the ARP request. The
responding device uses it to address its reply and to update its own ARP cache.

Target MAC (target hardware address): in an ARP request this field is filled with zeros, since
discovering this address is the purpose of the request. The answer arrives in the ARP reply, in
the reply's sender MAC field. (The Ethernet frame that carries the request is addressed to the
broadcast address ff:ff:ff:ff:ff:ff; that is a separate field in the L2 header.)

Target IP (target protocol address): the IP address the sender wants to reach. The request is
broadcast on the LAN, and only the device with a matching IP address replies with its MAC
address.

ARP.3 An ARP reply has four address fields. Which are those, and which
addresses do they contain?
The ARP reply's fields are the request's fields swapped around.

Sender MAC: the MAC address of the device that answered the ARP request, i.e. the address the
requester was looking for.

Sender IP: the IP address of the device that answered. This lets the requester store the
IP-to-MAC mapping in its ARP cache.

Target MAC: the MAC address of the device that sent the request (taken from the request's sender
MAC field). The reply is sent unicast to this address rather than broadcast.

Target IP: the IP address of the device the reply is intended for, i.e. the sender IP address
from the original request.
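The field layout described in ARP.2 and ARP.3, as an added example that is not part of the original report: the code packs an ARP request, answers it, and decodes the four address fields of both messages so the "flipped" relationship can be checked byte by byte. The MAC addresses and the host address 192.168.0.50 are made up for the example; 192.168.0.163 is the pinged computer from the report.

```python
import struct

# RFC 826 Ethernet/IPv4 ARP payload: htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes in total).
ARP_FORMAT = "!HHBBH6s4s6s4s"
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
UNKNOWN_MAC = "00:00:00:00:00:00"    # target MAC of a request is all zeros
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"  # Ethernet destination of a request


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise one ARP payload (the part after the Ethernet header)."""
    return struct.pack(ARP_FORMAT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(payload):
    """Decode the operation code and the four address fields."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FORMAT, payload[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"op": oper,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def build_request(my_mac, my_ip, wanted_ip):
    """'Who has wanted_ip? Tell my_ip' - the target MAC is left as zeros."""
    return build_arp(OP_REQUEST, my_mac, my_ip, UNKNOWN_MAC, wanted_ip)


def answer_request(request, my_mac, my_ip):
    """Reply only if the request asks for our own IP. The fields are flipped:
    the requester's sender MAC/IP become the reply's target MAC/IP."""
    req = parse_arp(request)
    if req["op"] != OP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(OP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


def exchange():
    """One request/reply pair on a constructed LAN (assumed addresses)."""
    request = build_request("02:00:00:00:00:0a", "192.168.0.50", "192.168.0.163")
    reply = answer_request(request, "02:00:00:00:00:a3", "192.168.0.163")
    return parse_arp(request), parse_arp(reply)
```

Comparing the two dictionaries returned by exchange() reproduces the answer above: the reply's sender MAC/IP are the requested host's addresses, and its target MAC/IP are exactly the request's sender MAC/IP.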
ARP.4 What is the purpose of the ARP cache? What would be the result if a
host didn’t feature an ARP cache?
It speeds up communication: every time a device needs to send data to another device on the
same LAN it would otherwise have to perform an ARP request first to discover the recipient's MAC
address. The ARP cache stores recently learned IP-to-MAC mappings for a limited time, so
repeated packets to the same host need no new request.

It also reduces network traffic: by caching frequently used mappings, the ARP cache minimizes
the number of ARP requests broadcast on the network, which every host on the LAN has to
receive and process.

If a host had no ARP cache, every IP packet it sent on the LAN (including every packet to the
default gateway) would have to be preceded by a broadcast ARP request and a reply, so
communication would be slower and the network would carry far more broadcast traffic.

ARP task 1

Figure 1, Wireshark window for a full ping to the other computer in the network

Figure 2, Request frame for ARP


Figure 3 , Reply frame for ARP

Figure 4, This filter was used for ARP task 1 (This is also known as the ARP filter)

Network communication involves both the data link layer (L2) and the network layer (L3) of the
OSI model. Figure 2, the frame corresponding to the first row in figure 1, shows an ARP request.
Its Ethernet (L2) header contains our source MAC address and the broadcast destination address
(ff:ff:ff:ff:ff:ff), and the ARP payload carries the sender's MAC and IP addresses, the target
IP address and an all-zero target MAC address.

The corresponding reply is shown in the second row of figure 1. Its L2 header carries the MAC
addresses of both the replying computer and our computer, since the reply is sent unicast, and
the ARP payload now contains the MAC and IP addresses of both parties, as illustrated in
figure 3.

ARP task 2
Figure 5, Ping to 8.8.8.8 nets this result in wireshark. It tries pinging 4 times

Figure 6, This was the filter used for ARP task 2

When a ping is sent to 8.8.8.8 we see no ARP exchange, only ICMP. 8.8.8.8 is on a different
subnet, so our host never tries to resolve its MAC address: the packet is addressed at L2 to the
default gateway (192.168.0.1), and the gateway forwards it onwards based on its own routing
table. The gateway's MAC address was already in our ARP cache, which is why no ARP request
appears before the ICMP echo requests in figure 5. If the cache entry for the gateway had
expired we would have seen an ARP request for 192.168.0.1, never one for 8.8.8.8.

Figure 7
In figure 7 we see what happens when we ping a computer in the same LAN. The top part of the
figure shows that we send ICMP echo requests 4 times, just as when we pinged Google (8.8.8.8),
and the filter used looks similar but is for the IP address 192.168.0.163, as seen at the bottom
of the figure. The ICMP packets go out without any ARP request from our side: our ARP cache
already held a valid entry for 192.168.0.163 (a cache hit), so our computer could build the
frames with the known MAC address directly. This is faster than the case where the MAC address
is unknown and a request/reply exchange must come first. In the middle of the figure, after the
ICMP exchange, the pinged computer sends an ARP request to us, which our computer answers with
an ARP reply. That request comes from the other host: its own cache entry for our address had
expired or was being revalidated, so it asks for our MAC address and we supply it. Had our own
cache been empty, we would instead have seen our request and the other host's reply before the
first echo request, as in figures 2 and 3.
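The cache-hit behaviour seen in ARP task 2 and figure 7, together with the on-link versus gateway decision from RTR.4 and RTR.5, as an added example that is not part of the original report: a small host model resolves the next-hop MAC for a sequence of ping targets and records which resolutions actually put an ARP request on the wire. The LAN table, the MAC addresses and the host address 192.168.0.50 are constructed for the example; 192.168.0.1 and 192.168.0.163 are the gateway and pinged host from the report.

```python
import ipaddress


class ArpCache:
    """A host's view of the LAN: its own subnet, its default gateway and an
    ARP cache. resolve() returns the MAC the next Ethernet frame must carry
    and whether an ARP request had to be broadcast to learn it."""

    def __init__(self, my_ip, netmask, gateway_ip):
        self.subnet = ipaddress.ip_network(f"{my_ip}/{netmask}", strict=False)
        self.gateway = ipaddress.ip_address(gateway_ip)
        self.cache = {}            # IPv4Address -> MAC string
        self.requests_sent = []    # IPs we broadcast "who has ...?" for

    def next_hop(self, dst_ip):
        """Same subnet: ARP for the destination itself (RTR.4).
        Other subnet: ARP for the default gateway instead (RTR.5)."""
        dst = ipaddress.ip_address(dst_ip)
        return dst if dst in self.subnet else self.gateway

    def resolve(self, dst_ip, lan):
        hop = self.next_hop(dst_ip)
        if hop in self.cache:                    # cache hit: nothing on the wire
            return self.cache[hop], False
        self.requests_sent.append(str(hop))      # cache miss: broadcast a request
        mac = lan.get(str(hop))                  # the reply, if the host exists
        if mac is None:
            raise LookupError(f"no ARP reply for {hop}")
        self.cache[hop] = mac
        return mac, True


# Constructed LAN: who answers ARP for which address (MACs are made up).
LAN = {"192.168.0.1": "02:00:00:00:00:01", "192.168.0.163": "02:00:00:00:00:a3"}


def ping_sequence(targets, lan=LAN):
    """Resolve each ping target in order. Returns the list of
    (next-hop MAC, ARP request sent?) and the requests that went out."""
    host = ArpCache("192.168.0.50", "255.255.255.0", "192.168.0.1")
    results = [host.resolve(target, lan) for target in targets]
    return results, host.requests_sent
```

Pinging 192.168.0.163 twice and then 8.8.8.8 and 1.1.1.1 causes exactly two requests, one for the LAN host and one for the gateway; every later packet, including those to the off-link addresses, reuses the cached gateway entry, which is what figure 5 shows. To reproduce a cache miss in Wireshark on Windows, list the cache with arp -a, flush it with arp -d * from an elevated prompt, and ping again.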

Routing tasks

Prep questions
RTR.1 Which address fields (IP, MAC) will be affected when an IP packet is
forwarded through a switch? Why, and how?
When an IP packet is forwarded through a switch, no address fields are changed. A switch
operates at the data link layer (L2): it reads the destination MAC address of the frame, looks
it up in its MAC address table and forwards the frame out of the matching port. Source and
destination MAC addresses and both IP addresses arrive unchanged, because the switch does not
process the IP header at all.
RTR.2 Which address fields (IP, MAC) will be affected when an IP packet is
forwarded through a router? Why, and how?
Only the MAC addresses change. A router works at the network layer (L3): it uses the destination
IP address to choose the next hop from its routing table, but it does not rewrite the source or
destination IP address (unless it also performs NAT); it only decrements the TTL and updates the
IP header checksum. It then builds a new L2 frame on the outgoing interface: the source MAC
becomes that of the router's outgoing interface and the destination MAC becomes that of the
next hop (the next router or the final host), resolved with ARP on that interface.

RTR.3 An IPv4 address consists actually of two addresses or identities, the
host id and the network id. How can a host find the IPv4 network id part of an
IP address? There are two methods.
Subnet mask method: a bitwise AND of the IP address and the subnet mask gives the network ID;
the remaining bits are the host ID.

Routing table lookup method: the routing table contains, for each entry, a network ID and mask
together with the corresponding interface or next hop. The host finds the entry whose network ID
matches the destination IP address (the longest matching prefix), and that entry's network ID is
the network part of the address.

RTR.4 Describe the process by which a host finds out if an IP packet's
destination belongs to the host's subnet or not.
The host compares network IDs. It ANDs its own IP address with its subnet mask to get its own
network ID, then ANDs the destination IP address with the same subnet mask to get the
destination's network ID. If the two are equal, the destination is in the same subnet and the
host can deliver the packet directly on the LAN (after resolving the destination's MAC address
with ARP). If not, the host sends the packet to its default gateway, which forwards it towards
other networks.

RTR.5 When an IP packet is transmitted to a host on another subnet, whose
MAC address will be set in the destination field of the frame header by the
transmitting host?
The MAC address of the router (the default gateway, or the next-hop router chosen from the
routing table) is set as the destination MAC address in the frame header by the transmitting
host, while the destination IP address in the packet remains that of the final host.

Routing task 1
Figure 8, Routing table for Linux found in the lab manual

To find the computer's own IP address from the routing table we start with the default route,
the row with destination 0.0.0.0 and netmask 0.0.0.0; its gateway is 10.0.12.1, so the computer
must have an address on the same network as that gateway. Looking at the other rows, two
candidates appear: 10.0.12.0 in the first row and 10.0.12.10 in the second. The netmasks tell
them apart. The first row has netmask 255.255.255.0, so 10.0.12.0 is a network ID covering the
addresses 10.0.12.0 to 10.0.12.255; it is the subnet the computer is attached to, not the
address of any single host. The second row has netmask 255.255.255.255, which matches exactly
one address, 10.0.12.10, and a single-address (/32) entry of this kind in a host's table is the
host route for the computer's own interface address. The computer's IP address is therefore
10.0.12.10, in the 10.0.12.0/24 network whose gateway is 10.0.12.1.

If we send a packet to 10.0.12.100, the rows of interest are the first row, because the netmask
255.255.255.0 is all 1s up to the fourth byte, the first three bytes (the network ID) are the
same as in the destination address, and host ID 100 therefore falls inside it, and the last row,
the default route, which matches every destination. Longest prefix match picks the first row. If
we send a packet to 10.11.12.100, the only row that matches is the default route, since the
second byte (11) differs from the network ID of every other row.

Routing tables are searched by longest prefix match for specificity: a longer prefix (a netmask
with more 1 bits) represents a smaller, more specific network inside a larger one, so the most
specific matching route should win. Sorting the table by prefix length also makes the lookup
efficient, because the first matching entry is then the best one. Hence the first entries in the
table have the longest netmasks and the last entry, the default route with netmask 0.0.0.0, has
the shortest.
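The lookup described in routing task 1, as an added example that is not part of the original report. The three rows are reconstructed from the text above (destination, netmask, gateway, interface); the interface name and the on-link gateway 0.0.0.0 for the first two rows are assumptions, since the figure itself is not reproduced here. The code lists every matching row for a destination, picks the longest prefix, sorts the table the way the text describes, and decides whether the frame goes to the destination itself or to the gateway.

```python
import ipaddress

# Reconstructed from the report's discussion of figure 8 (assumed columns).
ROUTES = [
    ("10.0.12.0",  "255.255.255.0",   "0.0.0.0",   "eth0"),
    ("10.0.12.10", "255.255.255.255", "0.0.0.0",   "eth0"),
    ("0.0.0.0",    "0.0.0.0",         "10.0.12.1", "eth0"),
]


def prefix_length(netmask):
    """Number of leading 1 bits; ip_network() rejects non-contiguous masks."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


def matching_routes(dst_ip, routes=ROUTES):
    """All rows where (dst AND netmask) equals the row's destination."""
    dst = ipaddress.ip_address(dst_ip)
    hits = []
    for dest, mask, gateway, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if dst in net:
            hits.append({"prefix": net.prefixlen, "dest": dest, "mask": mask,
                         "gateway": gateway, "iface": iface})
    return hits


def best_route(dst_ip, routes=ROUTES):
    """Longest prefix match: the most specific matching row wins."""
    hits = matching_routes(dst_ip, routes)
    if not hits:
        raise LookupError(f"no route to {dst_ip}")
    return max(hits, key=lambda row: row["prefix"])


def sort_for_lookup(routes=ROUTES):
    """Longest prefix first, so a linear scan can stop at the first match;
    the default route (prefix 0) always ends up last."""
    return sorted(routes, key=lambda row: prefix_length(row[1]), reverse=True)


def first_hop(dst_ip, routes=ROUTES):
    """Who the frame is addressed to: the destination itself when the row is
    on-link (gateway 0.0.0.0), otherwise the gateway."""
    row = best_route(dst_ip, routes)
    return dst_ip if row["gateway"] == "0.0.0.0" else row["gateway"]


def single_address_rows(routes=ROUTES):
    """Rows with a /32 mask name exactly one address, not a network."""
    return [dest for dest, mask, _, _ in routes if prefix_length(mask) == 32]
```

For 10.0.12.100 two rows match (prefix 24 and the default) and the /24 wins, so the frame is addressed to the host directly; for 10.11.12.100 only the default route matches and the frame goes to 10.0.12.1. single_address_rows() returns the one /32 entry, 10.0.12.10.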

Routing task 2: Host’s routing table


Figure 9, Routing table for host

Removing the host's own subnet route (the on-link entry for its LAN) from the routing table
breaks communication with the other devices in that subnet. Without that entry the host no
longer knows that those addresses are reachable directly on its interface: packets to them
either match only the default route and are sent to the gateway, or fail with a routing error if
no route matches at all.

Routing task 3: Check internet path


We pinged cisco.com from the Windows command prompt, which gives us the website's IP address:
72.163.4.185. We then used this address to build the Wireshark filter shown in figure 10.

Figure 10, the filter used for checking the internet path

Now we use the tracert command in the command prompt, shown in figure 11, and Wireshark shows
what is depicted in figure 12.
Figure 11, Traceroute to cisco.com seen from the terminal
Figure 12, Internet path seen from wireshark. The screenshot is stitched together.

In figure 12 we see the TTL of successive probe packets incrementing. All of the messages use
ICMP, the protocol used for reporting and diagnosing communication errors. The messages received
are "Time-to-live exceeded" errors (ICMP type 11), marked in black in Wireshark's default
colouring, and the nodes sending them are 192.168.0.1, 100.81.184.1, 100.64.3.191,
82.209.155.94, 89.160.14.107 etc.

Traceroute works by sending a series of probe packets with progressively increasing Time-to-Live
(TTL) values towards the destination. On Windows, tracert uses ICMP echo requests as probes,
like ping (Linux traceroute defaults to UDP probes). The TTL is a hop counter that every router
decrements before forwarding. The first probes have a TTL of 1, so they expire at the first
router. A router that decrements the TTL to zero discards the packet and returns an ICMP "TTL
exceeded" error to the source, which identifies that hop. Traceroute repeats this, incrementing
the TTL, until the destination answers with an echo reply or a maximum hop limit is reached, as
seen in figure 12. The source addresses of the error messages reveal the routers at which each
TTL expired, effectively mapping the packet's path.

DNS task
Prep questions
DNS.1 What is the purpose of a DNS request?
It translates a human-readable host name into the IP address a computer needs in order to send
packets to it (and, for a reverse lookup, an IP address back into a name).
DNS task 1
DNS is like the phonebook of the internet: it translates website names (e.g. google.com or
wikipedia.org) into the numerical IP addresses that computers actually use (such as
172.217.160.66 or 208.80.154.222). This is what makes the internet user friendly while still
letting computers communicate using IP addresses.

Fully qualified domain name. In this case we use nslookup on google.com.


Figure 13, nslookup on google.com

Figure 14, Using the filter “dns” in wireshark, this is what is seen when nslookup is used on
google.com i.e. what we did in figure 13. The frame we’re looking at is the first row

Reverse DNS

Figure 15, Reverse nslookup on google.com where we use the address we get from the
command window
Figure 16, Reverse nslookup on wireshark. Fully qualified nslookup is also in this screenshot.
We are still using the “dns” filter. This is related to figure 15

Non fully qualified

Figure 17, Unqualified nslookup where we tried it on www

Figure 18, Unqualified name on wireshark. Related to figure 17

What type of resolving method, iterative or recursive, is used?

In figures 13, 15 and 17 the first two rows show a single query followed immediately by the
full answer. Seen from our computer this is a recursive query: nslookup sends one request to
the configured DNS server with the "Recursion desired" flag set (visible in the Flags field of
the frame in figure 14), and that server takes on the whole job, asking the root, TLD and
authoritative servers itself, iteratively, whenever the answer is not already in its cache. Our
client never talks to those other servers, which is why only one request and one response
appear in the capture; the iterative part happens between the configured server and the rest
of the DNS and is not visible on our LAN.

What transport protocol is used and why?

The transport protocol being used is UDP. DNS queries and answers are small, single messages,
so connectionless UDP is fast: there is no handshake, and a lost query is simply retried by the
resolver. DNS falls back to TCP (also on port 53) when a response is too large for a UDP
datagram and comes back truncated, and for zone transfers.

What transport protocol port is used?

The port is seen in the lower part of figure 14, which shows the frame: in our case it is port
53, the well-known port for DNS. The query is sent to destination port 53 and the response
comes back from source port 53 to the random source port the client chose.

What could motivate the reverse lookup function?

It lets you find the domain name associated with an IP address, for example to identify a host
seen in a log or a capture. This is useful for security (checking that an address that claims to
belong to a given host really maps back to it), network troubleshooting (tracert and nslookup
can show names instead of bare addresses) and other processes where the name is of use. Reverse
lookup was also done in this lab; the results are shown in figures 15 and 16.

What is the difference in the lookup process between looking up a fully
qualified and a not fully qualified name?
A fully qualified name such as google.com. (with the trailing dot) is absolute: the resolver
sends it to the DNS server exactly as typed, in a single query. A name that is not fully
qualified, such as www, is only a partial name, so before querying, the resolver appends the
suffixes from the computer's DNS search list (on Windows the connection-specific DNS suffix),
giving www followed by the suffix, and tries each resulting name in turn. This can produce
several queries, and if no suffix yields an answer the lookup fails. This is seen in figures 17
and 18.
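The DNS details discussed in this section (the query with its Recursion desired flag, the UDP exchange on port 53, the reverse-lookup name, and the difference between a fully qualified name and a name that gets search-list suffixes), as one added example that is not part of the original report. The code builds and parses DNS messages with the standard library only; the resolver response it parses is constructed here, the search suffix example.lab is assumed, and the suffix rules are a simplified model of what a Windows stub resolver does, not a copy of it.

```python
import ipaddress
import socket
import struct

DNS_PORT = 53
QTYPE_A, QTYPE_PTR, CLASS_IN = 1, 12, 1
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
SEARCH_LIST = ["example.lab"]   # assumed; see ipconfig /all on Windows


def candidates(name, search_list=SEARCH_LIST):
    """Names a stub resolver would actually send for what the user typed
    (simplified model of the search-list rules)."""
    if name.endswith("."):                       # absolute: sent as-is, once
        return [name]
    tried = [name + "."] if "." in name else []  # dotted names: as-is first
    return tried + [f"{name}.{suffix}." for suffix in search_list]


def encode_name(fqdn):
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(fqdn, qtype, txid, recursion_desired=True):
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def read_name(msg, offset):
    """Decode a name, following RFC 1035 compression pointers (0xC0xx)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_answers(msg):
    """[(owner name, type, rdata)] for the answer section; A and PTR decoded."""
    header = parse_header(msg)
    offset = 12
    for _ in range(header["qdcount"]):
        _, offset = read_name(msg, offset)
        offset += 4                              # qtype + qclass
    answers = []
    for _ in range(header["ancount"]):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A:
            rdata = str(ipaddress.IPv4Address(rdata))
        elif rtype == QTYPE_PTR:
            rdata, _ = read_name(msg, offset - rdlen)
        answers.append((name, rtype, rdata))
    return answers


def build_a_response(query, ip, ttl=300):
    """Constructed reply of a recursive resolver: QR=1, RD echoed, RA=1, the
    question copied, one A record whose owner name points back to offset 12."""
    header = parse_header(query)
    flags = FLAG_QR | FLAG_RA | (FLAG_RD if header["rd"] else 0)
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return struct.pack("!HHHHHH", header["id"], flags, 1, 1, 0, 0) + query[12:] + answer


def reverse_name(ip):
    """PTR owner name for a reverse lookup of ip (in-addr.arpa form)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def send_query(msg, resolver_ip, timeout=2.0):
    """The transport nslookup uses: one UDP datagram to port 53 (not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (resolver_ip, DNS_PORT))
        return sock.recv(4096)
```

Pairing build_query("google.com.", QTYPE_A, 0x1234) with build_a_response(...) gives the one-request, one-response exchange of figures 13 and 14, with RD set in the query and QR and RA set in the answer; candidates("www") shows why the unqualified lookup in figure 17 carries a suffix, and reverse_name("172.217.160.66") is the name that the reverse lookup of figure 15 actually queries.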
