Lab 3 Network Lab Report - Amr Ahmed, Ali Reza Zeiaei - New Version
1 Introduction
This lab studies the Internet protocols ARP and DNS, as well as routing, using Wireshark, which
analyses network traffic by capturing (sniffing) packets. This report outlines the observations
and explanations from the lab.
The first part of the lab deals with ARP. We use the command terminal in Windows 10 to ping
another computer on the same LAN, and afterwards we ping the IP address 8.8.8.8, one of
Google's public DNS servers, which lies outside the LAN. Wireshark was used with display filters
that showed only the traffic of interest.
The second part of this lab is about routing. First we answered some questions about a routing
table given in the lab manual. We then looked at the host computer's own routing table from the
command terminal with the command route PRINT. Then we examined the Internet path with
Wireshark and the command window: tracert cisco.com, a traceroute to the website cisco.com,
was entered in the command terminal. The command also gives us the website's IP address,
which we can then use in a Wireshark filter to analyse the path.
The third part of this lab is about DNS. We started Wireshark with an appropriate display filter.
Then, using a resolving-only application, we looked up the target's numerical address given its
fully qualified IP name. A fully qualified IP name ends with a full stop; in this case we used
google.com. We captured screenshots of both the relevant parts of the Wireshark display
window and the resolving application's output for our lab report. After that, using the same
application, we performed a reverse lookup of the numerical IP address we had received.
Additionally, in a new Wireshark sniffing session, we attempted to look up the second target's
address, this time using the non-fully qualified IP name www.
3 Results and Evidence
ARP tasks
Prep questions
ARP.1 What is the purpose of an ARP request?
The purpose of an ARP (Address Resolution Protocol) request is to find the Media Access
Control (MAC) address of a device on a local network (LAN) when its IP address is known.
ARP.2 An ARP request has four address fields. Which are those, and which
addresses do they contain?
Source MAC: This field contains the MAC address of the device sending the ARP request. It
acts as the return address on an "envelope".
Source IP: This field holds the IP address of the device starting the ARP request. It lets the
responding device verify that the request is meant for the device with the corresponding MAC
address.
Target MAC: In an ARP request this field is filled with zeros from the start, since the purpose of
the request is to discover the target's address. The responding device fills this field with its own
MAC address in the ARP reply.
Target IP: This field specifies the IP address of the device the sender tries to reach. The ARP
request is broadcast on the network with this address, and only the device with a matching IP
address responds with its MAC address.
ARP.3 An ARP reply has four address fields. Which are those, and which
addresses do they contain?
The address fields of an ARP reply are essentially those of the ARP request, flipped.
Source MAC: This field contains the Media Access Control (MAC) address of the device that
responded to the ARP request. It's the MAC address the sender was looking for.
Source IP: This field holds the Internet Protocol (IP) address of the device that responded to the
ARP request. This then confirms to the original sender that the reply came from the device with
the matching MAC address.
Target MAC: This field, unlike in the ARP request, contains the MAC address of the device that
originated the ARP request (the initial sender).
Target IP: This field specifies the IP address of the device that the ARP reply is intended for. It
essentially reflects the target IP address from the original ARP request.
ARP.4 What is the purpose of the ARP cache? What would be the result if a
host didn’t feature an ARP cache?
It speeds up communication. Every time a device needs to send data to another device on the
same network (Local Area Network, LAN), it would traditionally need to perform an ARP request
to discover the recipient's MAC address. The ARP cache eliminates the need for constant ARP
requests by storing these mappings, which significantly accelerates communication.
It also reduces network traffic: by caching frequently used mappings, the ARP cache minimises
the number of ARP requests broadcast on the network. This reduces overall network traffic
and improves efficiency.
Without an ARP cache we would have slower performance and also increased network traffic.
ARP task 1
Figure 1, Wireshark window for a full ping to the other computer in the network
Figure 4, This filter was used for ARP task 1 (This is also known as the ARP filter)
Network communication involves the collaboration of both the data link layer (L2) and the
network layer (L3) of the OSI model. Figure 2, which is the frame corresponding to the first row in
Figure 1, depicts an ARP request message. Its L2 header contains the source MAC address.
The L3 header within the request includes the IP addresses of both the sender and the intended
recipient, ensuring the message reaches the correct device.
The corresponding reply message is shown in the second row of Figure 1. Its L2 header
carries the MAC addresses of both the sender and the receiver, while the L3 header again
contains the IP addresses of both parties, as illustrated in Figure 3.
ARP task 2
Figure 5, Pinging 8.8.8.8 gives this result in Wireshark. The ping is attempted 4 times
When a ping is sent to 8.8.8.8 we do not see the ARP protocol; instead we see ICMP. Hosts on
different subnets do not need ARP between them: routers handle delivery using the best paths
(cheapest and nearest), not MAC addresses. This is seen in Figure 5.
Figure 7
In Figure 7 we see what happens when we ping a computer in the same LAN. The top part of the
figure shows that we send ICMP packets 4 times, just as when we pinged Google (8.8.8.8). The
filter used looks similar but is for the IP 192.168.0.163, which is seen at the bottom of the
figure. After the ICMP we get an ARP from the computer we pinged, which is then answered
with another ARP, seen in the middle of the figure. The reason we see this order in Wireshark is
that the ARP cache holds a valid entry for the target IP we are pinging; in other words, our
computer gets a cache hit. The computer can directly proceed with sending the ICMP Echo
Request packet (ping) to the known MAC address, so no ARP request precedes it. The process
is streamlined and faster compared to a scenario where the MAC address is unknown.
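The following added example, which is not part of the lab report, puts the ARP.2/ARP.3 field descriptions and the ARP.4 cache discussion into code: it builds and parses the Ethernet/ARP request and reply frames of the kind Wireshark shows in Figures 2 and 3, and keeps a small ARP cache so the cache-hit case from ARP task 2 can be reproduced. All MAC and IP addresses in it are constructed except the LAN peer 192.168.0.163, which the report names; the function names are the example's own.

```python
import struct

# Added example (not part of the lab report). All addresses are constructed;
# only 192.168.0.163 (the LAN peer pinged in ARP task 2) comes from the report.
HOST_MAC = bytes.fromhex("02000000aa01")
PEER_MAC = bytes.fromhex("02000000aa02")
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
HOST_IP = bytes([192, 168, 0, 10])
PEER_IP = bytes([192, 168, 0, 163])

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(opcode, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by an ARP packet for IPv4 over Ethernet."""
    eth_header = eth_dst + sender_mac + ETHERTYPE_ARP
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth_header + arp_header + sender_mac + sender_ip + target_mac + target_ip


def arp_request(sender_mac, sender_ip, target_ip):
    """Request: broadcast at L2, target MAC field zeroed because it is unknown."""
    return build_arp(ARP_REQUEST, BROADCAST_MAC, sender_mac, sender_ip, ZERO_MAC, target_ip)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Reply: unicast back to the requester; sender and target fields are swapped."""
    return build_arp(ARP_REPLY, target_mac, sender_mac, sender_ip, target_mac, target_ip)


def parse_arp(frame):
    """Return the opcode and the four address fields of an ARP frame."""
    if frame[12:14] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is handled here")
    body = frame[22:42]
    return {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(opcode, "unknown"),
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }


def learn(cache, parsed):
    """Store the sender's IP-to-MAC mapping. The sender fields of both requests
    and replies are filled in, so either can populate the cache. Trusting every
    packet unconditionally, as done here for simplicity, is what lets a forged
    reply poison the cache, which is why real stacks restrict when an existing
    entry may be overwritten."""
    cache[parsed["sender_ip"]] = parsed["sender_mac"]


def resolve(cache, ip):
    """Cache hit: return the MAC and send directly. Miss: None, a request is needed."""
    return cache.get(ip)


if __name__ == "__main__":
    cache = {}
    req = arp_request(HOST_MAC, HOST_IP, PEER_IP)
    print("request:", parse_arp(req))
    rep = arp_reply(PEER_MAC, PEER_IP, HOST_MAC, HOST_IP)
    learn(cache, parse_arp(rep))
    print("reply:  ", parse_arp(rep))
    print("cache lookup for 192.168.0.163:", resolve(cache, "192.168.0.163"))
```

Running it prints the parsed request (target MAC all zeros, sent to the broadcast address), the parsed reply (fields swapped, sent unicast), and the cache lookup that lets a later ping go straight to the ICMP Echo Request without an ARP exchange.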
Routing tasks
Prep questions
RTR.1 Which address fields (IP, MAC) will be affected when an IP packet is
forwarded through a switch? Why, and how?
When an IP packet is forwarded through a switch, only the MAC address is affected, because a
switch operates at the data link layer (L2) of the OSI model. When a switch forwards the IP
packet it looks at the packet's destination MAC address to decide where the packet should be
sent, while the IP address remains the same because the switch does not operate on IP addresses.
RTR.2 Which address fields (IP, MAC) will be affected when an IP packet is
forwarded through a router? Why, and how?
Both. The router works at the network layer L3 (L2 included). The router updates the IP
address to send the packet on to the next destination, and the MAC address changes because
the router's data link layer forwards the frame out of the matching network port.
Lookup in the routing table method: the routing table contains entries consisting of a network ID
together with the corresponding interface or next hop and destination information. The
method searches the routing table for the network ID by finding the entry that matches the
destination IP address.
Routing task 1
Figure 8, Routing table for Linux found in the lab manual
To find the computer's IP address with the help of the routing table we look at the default route,
which has the destination address 0.0.0.0 with the subnet mask 0.0.0.0, and read off its
gateway, which is 10.0.12.1. With the gateway IP address known we look at the routing table
again and check which destination the gateway leads to; that is going to be the computer's IP
address. We have two candidates, 10.0.12.0 in the first row and 10.0.12.10 in the second row,
and we choose between them by looking at the net masks of the rows. The first row has the
mask 255.255.255.0, which covers the addresses from 10.0.12.0 to 10.0.12.255 and is therefore
compatible. The second row has the net mask 255.255.255.255, which covers only the single
address 10.0.12.10 and is not compatible. In other words, the computer's IP address is 10.0.12.0.
If we are sending a packet to the IP address 10.0.12.100, the row of interest is the first row,
because its first three bytes are the Net ID and match the IP address, and the net mask has all
1's up to the 4th byte, so the host ID 100 is eligible. The last row would also work, since it is
the default route. If we were to send a packet to the IP address 10.11.12.100, the only eligible
row is the default route, since the first and second bytes do not match the Net ID of any other
row.
The reason routing tables are sorted by longest prefix match is efficiency and specificity. It is
efficient because the table is sorted by the best route, and the best route is the longest prefix
because longer prefixes represent smaller and more specific networks within a larger network.
This means that the first entry in the table will have the longest prefix net mask and the last
entry in the table will have the shortest prefix net mask.
Removing a subnet from the routing table causes communication failure among devices within
the subnet. This occurs because the system lacks routing information for packets destined to
hosts within the same subnet, leading to routing errors.
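As an added example that is not part of the lab report, the lookup described in Routing task 1 can be done by hand in Python with the standard ipaddress module. The table below is reconstructed from the text of the task (the lab manual's Figure 8 is not reproduced here); the interface name eth0 and the convention that a gateway of 0.0.0.0 means an on-link route are assumptions, and the function names are the example's own. It compares a full longest-prefix scan with the first-match behaviour of a table sorted longest-prefix-first, and shows what happens to traffic for 10.0.12.100 when the subnet entry is removed.

```python
import ipaddress

# Added example (not from the lab report). The table is reconstructed from the
# text of Routing task 1; interface names and the 0.0.0.0 "on-link" gateway
# convention are assumptions.
ROUTING_TABLE = [
    # (destination,  netmask,           gateway,     interface)
    ("10.0.12.0",  "255.255.255.0",   "0.0.0.0",   "eth0"),  # the local subnet
    ("10.0.12.10", "255.255.255.255", "0.0.0.0",   "eth0"),  # a single host (/32)
    ("0.0.0.0",    "0.0.0.0",         "10.0.12.1", "eth0"),  # default route
]

ON_LINK = "0.0.0.0"  # gateway value meaning "deliver directly, no router involved"


def to_network(entry):
    destination, netmask, _, _ = entry
    return ipaddress.IPv4Network((destination, netmask))


def longest_prefix_match(table, dst):
    """Scan the whole table and keep the matching entry with the longest mask.
    Returns (network, gateway, interface) or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for entry in table:
        net = to_network(entry)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry[2], entry[3])
    return best


def sort_longest_prefix_first(table):
    """The ordering the report describes: most specific entry first, default last."""
    return sorted(table, key=lambda e: to_network(e).prefixlen, reverse=True)


def first_match(sorted_table, dst):
    """With the table sorted longest-prefix-first, the first hit is the best route."""
    addr = ipaddress.IPv4Address(dst)
    for entry in sorted_table:
        net = to_network(entry)
        if addr in net:
            return (net, entry[2], entry[3])
    return None


def next_hop(table, dst):
    """Where a packet to dst is sent: directly on the link or to a gateway router."""
    match = longest_prefix_match(table, dst)
    if match is None:
        return ("unreachable", None)
    net, gateway, interface = match
    if gateway == ON_LINK:
        return ("direct", interface)
    return ("gateway", gateway)


if __name__ == "__main__":
    for dst in ("10.0.12.100", "10.11.12.100", "10.0.12.10"):
        print(dst, "->", next_hop(ROUTING_TABLE, dst))
    # With the subnet entry removed, traffic for on-link hosts no longer matches
    # anything more specific than the default route and is handed to the gateway.
    print("10.0.12.100 without subnet route ->", next_hop(ROUTING_TABLE[1:], "10.0.12.100"))
```

The two lookup styles give the same answer for every destination; the sorted form is simply cheaper because it can stop at the first hit, which is why real tables are kept in that order.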
Now we use the tracert command in the command terminal, shown in Figure 11; the resulting
Wireshark capture is depicted in Figure 12.
Figure 11, Traceroute to cisco.com seen from the terminal
Figure 12, Internet path seen from wireshark. The screenshot is stitched together.
From the screenshot in Figure 12 we see the TTL incrementing as each successive router
receives a probe packet. The protocol for all of the messages is ICMP, which is crucial for
diagnosing communication errors. The type of message received is an error saying that the TTL
has exceeded its limit, marked in black, and the nodes sending these messages are
192.168.0.1, 100.81.184.1, 100.64.3.191, 82.209.155.94, 89.160.14.107 etc.
Traceroute works by sending a series of specially crafted data packets, similar to pings, with
progressively increasing Time-To-Live (TTL) values towards the target destination. The TTL is a
counter that is decremented as the packet traverses routers. Initially the packets have a TTL of
1, which ensures that they expire at the first router encountered. Each router returns an error
message when the TTL hits zero, indicated by a "TTL exceeded" at that hop. Traceroute repeats
this process, incrementing the TTL, until the destination or a maximum hop limit is reached,
which is seen in Figure 12. Analysis of the received error messages reveals the IP addresses of
the routers where the TTL expires, effectively mapping the packet's path.
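The mechanism just described, as an added simulation that is not part of the lab report: probes with TTL 1, 2, 3, ... are forwarded through a list of routers, each router decrements the TTL, and the router that brings it to zero answers with a Time Exceeded message. The router addresses are the ones the report lists from Figure 12; their order, the stand-in destination 203.0.113.10 (a documentation address used instead of cisco.com's real address) and the optional "silent" router that never answers are constructed for the example, as are the function names. It goes slightly beyond the text by also covering a hop that does not reply, which tracert shows as *.

```python
# Added example (not from the lab report): a simulation of the TTL mechanism
# that tracert relies on. Router addresses are the ones the report lists from
# Figure 12; hop order, the documentation-range destination standing in for
# cisco.com, and the "silent" router are constructed.
PATH = ["192.168.0.1", "100.81.184.1", "100.64.3.191", "82.209.155.94", "89.160.14.107"]
DESTINATION = "203.0.113.10"


def forward_probe(path, destination, ttl, silent=frozenset()):
    """Carry one probe hop by hop. Every router decrements the TTL; the router
    that decrements it to zero discards the probe and sends back an ICMP
    Time Exceeded (type 11) naming itself. If no router expires it, the
    destination answers the echo request. Returns (reply_kind, replying_node)."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router in silent:
                return ("timeout", None)       # a router that filters ICMP: shown as '*'
            return ("time_exceeded", router)
    return ("echo_reply", destination)


def traceroute(path, destination, max_hops=30, silent=frozenset()):
    """Send probes with TTL 1, 2, 3, ... until the destination replies or
    max_hops is reached; each hop is recorded as (ttl, node, reply_kind)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, node = forward_probe(path, destination, ttl, silent)
        hops.append((ttl, node, kind))
        if kind == "echo_reply":
            break
    return hops


def format_hops(hops):
    """Render the result one line per hop, in the spirit of tracert output."""
    lines = []
    for ttl, node, kind in hops:
        label = node if node is not None else "*"
        lines.append(f"{ttl:3d}  {label:<16} {kind}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_hops(traceroute(PATH, DESTINATION)))
    print()
    print(format_hops(traceroute(PATH, DESTINATION, silent={"100.64.3.191"})))
```

The real tracert sends three probes per TTL and uses ICMP Echo Requests on Windows, which is why every message in Figure 12 is ICMP; the simulation sends one probe per TTL to keep the hop list readable.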
DNS task
Prep questions
DNS.1 What is the purpose of a DNS request?
It changes human-readable website names into IP-addresses that the computer uses.
DNS task 1
DNS is like the phonebook of the Internet: it acts as a translator from website names
(e.g. google.com or wikipedia.org) into the numerical addresses computers use (like
"172.217.160.66" or "208.80.154.222"). This is vital because it makes the Internet user friendly
while allowing computers to communicate using IP addresses.
Figure 14, Using the filter "dns" in Wireshark, this is what is seen when nslookup is used on
google.com, i.e. what we did in Figure 13. The frame we are looking at is the first row
Reverse DNS
Figure 15, Reverse nslookup on google.com, where we use the address we got from the
command window
Figure 16, Reverse nslookup in Wireshark. The fully qualified nslookup is also in this screenshot.
We are still using the "dns" filter. This is related to Figure 15
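To show what the "dns" filter captures for the forward lookup of google.com. in DNS task 1 and the reverse lookup in Figures 15 and 16, here is an added example that is not part of the lab report. It builds the query message an nslookup-style resolver sends for a fully qualified name, derives the in-addr.arpa name used for the reverse lookup, and parses the answer section of a response. The response bytes are constructed in the code rather than captured; the A record value 172.217.160.66 is the example address the report quotes for google.com, the PTR target placeholder-host.example. is a placeholder, and the function names are the example's own.

```python
import struct

# Added example (not from the lab report). Responses are constructed here, not
# captured; 172.217.160.66 is the example address the report quotes for
# google.com and placeholder-host.example. is a placeholder PTR target.
QTYPE_A, QTYPE_PTR, CLASS_IN = 1, 12, 1


def encode_name(name):
    """Wire format: length-prefixed labels ending in a zero byte. A trailing
    dot marks a fully qualified name, so it is simply stripped before encoding."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a name that may use compression pointers (0xC0xx). Returns the
    name with a trailing dot and the offset just past the name in the message."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2          # a pointer terminates the on-wire name
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(name, qtype, txid=0x1234):
    """Header (ID, flags with RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def reverse_name(ipv4):
    """Owner name for a PTR lookup: octets reversed under in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def build_response(query, answers):
    """Constructed reply: same ID, QR/RD/RA flags, the question echoed, then one
    RR per (type, value) whose owner name is a pointer back to the question."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 0)
    rrs = b""
    for rtype, value in answers:
        rdata = bytes(int(o) for o in value.split(".")) if rtype == QTYPE_A else encode_name(value)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + rrs


def parse_answers(msg):
    """Walk past the question(s) and return [(owner, type, value)] for the answers."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                       # non-zero RCODE, e.g. NXDOMAIN: no answers
        return []
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4                          # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A:
            value = ".".join(str(b) for b in msg[offset:offset + rdlength])
        elif rtype == QTYPE_PTR:
            value, _ = decode_name(msg, offset)
        else:
            value = msg[offset:offset + rdlength]
        offset += rdlength
        answers.append((owner, rtype, value))
    return answers


if __name__ == "__main__":
    query = build_query("google.com.", QTYPE_A)
    reply = build_response(query, [(QTYPE_A, "172.217.160.66")])
    print(parse_answers(reply))
    ptr_query = build_query(reverse_name("172.217.160.66"), QTYPE_PTR)
    ptr_reply = build_response(ptr_query, [(QTYPE_PTR, "placeholder-host.example.")])
    print(parse_answers(ptr_reply))
```

The question bytes that build_query produces for google.com. are what Wireshark decodes in the first row of Figure 14, and the in-addr.arpa name from reverse_name is what appears as the query name in the reverse lookup of Figure 16. The unqualified name www from the introduction is not fully qualified, so a real resolver would append its search suffix before encoding it; this example encodes exactly what it is given.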