
Lab 05:

Inspecting IP Header & Examining IP fragmentation


1. Overview
In this lab, the students will investigate the IP protocol, focusing on the IP datagram. We’ll do so by
analyzing a trace of IP datagrams sent and received by the execution of the ping program. Students
will inspect the various fields of the IP datagram, and study IP fragmentation in detail.

2. Objectives
This lab aims to give students the ability:

a) To get familiar with the Linux terminal and working on the command line of the Linux OS (Alpine);
b) To use tcpdump for inspecting the Ethernet frame header of network packets;
c) To use tcpdump for inspecting the various fields of the IP header;
d) To understand fragmentation of IP datagrams, a function of the IP protocol used for large
data transmissions in some circumstances.

3. Lab Environment preparation


a) Install VMWare workstation/VirtualBox on your Windows Computer.
b) A minimal Alpine Linux virtual machine can be downloaded from here
c) Ping from one VM to make sure that you can get the reply messages from the other end.
An alternative way to do the lab is to create a containerized environment in Docker (highly
recommended). Follow this link to set it up.
The Docker setup will create a LAN connecting 2 hosts as in the following figure:

4. Tasks
To build both understanding and hands-on skill, all of the following tasks must be done
with tcpdump. Do not use other utilities such as Wireshark, because the convenience of that software will spoil
your effort.

4.1. Inspecting IP Header:

Read the various fields of the IP header of the first packet from the file saved in the above task. Answer the
following questions:

1. Does this packet have optional data?
2. ToS (type of service) (in hex)?
3. Identifier?
4. Is this packet fragmented?
5. TTL (in hex)?
6. Protocol ID (TCP/UDP/Others)?
7. Length (in decimal)?
8. Checksum (in hex)?
9. Source IP (dotted-decimal, hex)?
10. Destination IP (dotted-decimal, hex)?

4.2. Inspecting ICMP packets:

Read the first 2 packets from the file saved in the above task. Answer the following questions:

1. What are the values of the Type and Code fields?
2. What are the values of the Identifier and Sequence number fields?
3. Are the data bytes similar for those packets?

4.3. Study IP datagrams for large data transmission

In this task, you will send ICMP packets with a large size (2000 - 4000) to inspect fragmentation in
detail:

1. In the terminal of host-172.16.10.5, run tcpdump to sniff ICMP packets, specifying the -w option to save
the captured packets to a file;
2. In the terminal of host-172.16.10.6, ping host-172.16.10.5:
(prompt):~$ ping 172.16.10.5 -c4 -s 2500
Here -s is the size option and 2500 is the data size.
3. Read the captured file, examine the 1st Echo request packet and answer the following
questions:
a) Within the IP packet header, what is the value in the upper layer protocol field?
b) How many bytes are there in the IP header? How many bytes are there in the payload of
the IP datagram? Explain how you determined the number of payload bytes.
c) Has this IP datagram been fragmented across more than one? Explain how you
determined whether or not the datagram has been fragmented.
d) Look at the first fragment of the fragmented IP datagram. What information in the IP header indicates
that the datagram has been fragmented? What information in the IP header indicates whether
this is the first fragment versus a later fragment? How long is this IP datagram?
e) Look at the second fragment of the fragmented IP datagram. What information in the IP
header indicates that this is not the first datagram fragment? Are there more fragments?
How can you tell?
f) What fields change in the IP header between the first and second fragment?
4. Ping host-172.16.10.5 with the size option set to 4000. Answer the following questions:
a) How many echo reply messages are there for each echo request in comparison to the case
when the size 2500 is specified? Explain the difference.
b) Check out the fragment fields in the series of a fragmented echo reply/request messages
to verify your answer in (a).
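
As an added example (not part of the original lab handout), the Python code below decodes the IPv4 header fields asked about in sections 4.1 and 4.3 from raw header bytes, such as the hex printed by tcpdump -x, so that values decoded by hand can be checked. The two sample headers are constructed, assuming an MTU of 1500, an ID of 0x1a2b and a TTL of 64; the function names are chosen for this example.

```python
import ipaddress
import struct

def checksum_ok(header: bytes) -> bool:
    """The one's-complement sum of all 16-bit header words must fold to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the IPv4 header at the start of raw (bytes after the Ethernet header)."""
    if len(raw) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4            # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "header_len": ihl, "has_options": ihl > 20, "tos": tos,
        "total_len": total_len, "payload_len": total_len - ihl,
        "id": ident, "ttl": ttl, "protocol": proto, "checksum": csum,
        "df": bool(flags_frag & 0x4000),           # Don't Fragment
        "mf": bool(flags_frag & 0x2000),           # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # field is in 8-byte units
        "checksum_ok": checksum_ok(raw[:ihl]),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }

def fragment_role(h: dict) -> str:
    """Classify a parsed header by its MF flag and fragment offset."""
    if not h["mf"] and h["frag_offset"] == 0:
        return "unfragmented"
    if h["frag_offset"] == 0:
        return "first fragment"
    return "middle fragment" if h["mf"] else "last fragment"

# Constructed samples (not a real capture): the two fragments expected for
# `ping 172.16.10.5 -s 2500` from 172.16.10.6, assuming an MTU of 1500.
# The ID 0x1a2b and TTL 64 are made-up values.
FRAG1 = bytes.fromhex("450005dc1a2b20004001cecaac100a06ac100a05")
FRAG2 = bytes.fromhex("450004181a2b00b94001efd5ac100a06ac100a05")

if __name__ == "__main__":
    for raw in (FRAG1, FRAG2):
        h = parse_ipv4_header(raw)
        print(fragment_role(h), h)
```

The two payload lengths add up to 2508 bytes: the 2500 data bytes requested with -s plus the 8-byte ICMP header.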
