Assignment

Given:

13:05:20.988706 0e:8d:60:2a:47:21 > 00:04:e2:fc:ee:1f, ethertype IPv4 (0x0800), length 186: (tos 0x10, ttl 64, id 30815, offset 0, flags [DF], proto TCP (6), length 172)
   199.17.59.191.ssh > 64.83.217.120.14743: Flags [P.], cksum 0x1d3b (incorrect -> 0x81b2), seq 2553156370:2553156502, ack 2136047233, win 18760, length 132
       0x0000: 4510 00ac 785f 4000 4006 a540 c711 3bbf E...x_@.@..@..;.
       0x0010: 4053 d978 0016 3997 982e 1312 7f51 7e81 @S.x..9......Q~.
       0x0020: 5018 4948 1d3b 0000 3699 123e 395d 549e P.IH.;..6..>9]T.
       0x0030: 2b05 dd16 bc53 c589 fc37 f84d 8399 d19b +....S...7.M....
       0x0040: 2c3f 2819 fb1c 4776 f8d4 15b8 190d a4f8 ,?(...Gv........
       0x0050: 1fe3 1345 1827 4744 caea 9718 f168 05ea ...E.'GD.....h..
       0x0060: be76 12ef 5f9d 5015 aefb 1361 e0e4 57d2 .v.._.P....a..W.
       0x0070: 384f 7ad4 90a0 f0cf 4e3d 0334 b234 f69b 8Oz.....N=.4.4..
       0x0080: 123a 14ad 23a4 c363 3243 3095 d5fe e8e0 .:..#..c2C0.....
       0x0090: f381 dcef e7b1 0c57 f22e ee42 8f8b 65ac .......W...B..e.
       0x00a0: 883e 0f47 a96f 054b 7078 bf79           .>.G.o.Kpx.y

1. What is the source and destination physical addresses?

2. What is the source IP adress? What version of IP is being used

3. What service is being used (hint what runs on port 22?) ____

4. How many routers could this packet pass through?

5. What is the length of the payload (assuming the layer 2 header is 14 bytes)

6. In looking at the interpretation of the payload (red above), why can't we read the contents? If so which ones?

8. Is any flag set related to fragmentation?

9. What class is the destination IP address?

10. Is there anything above that would indicate that the integrity of this packet may have been compromised?

Given:    

[dguster@mermes ~]$ sudo tcpdump port 53 -e -n -vvv -X -c5

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

13:21:09.655454 0e:8d:60:2a:47:21 > c2:2f:1c:0e:e0:40, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 48, id 33912, offset 0, flags [DF], proto UDP (17), length 72)
   199.17.59.191.56056 > 199.17.59.4.domain: [bad udp cksum 1afb!] 13733+ PTR? 120.217.83.64.in-addr.arpa. (44)
       0x0000: 4500 0048 8478 4000 3011 b146 c711 3bbf E..H.x@[email protected]..;.
       0x0010: c711 3b04 daf8 0035 0034 052c 35a5 0100 ..;....5.4.,5...
       0x0020: 0001 0000 0000 0000 0331 3230 0332 3137 .........120.217
       0x0030: 0238 3302 3634 0769 6e2d 6164 6472 0461 .83.64.in-addr.a
       0x0040: 7270 6100 000c 0001                     rpa.....

1.What is the destination physical addresses?

2. What is the destination IP adress? What version of IP is being used?

3. What service is being used (hint what runs on port 53?)

4. How many routers could this packet pass through?

5. What is the length of the payload (assuming the layer 2 header is 14 bytes) of the contents?

6. In looking at the interpretation of the payload (red above), why can we read some

7. Are any udP flags set? (careful this is a trick question!)

9. What class is the destination IP address?

10. Is there anything above that would indicate that the integrity of this packet may have been compromised?

If so what?

11. For you advanced types: What does the contents of the payload above indicate is taking place in regard to IP address resolution?

Given:

13:30:22.298873 bc:ae:c5:c2:57:2f > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.5.2.52 tell 10.0.35.10, length 46
       0x0000: 0001 0800 0604 0001 bcae c5c2 572f 0a00 ............W/..
       0x0010: 230a 0000 0000 0000 0a05 0234 0000 0000 #..........4....
       0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............

1. What kind of packet is this and what is its purpose?

2. What is special about the destination physical address?

3. What does 10.0.35.10 want to know about 10.5.2.52?

4. Why is there no IP header?

5. What is the length of the entire packet?

ANSWER ONLY TWO OF THE FOLLOWING:

We now know that the network address is an OSI layer 3 address. Currently the IPv4 addressing scheme is still the most widely used and the one used on forum where our packet sniffer resides. Our goal is to use our unix system to increase our understanding of how two types of address resolution take place. First, network to physical. We know this is necessary because you can not deliver a packet to a device without knowing the physical address. However, that address does not need to be resolved until the last hop.

In other words someone can send me a packet from Finland and the physical address doesn't need to be determined until it reaches my home LAN (each router along the way forwards it according to its network address). Second, English to numeric IP (or the reverse). Endusers do not like to remember the numeric IP, rather they perfer the English because it is easier to remember.

How many entries in the original arp table?

How many entries are there after node 7 is pinged?

PLEASE COMPLETE ALL OF THE FOLLOWING QUESTIONS:

Question 1. How can TCP/IP be broken in to a 4 layer model?

Question 2. What are some options in regard to providing physical connectivity? What media can they use? What are some common transmission speeds? What inroads has Ethernet made on WANs?

Question 3. Given the below, what are the source and destination physical address? The source and destination net.node.port address? What is the size of the packet?

Question 4. In the above. Which set of addresses are used in the network layer? Which set are used in the internet layer?

What is the difference between a protocol and a service?

Question 6. Classify the following as either a protocol or a service: ftp, telnet, ip, tcp, ggp, udp, rip, chargen. Pick one service and describe it purpose in detail. Given: 132.44.77.35.22 which service is being referenced?