Wireshark Ethernet and ARP 实验—Wireshark Lab: Ethernet and ARP v7.0

Posted 之墨_

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Wireshark Ethernet and ARP 实验—Wireshark Lab: Ethernet and ARP v7.0相关的知识,希望对你有一定的参考价值。

Wireshark Lab: Ethernet and ARP v7.0

1. Capturing and analyzing Ethernet frames

清除浏览器缓存

使用wireshark抓包并请求网页

修改“捕获数据包列表”窗口,仅显示有关 IP 以下协议的信息。


抓包干扰较多,故分析作者的数据包回答下列问题
包含HTTP GET消息的以太网帧如下:

1

What is the 48-bit Ethernet address of your computer?

Ethernet address :AmbitMic_a9:3d:68 (00:d0:59:a9:3d:68)

2

What is the 48-bit destination address in the Ethernet frame?

destination address: LinksysG_da:af:73 (00:06:25:da:af:73)。

Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no).
不是 gaia.cs.umass.edu 的以太网地址

What device has this as its Ethernet address?
这个可能是连接该子网的路由器的地址。

[Note: this is an important question, and one that students sometimes get wrong. Re-read pages 468-469 in the text and make sure you understand the answer here.]

3

Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to?
hexadecimal value :0x0800
protocol :IPV4

4

How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET” appear in the Ethernet frame?


16 × 3+6=54 bytes

Next, answer the following questions, based on the contents of the Ethernet frame containing the first byte of the HTTP response message.

5

What is the value of the Ethernet source address?

source address:LinksysG_da:af:73 (00:06:25:da:af:73)

Is this the address of your computer, or of gaia.cs.umass.edu ?(Hint: the answer is no).
不是
What device has this as its Ethernet address?
是连接该子网的路由器的地址

6

What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer?

destination address: AmbitMic_a9:3d:68 (00:d0:59:a9:3d:68)
是本机地址

7

Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to?

hexadecimal value:0x0800
protocol:IPV4

8

How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e., the HTTP response code) appear in the Ethernet frame?

4 × 16 + 4 = 68bytes

2. The Address Resolution Protocol

  1. 进入目录C:\\Windows\\System32
  2. 命令行输入 arp -a

9

Write down the contents of your computer’s ARP cache. What is the meaning of
each column value?

  • 网卡:

  • 路由 IP :

  • MAC 地址:

  • 广播地址:

  • 组播地址:

  1. 清空arp缓存
  2. 清空浏览器的缓存。
  3. 开始抓包
  4. 请求网页http://gaia.cs.umass.edu/wireshark-labs/HTTP-ethereal-lab-file3.html
  5. 停止抓包
  6. 由于不关心IP和更高层的协议,故点击 分析–>启用的协议,取消选中IP框再选择OK
    抓到的包的页面如下:

使用作者的数据包回答下列问题:

10

What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP request message?


destination : Broadcast (ff:ff:ff:ff:ff:ff)
source : AmbitMic_a9:3d:68 (00:d0:59:a9:3d:68)

11

Give the hexadecimal value for the two-byte Ethernet Frame type field. What
upper layer protocol does this correspond to?


hexadecimal value:0x0806

12


Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt.
A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.

a) How many bytes from the very beginning of the Ethernet frame does the
ARP opcode field begin?


16 + 4 = 20bytes
b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP request is made?


0x0001
c) Does the ARP message contain the IP address of the sender?

包含IP address of the sender
d) Where in the ARP request does the “question” appear – the Ethernet
address of the machine whose corresponding IP address is being queried?

Opcode值为1表示 request

13

Now find the ARP reply that was sent in response to the ARP request.

a) How many bytes from the very beginning of the Ethernet frame does the
ARP opcode field begin?


16+4=20bytes

b) What is the value of the opcode field within the ARP-payload part of the
Ethernet frame in which an ARP response is made?


为0x0002

c) Where in the ARP message does the “answer” to the earlier ARP request
appear – the IP address of the machine having the Ethernet address whose
corresponding IP address is being queried?

Opcode: reply (2) ,值为2 ,表示reply

14

What are the hexadecimal values for the source and destination addresses in the
Ethernet frame containing the ARP reply message?


destination : AmbitMic_a9:3d:68 (00:d0:59:a9:3d:68)
source : LinksysG_da:af:73 (00:06:25:da:af:73)

15

Open the ethernet-ethereal-trace-1 trace file in
http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip.
The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 – another ARP request.

Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace?
因为查询ARP报文通过广播帧发送的,对应子网的所有节点都能收到该报文,但是响应ARP报文仅通过一个标准帧发送,只有请求ARP的对应节点才能收到

Extra Credit

EX-1.

The arp command: arp -s InetAddr EtherAddr allows you to manually add an entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. What would happen if, when you manually added an entry, you entered the correct IP address, but the wrong Ethernet address for that remote interface?
会导致本地主机无法与该IP地址对应的节点建立连接

EX-2.

What is the default amount of time that an entry remains in your ARP cache before being removed. You can determine this empirically (by monitoring the cache contents) or by looking this up in your operation system documentation. Indicate how/where you determined this value.

命令行输入netsh interface ipv4 show interfaces


Idx = 14 对应 WLAN
netsh interface ipv4 show interface 14查询接口WLAN的参数

基本可访问时间为 30000 毫秒,则ARP cache条目TTL为30000

以上是关于Wireshark Ethernet and ARP 实验—Wireshark Lab: Ethernet and ARP v7.0的主要内容,如果未能解决你的问题,请参考以下文章

解决Qualcomm Atheros AR8161 Gigabit Ethernet网卡Linux下坏掉的问题

Wireshark的简单使用

wireshark抓包图解 TCP三次握手/四次挥手详解

Wireshark OSI二层抓包过滤规则和显示过滤规则实例

网卡TSO

Kafka ISR and AR HW LEO