MAT 201B / CS 290I-- Media Networks and Services
Homework Assignment #2
TURNED IN BEFORE Class on Tuesday 10/31/00
You will be expected to understand what is going on in the
network. This is something of a difficult task because network
protocol designers have worked so hard to provide so much abstraction
to the higher layer protocols. Never fear though, there are tools
that we can use.
The two parts of this assignment are:
- Use snoop to examine a packet trace
- Use arp, traceroute, netstat, nslookup, whois
Assignment Part 1 Details
The goal of the assignment is to examine real protocols in
use and understand the communication that takes place in a network by
examining the bits that flow across a network segment.
For this part of the assignment you will have to use your CS UNIX account.
The reason is that Windows has no snoop command; snoop ships with Solaris,
and other UNIX systems have equivalents such as tcpdump. The command is snoop; however,
it requires root privileges to run. This is a good thing because it
should be hard to snoop packets on the network! So, I've done the
snooping and created a dump file for you to use.
Take the hw2-snoop-file.bin.gz
(NOTE: Make sure you download this file, i.e. right click and select
``Save Link As''.)
and use it as the source file for snoop (HINT: do a
man snoop and look at how to use the -i option...
you can do this without having root). You will also want to use some
of the other options that come with snoop. Pay attention to the
options which give you the most information about each packet.
Some of the questions below will be about material that we have not
covered, and will not cover, in class. You'll have to use one of the
class textbooks as a reference to answer them. I will also try to
provide some in-class time to answer questions.
A note about grading: a key to a good grade will be your ability
to communicate that you understand most everything about the
packet trace. This implies, as usual, a clear, concise write-up!
The questions below are designed to help you find the most interesting
aspects of the trace, but they are by no means exhaustive. There will
be other interesting results that you should find.
Your write-up for this part of the assignment can take any form
you like. The most straightforward is to simply answer each
question though I would strongly recommend against this. The reason
is that the questions are purposely haphazard. My suggestion is to
first answer the questions, understand what is going on in the trace,
and then create a description of the session filling in the details
when appropriate. As a minimum, you should re-order the questions
to flow more logically; reduce redundancy (yes, there are some redundant
questions); and add any questions that you think are important, but
that I have not specifically asked. Here are the sample questions:
- How many total packets are in the trace file?
- What protocols (at each layer of the Internet stack) are seen
at least once somewhere in the trace?
- What are the contents and function of each packet (you can summarize
series of packets that work to accomplish some high level function but
be sure to include a sufficient amount of detail)?
- What is the Ethernet address and host name of the sender and receiver?
- What is the IP address and host name of the sender and receiver?
What port numbers do you also see? How were the particular
- Is there any additional information about network agents other
than the source and destination? If yes, describe what information is
- How well does the Internet protocol stack adhere to the
principles of layering and abstraction? In other words, is there
any information in a particular layer of the protocol stack which
is affected by the type of protocol above or below it?
- What is the Ethernet packet type and what does it mean?
- What different IP packet types can be seen, and what does each mean?
- Which packets are fragments and which are not?
- Why would some packets have the ``Don't fragment'' bit set?
- How many checksums are there in each packet?
What is the reason for this number?
- What are the ranges of sequence numbers?
- What are the ranges of acknowledgment numbers?
- What is the window size? Does it ever change? How is it chosen?
- Why the difference in the TTL values? If there was suddenly a change
in the reported TTL, what would that be an indicator of?
- This packet trace is full of surprises, especially for someone who
has never looked at a packet trace in detail before. List a few
observations that were surprising to you including details of the
observation and why it was particularly noteworthy.
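Since snoop -i only shows you what it chooses to decode, it helps to see what the dump file actually contains. The following Python program is an added worked example, not part of this assignment and not code from snoop: it parses the snoop capture format (RFC 1761: an 8-byte "snoop" signature, a version and datalink word, then a fixed 24-byte record header in front of each frame), dissects the Ethernet, ARP, IP and TCP headers, verifies the IP and TCP checksums, and reports the counts and ranges the questions above ask for. The capture it analyses is constructed in memory, so every MAC and IP address (drawn from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the deliberately tiny fragmented segment are made up. To run it on the real file, pass the bytes of the gunzipped hw2-snoop-file.bin to analyze().

```python
"""Parse a snoop(1) capture (RFC 1761) and answer the Part 1 trace questions:
packet count, protocols per layer, fragments, DF bit, TTLs, TCP seq/ack/window
ranges and checksum validity. The capture below is constructed, not the course's.
"""
import struct
from ipaddress import IPv4Address

SNOOP_MAGIC = b"snoop\x00\x00\x00"   # 8-byte file signature
SNOOP_VERSION, DLT_ETHERNET = 2, 4
ETH_IP, ETH_ARP = 0x0800, 0x0806
IPPROTO_TCP = 6
IP_DF, IP_MF = 0x4000, 0x2000


def inet_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over data holding a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def aton(ip):
    return IPv4Address(ip).packed


def ntoa(b):
    return str(IPv4Address(b))


def mac(b):
    return ":".join("%02x" % x for x in b)


# --- builders, used only to construct the sample capture ---------------------
def build_eth(dst, src, etype, payload):
    return struct.pack("!6s6sH", dst, src, etype) + payload


def build_arp(oper, sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, oper, sha, aton(spa), tha, aton(tpa))


def build_ipv4(src, dst, proto, payload, ttl, ident, df=False, mf=False, frag_off=0):
    """frag_off is in 8-byte units, as on the wire."""
    flags_off = (IP_DF if df else 0) | (IP_MF if mf else 0) | frag_off
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, ttl, proto, 0, aton(src), aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_tcp(src, dst, sport, dport, seq, ack, flags, window, payload=b""):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    # Pseudo-header: the TCP checksum covers the IP addresses (a layering leak).
    pseudo = aton(src) + aton(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, len(hdr) + len(payload))
    csum = inet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_snoop(frames):
    out = [SNOOP_MAGIC, struct.pack("!II", SNOOP_VERSION, DLT_ETHERNET)]
    for i, frame in enumerate(frames):
        pad = (-len(frame)) % 4                    # records are padded to 4 bytes
        rec_len = 24 + len(frame) + pad
        out.append(struct.pack("!IIIIII", len(frame), len(frame), rec_len, 0, 972000000 + i, i * 1000))
        out.append(frame + b"\x00" * pad)
    return b"".join(out)


# --- parser ------------------------------------------------------------------
def parse_snoop(blob):
    """Return the captured frames of a snoop file; raises on a bad header."""
    if blob[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    version, dlt = struct.unpack("!II", blob[8:16])
    if version != SNOOP_VERSION or dlt != DLT_ETHERNET:
        raise ValueError("unsupported snoop version/datalink %d/%d" % (version, dlt))
    frames, pos = [], 16
    while pos + 24 <= len(blob):
        _orig, incl, rec_len, _drops, _sec, _usec = struct.unpack("!IIIIII", blob[pos:pos + 24])
        if rec_len < 24 + incl:
            raise ValueError("corrupt record at offset %d" % pos)
        frames.append(blob[pos + 24:pos + 24 + incl])
        pos += rec_len
    return frames


def dissect(frame):
    """Decode Ethernet / ARP / IP / TCP headers into a dict of fields."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    p = {"layers": ["Ethernet"], "eth_src": mac(src), "eth_dst": mac(dst), "eth_type": etype, "checksums": 0}
    body = frame[14:]
    if etype == ETH_ARP:
        p["layers"].append("ARP")
        oper, _sha, spa, _tha, tpa = struct.unpack("!H6s4s6s4s", body[6:28])
        p.update(arp_op={1: "request", 2: "reply"}.get(oper, oper), arp_spa=ntoa(spa), arp_tpa=ntoa(tpa))
        return p
    if etype != ETH_IP:
        return p
    p["layers"].append("IP")
    vihl, _tos, tlen, ident, flags_off, ttl, proto, _csum = struct.unpack("!BBHHHBBH", body[:12])
    ihl = (vihl & 0x0F) * 4
    p.update(ip_src=ntoa(body[12:16]), ip_dst=ntoa(body[16:20]), ip_id=ident, ttl=ttl, ip_proto=proto,
             df=bool(flags_off & IP_DF), mf=bool(flags_off & IP_MF), frag_off=(flags_off & 0x1FFF) * 8)
    p["is_fragment"] = p["mf"] or p["frag_off"] > 0
    p["ip_csum_ok"] = inet_checksum(body[:ihl]) == 0   # Ethernet FCS is stripped before capture
    p["checksums"] = 1
    ip_payload = body[ihl:tlen]                         # ignores any Ethernet padding
    if proto == IPPROTO_TCP and p["frag_off"] == 0:     # only the first fragment carries the TCP header
        p["layers"].append("TCP")
        sport, dport, seq, ack, _doff, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", ip_payload[:20])
        p.update(sport=sport, dport=dport, seq=seq, ack=ack, tcp_flags=flags, window=win)
        p["checksums"] = 2
        if p["mf"]:
            p["tcp_csum_ok"] = None   # covers the whole segment: needs reassembly to verify
        else:
            pseudo = body[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(ip_payload))
            p["tcp_csum_ok"] = inet_checksum(pseudo + ip_payload) == 0
    return p


def summarize(frames):
    pkts = [dissect(f) for f in frames]
    tcp = [p for p in pkts if "TCP" in p["layers"]]
    return {
        "packets": len(pkts),
        "protocols": sorted({layer for p in pkts for layer in p["layers"]}),
        "fragments": [i for i, p in enumerate(pkts) if p.get("is_fragment")],
        "df_set": [i for i, p in enumerate(pkts) if p.get("df")],
        "ttls": sorted({p["ttl"] for p in pkts if "ttl" in p}),
        "seq_range": (min(p["seq"] for p in tcp), max(p["seq"] for p in tcp)) if tcp else None,
        "ack_range": (min(p["ack"] for p in tcp), max(p["ack"] for p in tcp)) if tcp else None,
        "windows": sorted({p["window"] for p in tcp}),
        "checksums_per_packet": [p["checksums"] for p in pkts],
        "bad_checksums": [i for i, p in enumerate(pkts)
                          if p.get("ip_csum_ok") is False or p.get("tcp_csum_ok") is False],
    }


def analyze(blob):
    return summarize(parse_snoop(blob))


# --- constructed sample capture (all addresses made up) ----------------------
BCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6
CLIENT_MAC, GW_MAC = bytes.fromhex("0000c0010203"), bytes.fromhex("00a0c9aabbcc")
CLIENT_IP, GW_IP, SERVER_IP = "192.0.2.10", "192.0.2.1", "198.51.100.5"
SYN, ACK, PSH = 0x02, 0x10, 0x08


def sample_capture():
    """ARP for the gateway, a TCP handshake with a remote web server, then a
    (deliberately tiny) data segment that the sender fragmented."""
    request = build_tcp(CLIENT_IP, SERVER_IP, 40000, 80, 1001, 5001, PSH | ACK, 8760, b"GET / HTTP/1.0\r\n")
    frames = [
        build_eth(BCAST, CLIENT_MAC, ETH_ARP, build_arp(1, CLIENT_MAC, CLIENT_IP, ZERO_MAC, GW_IP)),
        build_eth(CLIENT_MAC, GW_MAC, ETH_ARP, build_arp(2, GW_MAC, GW_IP, CLIENT_MAC, CLIENT_IP)),
        # Frames to the off-LAN server carry the gateway's MAC, not the server's.
        build_eth(GW_MAC, CLIENT_MAC, ETH_IP, build_ipv4(CLIENT_IP, SERVER_IP, IPPROTO_TCP,
                  build_tcp(CLIENT_IP, SERVER_IP, 40000, 80, 1000, 0, SYN, 8760), ttl=64, ident=1, df=True)),
        build_eth(CLIENT_MAC, GW_MAC, ETH_IP, build_ipv4(SERVER_IP, CLIENT_IP, IPPROTO_TCP,
                  build_tcp(SERVER_IP, CLIENT_IP, 80, 40000, 5000, 1001, SYN | ACK, 24820), ttl=52, ident=900)),
        build_eth(GW_MAC, CLIENT_MAC, ETH_IP, build_ipv4(CLIENT_IP, SERVER_IP, IPPROTO_TCP,
                  build_tcp(CLIENT_IP, SERVER_IP, 40000, 80, 1001, 5001, ACK, 8760), ttl=64, ident=2, df=True)),
        # First fragment: TCP header plus 4 data bytes (24 bytes, a multiple of 8); second: the rest at offset 3*8.
        build_eth(GW_MAC, CLIENT_MAC, ETH_IP, build_ipv4(CLIENT_IP, SERVER_IP, IPPROTO_TCP, request[:24],
                  ttl=64, ident=3, mf=True)),
        build_eth(GW_MAC, CLIENT_MAC, ETH_IP, build_ipv4(CLIENT_IP, SERVER_IP, IPPROTO_TCP, request[24:],
                  ttl=64, ident=3, frag_off=3)),
    ]
    return build_snoop(frames)


if __name__ == "__main__":
    for key, value in analyze(sample_capture()).items():
        print("%-22s %s" % (key, value))
```

Three things in this output bear directly on the questions: the Ethernet and IP destinations of the client's frames differ because the server is off the local segment, the TCP checksum verification needs the IP addresses from the layer below (which is the layering violation the stack-abstraction question is after), and the TCP checksum of a fragmented segment cannot be checked until the fragments are reassembled, which is why only the IP header checksum is reported for the second fragment.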
Assignment Part 2 Details
Use the following tools to answer the following questions.
- What is the arp table for your local machine? Include
- What is the option to manually add entries to the arp table?
Create a hypothetical new table entry. What would the command look like
to add this entry? What happens when you try to add an entry to the
arp table? Why do you suppose you get the result that you do?
- Determine a mechanism, by whatever ``legal'' means possible
to have additional host entries appear in the arp table. Use this
mechanism to add at least one new host to the arp table and include
a printout that is different from Part (A).
- Arp cache entries obviously timeout after some amount of time.
How could you figure out what the timeout value actually is? (Anyone
care to figure out what the actual value is?)
- Explain in detail how traceroute works.
- Perform a traceroute from your machine to ftp.ietf.org.
Include a copy of the output and explain what happened including a
description of what each of the fields means.
- What happens if you traceroute to a non-existent machine?
Include a copy of the traceroute. How do you know the machine that you
traced to was non-existent instead of just down or not responding?
If you traceroute to another non-existent machine, how are the results
similar/different? (NOTE: Tracing to a non-existent machine is
a non-trivial task... truly determining that an IP address is not
in use is a HARD problem.)
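To make the traceroute explanation concrete, here is an added Python simulation; it is not course material and not the real traceroute program, which needs raw sockets and root. It builds the UDP probes traceroute sends with TTL 1, 2, 3, ..., walks each through a constructed three-router path, and parses the ICMP Time Exceeded (type 11) and Destination Unreachable (type 3) messages that come back, matching each reply to its probe by the UDP destination port quoted inside the ICMP error. The router addresses and the three assumed target behaviours (up, absent from its LAN, silent) are made up to show why the non-existent-host question above is hard: a host that is absent behind a filter and a host that simply drops probes produce the same output.

```python
"""Simulated traceroute: what is sent, what comes back, and how a silent host
and a non-existent one look alike. Added example; the path is constructed."""
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
UNREACH_HOST, UNREACH_PORT = 1, 3
BASE_PORT, MAX_TTL, PROBES = 33434, 30, 3     # BSD traceroute defaults


def inet_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def aton(ip):
    return IPv4Address(ip).packed


def build_ip(src, dst, proto, ttl, payload, ident=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0, aton(src), aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport, dport, payload=b""):
    # IPv4 allows a zero (disabled) UDP checksum; traceroute probes carry no data anyway.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_error(icmp_type, code, offending):
    """RFC 792 error: type, code, checksum, 4 unused bytes, then the offending
    datagram's IP header plus its first 8 bytes (here, the UDP header)."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_ip(pkt):
    vihl, _tos, tlen, _id, _fo, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    return str(IPv4Address(src)), str(IPv4Address(dst)), ttl, proto, pkt[ihl:tlen]


def parse_icmp_reply(reply):
    """Return (responder, icmp type, code, UDP dst port quoted in the error)."""
    src, _dst, _ttl, proto, icmp = parse_ip(reply)
    if proto != IPPROTO_ICMP or inet_checksum(icmp) != 0:
        raise ValueError("not a valid ICMP message")
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    return src, icmp[0], icmp[1], struct.unpack("!H", quoted[ihl + 2:ihl + 4])[0]


def simulate_network(datagram, path, target_mode):
    """Forward the probe router by router; return the ICMP datagram that reaches
    the sender, or None if nothing answers."""
    src, dst, ttl, _proto, _payload = parse_ip(datagram)
    for router_ip in path:
        ttl -= 1                                  # every router decrements TTL
        if ttl == 0:                              # ... and reports expiry to the sender
            return build_ip(router_ip, src, IPPROTO_ICMP, 64,
                            build_icmp_error(ICMP_TIME_EXCEEDED, 0, datagram))
    if target_mode == "absent":                   # last router gets no ARP reply for dst
        return build_ip(path[-1], src, IPPROTO_ICMP, 64,
                        build_icmp_error(ICMP_UNREACH, UNREACH_HOST, datagram))
    if target_mode == "silent":                   # host or firewall drops the probe
        return None
    return build_ip(dst, src, IPPROTO_ICMP, 64,   # nothing listens on the high port
                    build_icmp_error(ICMP_UNREACH, UNREACH_PORT, datagram))


def traceroute(src, dst, path, target_mode, max_ttl=MAX_TTL):
    """Rows of (ttl, [responder or None per probe], annotation), like the printout."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        responders, note, done = [], "", False
        for probe in range(PROBES):
            dport = BASE_PORT + (ttl - 1) * PROBES + probe   # unique port per probe
            datagram = build_ip(src, dst, IPPROTO_UDP, ttl, build_udp(40000, dport), ident=ttl)
            reply = simulate_network(datagram, path, target_mode)
            if reply is None:
                responders.append(None)                      # printed as '*'
                continue
            who, itype, code, quoted = parse_icmp_reply(reply)
            if quoted != dport:
                responders.append(None)                      # stray ICMP, not ours
                continue
            responders.append(who)
            if itype == ICMP_UNREACH:                        # destination reached, or !H
                done = True
                note = "" if code == UNREACH_PORT else "!H" if code == UNREACH_HOST else "!<%d>" % code
        rows.append((ttl, responders, note))
        if done:
            break
    return rows


def format_hop(row):
    ttl, responders, note = row                   # RTTs omitted: nothing is timed here
    return "%2d  %s %s" % (ttl, "  ".join(r or "*" for r in responders), note)


PATH = ["192.0.2.1", "203.0.113.9", "198.51.100.1"]   # constructed routers

if __name__ == "__main__":
    for mode in ("up", "absent", "silent"):
        print("traceroute to 198.51.100.20 (%s host), %d hops max" % (mode, MAX_TTL))
        for row in traceroute("192.0.2.10", "198.51.100.20", PATH, mode)[:6]:
            print(format_hop(row))
```

The "absent" case only yields the !H annotation because the last-hop router is on the target's own subnet and gives up on ARP; an intermediate filter that silently discards the probes turns the same host into the "silent" case, thirty lines of * * *, which is exactly what a live but firewalled host produces too.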
- What is netstat and what is it used for?
- What parameters should you use to show all the TCP connections
established? Include a printout of this list.
- What does netstat -r show? What is noteworthy about
- What is the IP address for the machine lennon.cc.gatech.edu?
- What local machine is this information coming from? Why is
it coming from this machine?
- Here is the problem: I want to find the IP address of where
my email to firstname.lastname@example.org goes. What happens when I do an nslookup
- What you really need to do is find the ``mail exchanger''
for aol.com. There is an option in nslookup that tells you what the
mail exchanger is for aol.com. Figure out the exact syntax
of this command, and execute it. Now what is the IP
address of where my email to email@example.com goes?
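The nslookup option in question changes the query type from A to MX. The following added Python example, which is not course material and not code from nslookup, shows what that query looks like on the wire and how the reply is decoded, including the compression pointers DNS uses for names that repeat. The reply is constructed locally for the hypothetical domain example.com, so the exchangers and addresses are made up rather than aol.com's real ones; the point is that the answer to "where does the mail go" is the A record of the exchanger host in the additional section, not an address for the domain itself.

```python
"""Build the DNS query that 'set type=MX' sends and parse an MX reply.
Added example; the reply is constructed for a made-up domain."""
import struct
from ipaddress import IPv4Address

QTYPE_A, QTYPE_MX, QCLASS_IN = 1, 15, 1
FLAG_QR, FLAG_RA, FLAG_RD = 0x8000, 0x0080, 0x0100


def encode_name(name, offsets=None, pos=0):
    """Wire-format name; with a compression table, a name already written at
    an earlier offset becomes a 2-byte pointer (RFC 1035 section 4.1.4)."""
    if offsets is not None and name in offsets:
        return struct.pack("!H", 0xC000 | offsets[name])
    if offsets is not None:
        offsets[name] = pos
    labels = b"".join(struct.pack("!B", len(l)) + l.encode() for l in name.rstrip(".").split("."))
    return labels + b"\x00"


def build_query(qid, name, qtype=QTYPE_MX):
    """Header: id, flags (RD set), qdcount=1; then one question."""
    return struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def build_response(query, mx_records, glue):
    """Constructed authoritative-style reply: MX RRs in the answer section and
    A records for the exchangers in the additional section."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, qend = read_name(query, 12)
    offsets = {}
    msg = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | FLAG_RA, 1, len(mx_records), 0, len(glue))
    msg += encode_name(qname, offsets, len(msg)) + query[qend:qend + 4]
    for pref, exchange in mx_records:
        msg += encode_name(qname, offsets, len(msg)) + struct.pack("!HHI", QTYPE_MX, QCLASS_IN, 3600)
        rdata = struct.pack("!H", pref) + encode_name(exchange, offsets, len(msg) + 4)  # after rdlength+pref
        msg += struct.pack("!H", len(rdata)) + rdata
    for host, ip in glue:
        msg += encode_name(host, offsets, len(msg)) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
        msg += IPv4Address(ip).packed
    return msg


def parse_response(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _name, off = read_name(msg, off)
        off += 4                                  # skip qtype, qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == QTYPE_MX:                 # preference, then a (compressible) host name
                value = (struct.unpack("!H", rdata[:2])[0], read_name(msg, off + 2)[0])
            elif rtype == QTYPE_A:
                value = str(IPv4Address(rdata))
            else:
                value = rdata
            sections[section].append((name, rtype, ttl, value))
            off += rdlen
    return {"id": qid, "rcode": flags & 0x0F, "authoritative": bool(flags & 0x0400), **sections}


def mail_exchangers(response):
    """Exchangers lowest preference first, each with the glue addresses that
    say where the mail actually goes."""
    glue = {}
    for name, rtype, _ttl, value in response["additional"]:
        if rtype == QTYPE_A:
            glue.setdefault(name, []).append(value)
    mxs = [value for _n, rtype, _t, value in response["answer"] if rtype == QTYPE_MX]
    return [(pref, host, glue.get(host, [])) for pref, host in sorted(mxs)]


def sample_exchange(domain="example.com"):
    """Constructed query/reply pair; exchangers and addresses are made up."""
    query = build_query(0x1234, domain)
    reply = build_response(query, [(20, "mx2." + domain), (10, "mx1." + domain)],
                           [("mx1." + domain, "192.0.2.25"), ("mx2." + domain, "192.0.2.26")])
    return query, reply


if __name__ == "__main__":
    query, reply = sample_exchange()
    print("query  :", query.hex())
    for pref, host, ips in mail_exchangers(parse_response(reply)):
        print("MX pref %d  %s  %s" % (pref, host, ", ".join(ips)))
```

A real resolver would also have to handle a reply with no additional section, in which case the exchanger name must be looked up with a second A query; the code above just returns an empty address list for it, which is the cue to do so.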
- What class of IP address does my machine (jackson.cs.ucsb.edu) have?
What subnet does my address belong to? Who is the coordinator for this
- Who is the coordinator for the network that
morticia.cc.gatech.edu is on?
- Who is the coordinator for the e-mail network at Microsoft, and
what is his e-mail address? Include information about the steps you took
and the results of the queries you made to figure out this information.
- Ever send mail to firstname.lastname@example.org? Tell me
something about the White House e-mail network. Also, how is the network
address for this particular network different from the other networks?
- You may again work in groups of 2. Turn in one
hard copy of the assignment with both names (NOTE: This
second part is different from HW1 where I asked each group member to
turn in an assignment.)
- For this assignment you are turning in a hard copy only.
There will be no soft copy to turn in.
- Assignments will be graded using the following point distribution:
- Part 1: 50 points
- Part 2 (arp): 10 points
- Part 2 (traceroute): 10 points
- Part 2 (netstat): 10 points
- Part 2 (nslookup): 10 points
- Part 2 (whois): 10 points