Assignment Overview

• Use snoop to examine a packet trace
• Use traceroute, arp, netstat, whois, nslookup

Assignment Part 1 Details

A note about grading: a key to a good grade will be your ability to communicate that you understand most everything about the packet trace. This implies, as usual, a clear, concise write-up! The questions below are designed to help you find the most interesting aspects of the trace, but they are by no means exhaustive. There will be other interesting results that you should find.

Your write-up for this part of the assignment can take any form you like. The most straightforward is to simply answer each question though I would strongly recommend against this. The reason is that the questions are purposely haphazard. My suggestion is to first answer the questions, understand what is going on in the trace, and then create a description of the session filling in the details when appropriate. Here are the sample questions:

• How many total packets are in the trace file?
• What protocols (at each layer of the Internet stack) are seen at least once somewhere in the trace?
• What are the contents and function of each packet (you can summarize series of packets that work to accomplish some high level function but be sure to include a sufficient amount of detail)?
• What is the Ethernet address and host name of the sender and receiver?
• What is the IP address and host name of the sender and receiver? What port numbers do you also see? How were the particular numbers chosen?
• Is there any additional information about network agents other than the source and destination? If yes, describe what information is available.
• How well does the Internet protocol stack adhere to the principles of layering and abstraction? In other words, is there any information in a particular layer of the protocol stack which is affected by the type of protocol above or below it.
• What is the Ethernet packet type and what does it mean?
• What different IP packet types can be seen what does each mean?
• Which packets are fragments and which are not?
• Why would some packets have the ``Don't fragment" bit set?
• How many checksums are there in each packet? What is the reason for this number?
• What are the ranges of sequence numbers?
• What are the ranges of acknowledgment numbers?
• What is the window size? Does it ever change? How is it chosen?
• Why the difference in the TTL values? If there was suddenly a change in the reported TTL, what would that be an indicator of?
• This packet trace is full of surprises, especially for someone who has never looked at a packet trace in detail before. List a few observations that were surprising to you including details of the observation and why it was particularly noteworthy.

Assignment Part 2 Details

• arp
  • What is the arp table for your local machine. Include a printout.

  • What is the option to manually add entries to the arp table? Create a hypothetical new table entry. What would the command look like to add this entry? What happens when you try to add an entry to the arp table? Why do you suppose you get the result that you do?

  • Determine a mechanism, by whatever ``legal'' means possible to have additional host entries appear in the arp table. Use this mechanism to add at least one new host to the arp table and include a printout that is different from Part (A).

  • Arp cache entries obviously timeout after some amount of time. How could you figure out what the timeout value actually is? (Anyone care to figure out what the actual value is?)

• traceroute
  • Explain in detail how traceroute works.

  • Perform a traceroute from your machine to ftp.ietf.org. Include a copy of the output and explain what happened including a description of what each of the fields means.

  • What happens if you traceroute to a non-existent machine? Include a copy of the traceroute. How do you know the machine that you traced to was non-existent instead of just down or not responding? If you traceroute to another non-existent machine, how are the results similar/different?

• netstat
  • What is netstat and what is it used for?

  • How is netstat -p different from arp -a?

  • What parameters should you use to show all the TCP connections established? Include a printout of this list.

  • What does netstat -r show? What is noteworthy about the output?

  • Netstat is useful for a variety of reasons. Several have already been described. Describe something else you can do with netstat by listing a set of netstat parameters, the type of information netstat returns given these parameters, and how this information is useful.

• nslookup
  • What is the IP address for the machine lennon.cc.gatech.edu?

  • What local machine is this information coming from? Why is it coming from this machine?

  • Here is the problem: I want to find the IP address of where my email to friend@aol.com goes. What happens when I do an nslookup of aol.com?

  • What you really need to do is find the ``mail exchanger'' for aol.com. There is an option in nslookup that tells you what the mail exchanger is for aol.com. Figure out the exact syntax of the format of this command, and execute it. Now what is the IP address of where my email to friend@aol.com goes?

• whois
  • What class of IP address is my machine (jackson.cs.ucsb.edu)? What subnet does my address belong to? Who is the coordinator for this network?

  • Who is the coordinator for the network that morticia.cc.gatech.edu is on?

  • Who is the coordinator for the e-mail network at Microsoft, and what is his e-mail address? Include information about the steps you took and the results of the queries you made to figure out this information.

  • Ever send mail to president@whitehouse.gov? Tell me something about the White House e-mail network? Also, how is the network address for this particular network different from the other networks?