Wireshark Lab : ICMP

cbv1234
Asked: Jul 2nd, 2018

Question Description

Download the project document and follow the instructions to complete the requirements.

You are required to submit a single file in either word or pdf form. Answer all the questions, providing the appropriate screenshots where asked.

Unformatted Attachment Preview

Wireshark Lab 2 : ICMP
CNT 5004 (Spring 2015)
Prof. Nasir Ghani
Reference: Computer Networks: A Top-Down Approach (Kurose & Ross)

This lab will explore several aspects of the ICMP protocol, including
• ICMP messages generated by the Ping program
• ICMP messages generated by the Traceroute program
• The format and contents of an ICMP message

This lab is presented within the context of the Microsoft Windows operating system. Review the introduction to Wireshark slides in Module 5 if you are using it for the first time. The related slides on ICMP (including ping and traceroute) should also be reviewed.

1. ICMP and Ping

The first part focuses on capturing packets generated by the Ping program. Recall that the Ping program is a simple tool that allows anyone (for example, a network administrator) to verify whether a host is live or not. The program on the source host sends a packet to the target IP address; if the target is live, the Ping program on the target host responds by sending a packet back to the source host. Both of these Ping packets are ICMP packets. Complete the following steps:
• Open the Windows Command Prompt application (found in the Accessories folder).
• Start the Wireshark packet sniffer, and begin Wireshark packet capture.
• The Ping command is located in c:/windows/system32, so enter “ping -n 10 hostname” or “c:/windows/system32/ping -n 10 hostname” in the command line (no quotations), where hostname is a host on another continent. For example, you can enter www.ust.hk for the web server at the Hong Kong University of Science and Technology. In this case, the argument “-n 10” indicates that 10 ping messages are to be sent. Press return to run the Ping program.
• When the Ping program terminates, stop packet capture in Wireshark.

At the end of the experiment, the Command Prompt window should look like the sample shown in Figure 1. In this particular case, the source Ping program is in Massachusetts and the destination Ping program is in Hong Kong. From this window one can see that the source Ping program sent 10 query packets and received 10 responses. Note also that for each response, the source calculates the round-trip time (RTT), which for the 10 packets is on average 375 msec.

Figure 1: Command Prompt window after entering Ping command

Next, Figure 2 shows a screenshot of the Wireshark output after “icmp” has been entered into the filter display window. Note that the packet listing shows 20 packets, i.e., the 10 Ping queries sent by the source and the 10 Ping responses received by the source. Also note that the source IP address is private (behind a NAT) with IP address 192.168/12. Meanwhile, the destination’s IP address is that of the web server at HKUST. A zoom-in of the contents of the first packet (sent by the client) is also shown in Figure 2. It is seen that the IP datagram within this packet has protocol number 01, which is the protocol number for ICMP. This means that the payload of the IP datagram is an ICMP packet.

Figure 2: Wireshark output for Ping program with Internet Protocol expanded

Meanwhile, Figure 3 focuses on the same ICMP packet but presents an expanded view of the related protocol information in the packet contents window. Observe that this ICMP packet is of Type 8 and Code 0, i.e., an ICMP “echo request” packet. Also note that this ICMP packet contains a checksum, an identifier, and a packet sequence number.

Figure 3: Wireshark capture of ping packet with ICMP packet expanded

What to Hand In

For this part of the lab, you should hand in a screenshot similar to Figure 1 and answer the following questions. Whenever possible, please include an output listing of the packet(s) within the trace that were used to answer the question asked (and annotate appropriately to explain your answer). To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and then select the minimum amount of packet detail that you need to answer the question. The output can be sent to a PDF writer.

Answer the following questions
1) What is the IP address of your host? What is the IP address of the destination host?
2) Why is it that an ICMP packet does not have source and destination port numbers?
3) Examine one of the ping request packets sent by your host. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields?
4) Examine the corresponding ping reply packet. What are the ICMP type and code numbers? What other fields does this ICMP packet have? How many bytes are the checksum, sequence number and identifier fields?

2. ICMP and Traceroute

The next part focuses on using the Traceroute program to resolve the path a packet takes from source to destination. Carefully note that Traceroute is implemented in different ways in the Unix/Linux, MacOS, and Windows operating systems. Namely, in Unix/Linux the source sends a series of UDP packets to the target destination using an unlikely destination port number, while in Windows the source sends a series of ICMP packets to the target destination. For both operating systems, the program sends the first packet with a time-to-live field TTL=1, the second packet with TTL=2, and so on. All path routers decrement these TTL values, and when an arriving packet has TTL=1, the router sends an ICMP error packet back to the source. The following steps use the Windows tracert program. Note that a shareware version of a much-improved Windows Traceroute program, pingplotter, is also available at www.pingplotter.com. This latter program is used here as it provides additional needed functionality. Complete the following steps:
• Open the Windows Command Prompt application (found in the Accessories folder).
• Start the Wireshark packet sniffer, and begin Wireshark packet capture.
• The tracert command is in c:/windows/system32, so type either “tracert hostname” or “c:/windows/system32/tracert hostname” in the command line (no quotation marks), where hostname is a host on another continent.
• When the Traceroute program terminates, stop packet capture in Wireshark.

At the end of the experiment, the Command Prompt window should look something like Figure 4. In this figure, the client Traceroute program is in Massachusetts and the target destination is in France. From this figure, it is seen that the source program sends three probe packets for each TTL value. Traceroute displays the RTTs for each of the probe packets, as well as the IP address (and possibly the name) of the router that returned the ICMP TTL-exceeded message. Meanwhile, Figure 5 displays the Wireshark window for an ICMP packet returned by a router. Note that this ICMP error packet contains many more fields than the Ping ICMP message.

Figure 4: Command Prompt window displays the results of the Traceroute program

Figure 5: Wireshark window of ICMP fields expanded for one ICMP error packet

What to Hand In

For this part of the lab, you should hand in a screenshot of the Command Prompt window and answer the following questions. Whenever possible, when answering a question below, you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question. The output can be sent to a PDF writer.

Answer the following questions
5) What is the IP address of your host? What is the IP address of the destination host?
6) If ICMP sent UDP packets instead (as in Unix/Linux), would the IP protocol number still be 01 for the probe packets? If not, what would it be?
7) Examine the ICMP echo packet in the screenshot. Is this different from the ICMP ping query packets in the first half of this lab? If yes, how so?
8) Examine the ICMP error packet in your screenshot. It has more fields than the ICMP echo packet. What is included in those fields?
9) Examine the last three ICMP packets received by the source host. How are these packets different from the ICMP error packets? Why are they different?
10) Within the tracert measurements, is there a link whose delay is significantly longer than the others? Referring to the screenshot in Figure 4, is there a link whose delay is significantly longer than the others? On the basis of the router names, can you guess the location of the two routers at the ends of this link?

Submission Guidelines

All submissions must be done on Canvas. You are required to submit a single file in either Word or PDF form. Answer all the questions, providing the appropriate screenshots where asked. Mention your name and student number at the top right of the page in the header.
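The two ICMP formats the lab has you inspect (the 8-byte echo request/reply header with its 2-byte checksum, identifier and sequence number, and the TTL-exceeded error that quotes the dropped datagram's IP header plus its first 8 bytes) can be built and decoded with the following Python, added here as an example and not part of the lab or of Wireshark. It goes one step beyond the Windows case by also quoting a Unix-style UDP probe, so the protocol field of the quoted IP header reads 1 for an ICMP probe and 17 for a UDP one. Addresses, identifier, sequence number and port numbers are constructed sample values.

```python
import struct

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11    # RFC 792 ICMP type values

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Echo request (type 8) or reply (type 0): type, code, checksum, id, seq, then data."""
    head = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(head + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data

def ipv4_header(proto: int, ttl: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (total length nominal, header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def build_time_exceeded(quoted_ip_header: bytes, quoted_first8: bytes) -> bytes:
    """Router's type 11 / code 0 error: 4 unused bytes, then the dropped datagram's IP header + 8 bytes."""
    body = b"\x00" * 4 + quoted_ip_header + quoted_first8
    csum = icmp_checksum(struct.pack("!BBH", TIME_EXCEEDED, 0, 0) + body)
    return struct.pack("!BBH", TIME_EXCEEDED, 0, csum) + body

def parse_icmp(msg: bytes) -> dict:
    """Decode the fields Wireshark shows for the ping and traceroute ICMP messages."""
    out = {"type": msg[0], "code": msg[1], "checksum_ok": icmp_checksum(msg) == 0}
    if msg[0] in (ECHO_REQUEST, ECHO_REPLY):
        out["identifier"], out["sequence"] = struct.unpack("!HH", msg[4:8])
        out["data_len"] = len(msg) - 8          # echo header is always 8 bytes
    elif msg[0] == TIME_EXCEEDED:
        inner = msg[8:]                         # the datagram the router dropped
        ihl = (inner[0] & 0x0F) * 4
        out["inner_ttl"], out["inner_protocol"] = inner[8], inner[9]
        out["inner_src"] = ".".join(str(b) for b in inner[12:16])
        out["inner_dst"] = ".".join(str(b) for b in inner[16:20])
        out["inner_first8"] = inner[ihl:ihl + 8]   # ICMP header (Windows) or UDP header (Unix) of the probe
    return out

# Constructed samples: a Windows-style ICMP echo probe and a Unix-style UDP probe, each quoted back by a router.
PROBE = build_echo(ECHO_REQUEST, 1, 3, b"abcdefghijklmnopqrstuvwabcdefghi")
WIN_ERR = build_time_exceeded(ipv4_header(1, 1, "192.168.1.2", "203.0.113.5"), PROBE[:8])
UDP_ERR = build_time_exceeded(ipv4_header(17, 1, "192.168.1.2", "203.0.113.5"),
                              struct.pack("!HHHH", 40000, 33434, 40, 0))  # UDP src/dst port, length, checksum
```

Applied to the ICMP layer's bytes from a real capture, the same parser reproduces the Type, Code and Checksum values Wireshark shows in Figures 3 and 5.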