CPSC 341 - ARP Lab work
Earl Rodd
In this lab work, I have supplied a Wireshark trace and the Linux console.
The console contains primarily "arp" and "ping" commands, which are similar
to their Windows counterparts. There is also an "ifconfig" command, similar to
Windows "ipconfig", and an "lpr" command, which prints a small file.
Answer the questions on this handout. To save writing, whenever a
question asks for the MAC address, just write the last byte of
the MAC. All the MAC addresses in this exercise have unique last bytes and
this saves a lot of tedious copying.
After the first question, if an IP address is requested and the prefix is
the local subnet, just answer with the host address part to save writing.
- What is the IP address of the machine on which I am working? ___________________
- What is the MAC address of the machine on which I am working?
____________________
- What is the local subnet address in CIDR form: ___________________
- The initial "arp" command shows one entry in the ARP table.
What would you suspect it is? Remember this is right after boot, so no
user-initiated activity has taken place. ________________________________________
- After the initial "ping" to 201, what MAC address is added to the
ARP table? _____________________
- Which frame number in the trace supplied this MAC address to the
ARP table? _____________________
- What machines will examine the content of Frame #1?
_____________________________________
- How many machines appear to respond to Frame #1? ______________
- After frame #3 (the "Ping" to 192.168.35.201), why don't we see the
host at 201 send an ARP to us to find out our MAC address?
_________________________________________________________
- Why are there no UDP or TCP headers in this trace? ____________________________________________________
Why do the frames other than ICMP have no IP headers?
_______________________________________
- Why is the "ping" response in Frame #4 so fast?
_______________________________________
- Was the ARP sequence in Frames 7/8 (and 5/6) a broadcast? _________________
- The ARP sequence in 5/6 shows a MAC in the format "QuantaCo_9c:78:A0"
and the sequence in 7/8 shows a MAC in the format "AsusteckC_88:8a:50".
Explain this format: ______________________________________________
__________________________________________________________
- The "ping" to 98.137.246.8 was done at about time 50 seconds.
The ARP command prior to this "ping" does not show an ARP entry for
this IP address. Does the Wireshark trace show an ARP prior to sending
the ICMP Echo for the ping? _______________________________________
Why or why not? _______________________________________________
- The "ping" in frame 9 goes to what MAC address? _____________________
What IP address does this correspond to? __________________________
What is this machine? ___________________________________
- Why is the ping RTT (84 ms) in frames 9/10 so much greater than the
first one in frames 3/4 (0.276 ms)?
________________________________________________________
- The "lpr" command to print a small file was done at about time 69
seconds. Given the ARP in frame #13, what is the IP address of the printer?
________________________________
What frame tells us the MAC address of the printer? _________________
What is the MAC address of the printer? __________________________
- Why don't we see the data being sent to the printer in the Wireshark
trace?
_______________________________________
- What is the manufacturer of the printer (or at least its NIC)?
________________________________
How did you determine this? ___________________________________
- BONUS: Can you think of what might be the cause of the ARP sequences in
frames 5/6, 7/8, and 11/12?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
- BONUS #2: Why don't we see the ARP reply to Frame #15?
____________________________________________________