UCCN1003 Data Communications and Networks
Lab 07: Introduction to Protocols in Packet Tracer
Instructions:
1. Read the “Introduction” section for the background
2. Perform all the lab exercises, starting with exercise 1
3. Follow all the steps.
4. Record the results in all italic bold actions.
5. Paste your screen captures on a Word Document and save it.
6. Answer all the questions in italic and in blanks based on the observation of the results.
7. Write your answer in the same Word Document.
8. Please follow the sequence of the exercises, and don’t skip any step.
9. There is an appendix for protocol reference towards the end of this lab.
Introduction to Protocol
In the networking and communications area, a protocol is the formal specification that defines
the procedures that must be followed when transmitting or receiving data. Protocols define the
format, timing, sequence, and error checking used on the network.
In plain English, the above means that if you have 2 or more devices (e.g. computers) which want
to communicate, then they need a common "Protocol" which is a set of rules that guide the
computers on how and when to talk to each other.
There are hundreds of protocols out there and it is impossible to put them all in the lab. Only
some of the more popular protocols have been included in this lab.
One thing which you should keep in mind is that as you move from the lower layers (Physical) to
the upper layers (Applications), more processing time is needed by the device that's dealing with
the protocol.
As there are a lot more network protocols around, you can read up on them and learn more about
them.
Exercise 1: Observation of ICMP and ARP
1. Set up the network according to the following figure. Make sure that Packet Tracer is in
“Simulation mode” (NOT “Realtime mode”) while you are constructing the network.
Just put in the IP addresses but don’t configure any route yet. All masks are /24.
2. Click on “Edit Filters”. Select only “ARP” and “ICMP”. If some of the bubbles are still
red in the network, click on “Auto Capture / Play” to let some time pass, so these
bubbles can turn green to indicate hardware connectivity.
3. Click on the following “envelope” icon, and then click it on PC1 and PC3 to simulate a
ping. Click on “Auto Capture / Play” and observe the “movements” of packets in the
form of “envelopes”.
4. When the simulation has finished, a dialog box pops out. Click on “View Previous
Events”. Double click on little square box of the first row of the “Event List” under
“info” (next to ICMP). The dialog box shown on the following right should pop out. Try
to get the “Event List” as shown in the following figure (with ICMP and ARP). Save the
network file as “lab7-1.pkt”.
5. Click on the “Outbound PDU Details” tab, and answer the following questions by
referring to the information in the “Outbound PDU Details” and appendix of this lab:
a. What is the source IP address?
_________________________________________________
b. What is the destination IP address?
_________________________________________________
c. What is the value of the protocol field in IP header?
_________________________________________________
d. What does this value of the protocol in part(c) mean?
_________________________________________________
e. What is the total length of the IP packet?
_________________________________________________
f. What is the value of the TYPE in the ICMP header?
_________________________________________________
g. What does the value of “TYPE” in the ICMP header mean?
_________________________________________________
6. In the second line of the “Event List”, an ARP has been issued. Again, double click on
the square box next to the ARP and click on the “Outbound PDU Details” tab. Answer
the following questions with the help of appendix:
a. Why does an ARP have to be issued?
_________________________________________________
b. What is the destination MAC address?
_________________________________________________
c. What is special about destination MAC address in part (b)?
_________________________________________________
d. What is the value of TYPE in the Ethernet header?
_________________________________________________
e. What does the value of TYPE in part (d) mean?
_________________________________________________
f. What is the value of Hardware Type of the ARP header and what does this value
indicate?
_________________________________________________
g. What is the value of Protocol Type of the ARP header and what does this value
indicate?
_________________________________________________
h. What is the value of HLEN of the ARP header and what does this value indicate?
_________________________________________________
i. What is the value of PLEN of the ARP header and what does this value indicate?
_________________________________________________
j. From the ARP header, which device’s MAC address is PC1 interested in?
_________________________________________________
7. Double click on the square box (under column “Info”) of the 4th line of the “Event List” in
which the ARP data has been sent from Switch0 to Router0. The left dialog box of the
following table should pop out. Click on the “Next Layer >>” and “Previous Layer <<”
in order to read the description of Layer 2 of both “In Layers” and “Out Layers”. (Note:
“In Layers” and “Inbound PDU Details” show the layers and frame information before
the device processes the frame. “Out Layers” and “Outbound PDU Details” show the layers
and frame information after the device (e.g. Router0) processes the frame.)
8. Now, click on “Inbound PDU Details” tab (Router0) and answer the following questions
with the help of appendix:
a. What is the value of the Opcode of the ARP header and what does it mean?
_________________________________________________
b. What is the source MAC address?
_________________________________________________
9. Now, click on “Outbound PDU Details” (Router0) tab and answer the following
questions with the help of appendix:
a. What is the new value of the Opcode of the ARP header and what does it mean?
_________________________________________________
b. Which device does the destination MAC address belong to?
_________________________________________________
c. There are similar MAC addresses in both the headers, which set of MAC
addresses (Ethernet header or ARP header) will Switch0 process?
_________________________________________________
d. When this “Outbound” frame reaches PC1, what is PC1 going to do with the
information contained in this frame? (Note: Double click on the square box of line
7 of “Event List”, the ARP frame at PC1. Click on “Next Layer >>” until the
“Layer 2” is highlighted with yellow shade. Read the description, the answer can
be found in the description.)
_________________________________________________
10. Double click on the square box of Line 8 (ICMP of PC1), then click on “Outbound PDU
Details”. Compare what you observe with the “Outbound PDU Details” of Line 1 of the
“Event List” (the first ICMP). What have you observed?
_________________________________________________
11. Double click square box (should be red in color) on the last line of the “Event List”
which is an ICMP in PC1, then click on the “Inbound PDU Details” tab. Answer the
following questions with the help of appendix of this lab.
a. What are the values of TYPE and CODE of the first ICMP header?
_________________________________________________
b. What does the combination of the two values mean?
_________________________________________________
12. Configure default routes for both Router0 and Router1. (Note: Do not switch back to
Realtime mode).
Router0(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.2
Router1(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.1
13. Now, save the network as “Lab7-2.pkt”.
14. Re-open the file “Lab7-2.pkt” again. After you see all the bubbles turn to green, switch to
“Simulation mode”. You should get what is shown in the following figure (Event List
with an ICMP and ARP).
15. Check the ARP table of Router0 and Router1 by typing the following command, and
record what you have observed.
Router0#show arp
Router1#show arp
16. Click on “Auto Capture / Play” button and observe the movements of the “envelope”.
When the simulation is finished, press “View Previous Events”. You should get an
“Event List” which is similar to the following figure.
17. Double click on the square box of the second-last line of the “Event List” (Router0, Router1,
ARP). Click on the “Inbound PDU Detail” tab. Answer the following questions:
a. What is the destination MAC Address?
_________________________________________________
b. What is the Target MAC Address?
_________________________________________________
c. What is the Target IP Address?
_________________________________________________
18. Check the ARP table of Router0 and Router1 again by typing the following command,
and record what you have observed. Compare this ARP table with the previous ARP
table (Ex1.15) that you have recorded.
Router0#show arp
Router1#show arp
19. Temporarily switch to “Realtime mode” and switch back to “Simulation mode”.
20. Click on “Auto Capture / Play”, you should get an “Event List” similar to the following
figure.
21. Double click on the square box of first ARP of the “Event List” (--, Router1, ARP). Click
on the “Inbound PDU Detail” tab. Answer the following questions:
a. What is the Target IP Address?
_________________________________________________
b. What is the source IP Address in ARP header?
_________________________________________________
22. Temporarily switch to “Realtime mode” and switch back to “Simulation mode”.
23. Click on “Auto Capture / Play”, you should get an “Event List” similar to the following
figure. ICMP should travel from PC1 to PC3 and back without any ARP.
24. Double click on the square box of the 7th ICMP of the “Event List” (Switch1, PC3, ICMP).
Click on the “Inbound PDU Detail” tab. Answer the following questions:
a. What is the value of TYPE in Ethernet header and what does it mean?
_________________________________________________
b. What is the TTL value of the IP header?
_________________________________________________
25. Double click on the square box of first ICMP of the “Event List” (--, PC1, ICMP). Click
on the “Inbound PDU Detail” tab. Answer the following questions:
a. Which device does the destination MAC address belong to?
_________________________________________________
b. What is the TTL value of the IP header?
_________________________________________________
26. Click on the “Outbound PDU Detail” tab. Answer the following questions:
a. Which device does the destination MAC address belong to?
_________________________________________________
b. What is the TTL value of the IP header?
_________________________________________________
c. What are the values of the TYPE and CODE in the ICMP header?
_________________________________________________
d. What does the combination of the two values mean?
_________________________________________________
27. Double click on the square box of last ICMP of the “Event List” (Switch0, PC1, ICMP).
Click on the “Inbound PDU Detail” tab. Answer the following questions:
a. Which device does the source MAC address belong to?
_________________________________________________
b. What is the TTL value of the IP header?
_________________________________________________
Exercise 2: Observation of ICMP of Trace Route
Trace route is a special case of ICMP, in which the first set of ICMP packets is ICMP request
with TTL=1. The second set of ICMP packets is ICMP request with TTL=2. The TTL value of
the IP header is being incremented by 1 until the ICMP hits the true destination. As the first set
of ICMP packets with TTL=1 reach the first router, the router will decrease the TTL by 1 (TTL =
1-1 = 0). When TTL=0, the router will drop the packet, and sends an ICMP error message back
to the sender. The second router will do the same thing to the second set of ICMP packets with
TTL= 2. With this process, a “route” (with all the gateway IP) is formed as the output of the
command prompt.
1. Open “Lab7-2.pkt” again. While you are waiting for all the bubbles to turn green (in
Realtime mode), click on the entry in the bottom right corner and then click on “Delete”,
as indicated in the following figure.
2. Use PC1 to ping PC3 in “Realtime mode” (command prompt). This is to make sure PC1
can successfully ping PC3 with the ARP tables properly built.
3. Click on “Simulation mode”. In command prompt of PC1, type “tracert 192.168.5.2”.
You should have a similar screen as the following figure. After that click on “Auto
Capture / Play”. The whole event will take a while. At the same time, observe the
movement of the envelopes together with the output at the command prompt. At the end
of the simulation, click on “View Previous Events”. (If you count the entries of the
“Event List”, you should have around 75 entries.)
4. Double click on the square box of first ICMP of the “Event List” (--, PC1, ICMP). Click
on the “Outbound PDU Detail” tab. Answer the following questions:
a. What is the value of the TTL in IP header?
_________________________________________________
b. What are the source and destination IP addresses?
_________________________________________________
c. What are the values of TYPE and CODE of the ICMP header?
_________________________________________________
d. What does the combination of values in part (c) mean?
_________________________________________________
5. Double click on the square box of the 4th ICMP of the “Event List” (--, Router0, ICMP).
Click on the “Outbound PDU Detail” tab. Answer the following questions:
a. What is the value of the TTL in IP header?
_________________________________________________
b. What is the total length of the IP packet?
_________________________________________________
c. What are the source and destination IP addresses?
_________________________________________________
d. What are the values of TYPE and CODE of the ICMP header?
_________________________________________________
e. What does the combination of values in part (d) mean?
_________________________________________________
6. Double click on the square box of the 19th ICMP of the “Event List” (--, PC1, ICMP), the 1st
of the four squares with the same color after a group of three red squares, as indicated in the
figure. Click on the “Outbound PDU Detail” tab. Answer the following question:
a. What is the value of the TTL in IP header?
_________________________________________________
7. Double click on the square box of the 23rd ICMP of the “Event List” (--, Router1, ICMP).
Click on the “Outbound PDU Detail” tab. Answer the following questions:
a. What are the source and destination IP addresses?
_________________________________________________
b. Which device does the destination MAC address belong to?
_________________________________________________
8. Double click on the square box of the “11th to the last” ICMP of the “Event List” (--, PC1,
ICMP). “11th to the last” means counting 11 steps backward from the last line of ICMP.
Click on the “Outbound PDU Detail” tab. Answer the following question:
a. What is the value of the TTL in IP header?
_________________________________________________
9. Double click on the square box of the last ICMP of the “Event List” (Switch0, PC1,
ICMP). Click on the “Inbound PDU Detail” tab. Answer the following questions:
a. What is the value of the TTL in IP header?
_________________________________________________
b. What are the values of TYPE and CODE of the ICMP header?
_________________________________________________
c. What does the combination of values in part (b) mean?
_________________________________________________
Exercise 3: Observation of DHCP
There are four phases in the DHCP process: DHCP Discover, DHCP Offer, DHCP Request, and
DHCP Acknowledge.
1. Add an additional server with the IP according to the following figure. Do this in
“Simulation mode”.
2. Set the DHCP service according to the following figure.
3. Edit the Event List Filters to view the events of DHCP only, as shown in the following
figure. Then, save the network as “Lab7-3.pkt”.
4. Open “Lab7-3.pkt” again. Wait for all the bubbles to turn green and then switch to
“Simulation mode”.
5. Double click on PC3. Click on “Desktop” tab, then click on “IP Configuration”. Click on
“DHCP” as shown in the following figure. In the “Event List”, “DHCP” should show up.
6. Click on “Auto Capture / Play”, and observe the movement of envelopes. As usual, wait
until the simulation ends and click on “View Previous Events”.
7. Click on the 1st DHCP of the “Event List” (--, PC3, DHCP). Click on the “Outbound
PDU Details” tab. Answer the following questions:
a. What is the value of the destination MAC address?
_________________________________________________
b. What are the source and destination IP addresses?
_________________________________________________
c. What is the value of protocol field in IP header and what does it mean?
_________________________________________________
d. What are the source and destination ports?
_________________________________________________
e. What is the server address in the DHCP header?
_________________________________________________
f. What is the value of the Opcode in the DHCP header and what does it mean?
_________________________________________________
8. Click on the 6th DHCP of the “Event List” (Server0, Switch1, DHCP). Click on the
“Outbound PDU Details”. Answer the following questions:
a. What is the value of the destination MAC address?
_________________________________________________
b. What are the source and destination IP addresses?
_________________________________________________
c. What are the source and destination ports?
_________________________________________________
d. What is the server address in the DHCP header?
_________________________________________________
e. What is the value of the Opcode in the DHCP header and what does it mean?
_________________________________________________
9. Click on the 10th DHCP of the “Event List” (PC3, Switch1, DHCP). Click on the
“Outbound PDU Details”. Answer the following questions:
a. What is the value of the destination MAC address?
_________________________________________________
b. What are the source and destination IP addresses?
_________________________________________________
c. What are the source and destination ports?
_________________________________________________
d. What is the server address in the DHCP header?
_________________________________________________
e. What is the value of the Opcode in the DHCP header and what does it mean?
_________________________________________________
f. What is the value of the YOUR client address in the DHCP header?
_________________________________________________
10. Click on the last DHCP of the “Event List” (Switch1, PC3, DHCP). Click on the
“Inbound PDU Details”. Answer the following questions:
a. What is the value of the destination MAC address?
_________________________________________________
b. What are the source and destination IP addresses?
_________________________________________________
c. What are the source and destination ports?
_________________________________________________
d. What is the server address in the DHCP header?
_________________________________________________
e. What is the value of the Opcode in the DHCP header and what does it mean?
_________________________________________________
f. What is the value of the YOUR client address in the DHCP header?
_________________________________________________
Exercise 4: Observation of DNS
1. Configure the DNS service based on the following figure.
2. Switch to “Simulation mode”. Edit the Event List Filter to view only DNS.
3. Key in the DNS server IP in PC1 as indicated in the following figure.
4. Go to command prompt of PC1 and type in “nslookup abc.com”. The first DNS entry
should pop up in the “Event List”.
5. Click on “Auto Capture / Play”, and observe the movement of DNS envelope.
6. Refer only to the last line of DNS events. Answer the following questions:
a. What are the source and destination IP addresses (last DNS event)?
_________________________________________________
b. What are the source and destination ports?
_________________________________________________
c. What is the transport layer protocol of the DNS events?
_________________________________________________
d. What is the most important value of DNS query?
_________________________________________________
e. What is the most important value of DNS answer?
_________________________________________________
Appendix
ICMP (Internet Control Message Protocol) Header
ICMP messages generally contain information about routing difficulties with IP datagrams or
simple exchanges such as time-stamp or echo transactions.
The ICMP header structure is shown as follows (blue portion only):
Type and Code
Type Code Description
0 Echo reply.
3 Destination unreachable.
3 0 Network unreachable.
3 1 Host unreachable.
3 2 Protocol unreachable.
3 3 Port unreachable.
3 4 Fragmentation needed and DF set.
3 5 Source route failed.
4 Source quench.
5 Redirect.
5 0 Redirect datagrams for the network.
5 1 Redirect datagrams for the host.
5 2 Redirect datagrams for the type of service & network.
5 3 Redirect datagrams for the type of service & host.
8 Echo request
11 Time exceeded.
11 0 Time to live exceeded in transit.
11 1 Fragment reassemble time exceeded.
12 Parameter problem.
13 Timestamp.
14 Timestamp reply.
15 Information request.
16 Information reply.
Checksum
This field contains error checking data calculated from the ICMP header+data, with value 0 for
this field. When the checksum is computed, the checksum field should first be cleared to 0.
When the data packet is transmitted, the checksum is computed and inserted into this field. When
the data packet is received, the checksum is again computed and verified against the checksum
field. If the two checksums do not match then an error has occurred.
Identifier
An identifier to aid in matching requests/replies; may be zero. This field contains an ID value,
which should be returned in case of ECHO REPLY.
Sequence number
Sequence number to aid in matching requests/replies. This field contains a sequence value,
which should be returned in case of ECHO REPLY.
IP (Internet Protocol) Header
The Internet Protocol (IP) is the routing layer datagram service of the TCP/IP suite. All other
protocols within the TCP/IP suite, except ARP and RARP, use IP to route frames from host to
host. The IP frame header contains routing information and control information associated with
datagram delivery.
The IP header structure is as follows (blue portion only):
Version
Version field indicates the format of the Internet header.
Version Description
0 reserved
4 IPv4, Internet Protocol version 4
5 ST, ST Datagram Mode.
6 IPv6, Internet Protocol version 6
7 TP/IX, The Next Internet.
8 PIP, The P Internet Protocol.
IHL (Header Length)
Internet header length is the length of the Internet header in 32-bit words. Points to the beginning
of the data. The minimum value for a correct header is 5. Any value contained in the half-word
(4 bits) has to be multiplied by 4 in order to get the true value of header length (e.g. a value of 5
is 5*4=20 bytes).
Type of service
Indicates the quality of service desired. Networks may offer service precedence, meaning that
they accept traffic only above a certain precedence at times of high load. There is a three-way
trade-off between low delay, high reliability and high throughput.
Bits 0-2: Precedence
111 Network control.
110 Internetwork control.
101 CRITIC/ECP.
100 Flash override.
011 Flash.
010 Immediate.
001 Priority.
000 Routine.
Bit 3: Delay
0 Normal delay.
1 Low delay.
Bit 4: Throughput
0 Normal throughput.
1 High throughput.
Bit 5: Reliability
0 Normal reliability.
1 High reliability.
Bits 6-7: Reserved for future use.
Total length
Length of the datagram measured in bytes, including the Internet header and data. This field
allows the length of a datagram to be up to 65,535 bytes, although such long datagrams are
impractical for most hosts and networks.
Identification
Identifying value assigned by the sender to aid in assembling the fragments of a datagram.
Flags
3 bits. Control flags of fragmentation:
Bit 0 is reserved and must be zero
Bit 1: Don’t fragment bit:
0 May fragment.
1 Don’t fragment.
Bit 2: More fragments bit:
0 Last fragment.
1 More fragments.
Fragment offset
13 bits. Indicates where this fragment belongs in the datagram. The fragment offset is measured
in units of 8 bytes (64 bits). The first fragment has offset zero.
Time to live
Indicates the maximum time the datagram is allowed to remain in the Internet system. If this
field contains the value zero, the datagram must be destroyed. This field is modified in Internet
header processing. The time is measured in units of seconds. However, since every module that
processes a datagram must decrease the TTL by at least one (even if it processes the datagram in
less than 1 second), the TTL must be thought of only as an upper limit on the time a datagram
may exist. The intention is to cause undeliverable datagrams to be discarded and to bound the
maximum datagram lifetime.
Protocol
Indicates the next level protocol used in the data portion of the Internet datagram. The value
indicated in the following table is in decimal. The table only shows description of the first 48
values of this protocol field. For values between 49 and 255, please refer to:
http://www.networksorcery.com/enp/protocol/ip.htm#Protocol
Value Description/Protocol
0 HOPOPT, IPv6 Hop-by-Hop Option.
1 ICMP, Internet Control Message Protocol.
2 IGAP, IGMP for user Authentication Protocol.
IGMP, Internet Group Management Protocol.
RGMP, Router-port Group Management Protocol.
3 GGP, Gateway to Gateway Protocol.
4 IP in IP encapsulation.
5 ST, Internet Stream Protocol.
6 TCP, Transmission Control Protocol.
7 UCL, CBT.
8 EGP, Exterior Gateway Protocol.
9 IGRP, Interior Gateway Routing Protocol.
10 BBN RCC Monitoring.
11 NVP, Network Voice Protocol.
12 PUP.
13 ARGUS.
14 EMCON, Emission Control Protocol.
15 XNET, Cross Net Debugger.
16 Chaos.
17 UDP, User Datagram Protocol.
18 TMux, Transport Multiplexing Protocol.
19 DCN Measurement Subsystems.
20 HMP, Host Monitoring Protocol.
21 Packet Radio Measurement.
22 XEROX NS IDP.
23 Trunk-1.
24 Trunk-2.
25 Leaf-1.
26 Leaf-2.
27 RDP, Reliable Data Protocol.
28 IRTP, Internet Reliable Transaction Protocol.
29 ISO Transport Protocol Class 4.
30 NETBLT, Network Block Transfer.
31 MFE Network Services Protocol.
32 MERIT Internodal Protocol.
33 DCCP, Datagram Congestion Control Protocol.
34 Third Party Connect Protocol.
35 IDPR, Inter-Domain Policy Routing Protocol.
36 XTP, Xpress Transfer Protocol.
37 Datagram Delivery Protocol.
38 IDPR, Control Message Transport Protocol.
39 TP++ Transport Protocol.
40 IL Transport Protocol.
41 IPv6 over IPv4.
42 SDRP, Source Demand Routing Protocol.
43 IPv6 Routing header.
44 IPv6 Fragment header.
45 IDRP, Inter-Domain Routing Protocol.
46 RSVP, Reservation Protocol.
47 GRE, General Routing Encapsulation.
48 DSR, Dynamic Source Routing Protocol.
Header checksum
A checksum on the header only. Since some header fields change, e.g., Time To Live, this is
recomputed and verified at each point that the Internet header is processed.
Source address / destination address
32 bits each. The values contain source IP address and destination IP address.
Data
Not included as header.
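Added example (not part of the original lab handout): the trace route behaviour described in Exercise 2, together with the Time to live, Header checksum and ICMP Checksum fields above, simulated in Python on real header bytes. The PC1 and Router0 LAN addresses, the reply TTL values and the probe payload are constructed for the example; only the forward path is simulated.

```python
import ipaddress
import struct

def internet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (used by IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"                      # pad to a multiple of two octets
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, ident: int, seq: int, data: bytes = b"") -> bytes:
    """ICMP message; the checksum is computed with its own field cleared to 0."""
    zeroed = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + data
    csum = internet_checksum(zeroed)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + data

def build_ipv4(src: str, dst: str, ttl: int, protocol: int, payload: bytes) -> bytes:
    """Version 4, IHL 5 (20-byte header), no fragmentation, followed by the payload."""
    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                           ttl, protocol, csum,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return header(internet_checksum(header(0))) + payload

def parse_ipv4(packet: bytes) -> dict:
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, protocol, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4               # IHL counts 32-bit words
    return {"ihl": ihl, "total_length": total_len, "ttl": ttl, "protocol": protocol,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            # Summing a header that includes a correct checksum yields 0.
            "checksum_ok": internet_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:]}

def router_forward(packet: bytes, router_ip: str):
    """Return ("forward", packet), ("reply", icmp_error) or ("drop", None)."""
    ip = parse_ipv4(packet)
    if not ip["checksum_ok"]:
        return "drop", None
    ttl = ip["ttl"] - 1
    if ttl <= 0:
        # Type 11 code 0: 4 unused bytes, then the dropped IP header + 8 data bytes.
        error = build_icmp(11, 0, 0, 0, packet[:ip["ihl"] + 8])
        return "reply", build_ipv4(router_ip, ip["src"], 255, 1, error)
    header = bytearray(packet[:ip["ihl"]])
    header[8] = ttl                          # TTL changed, so the checksum must be
    header[10:12] = b"\x00\x00"              # recomputed over the modified header
    header[10:12] = struct.pack("!H", internet_checksum(bytes(header)))
    return "forward", bytes(header) + ip["payload"]

def host_receive(packet: bytes, host_ip: str):
    """Destination host: answer a valid echo request (type 8) with an echo reply (type 0)."""
    ip = parse_ipv4(packet)
    icmp = ip["payload"]
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if ip["dst"] != host_ip or icmp_type != 8 or internet_checksum(icmp) != 0:
        return None
    # Identifier and sequence number are copied so the sender can match the reply.
    return build_ipv4(host_ip, ip["src"], 128, 1, build_icmp(0, 0, ident, seq, icmp[8:]))

def traceroute(src: str, dst: str, routers: list, max_hops: int = 30) -> list:
    """routers: router IPs in path order. Returns [(ttl, responder, (type, code)), ...]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        packet = build_ipv4(src, dst, ttl, 1, build_icmp(8, 0, 1, ttl, b"probe"))
        answer = None
        for router_ip in routers:
            action, result = router_forward(packet, router_ip)
            if action != "forward":
                answer = result              # ICMP error, or None if dropped
                break
            packet = result
        else:
            answer = host_receive(packet, dst)
        if answer is None:
            hops.append((ttl, "*", None))
            continue
        reply = parse_ipv4(answer)
        kind = (reply["payload"][0], reply["payload"][1])
        hops.append((ttl, reply["src"], kind))
        if kind == (0, 0):                   # echo reply: true destination reached
            break
    return hops

# Constructed topology: PC1 and Router0's LAN address are assumptions; 200.1.1.2 and
# 192.168.5.2 are the Router1 and PC3 addresses used in the lab's commands.
ROUTE = traceroute("192.168.1.2", "192.168.5.2", ["192.168.1.1", "200.1.1.2"])

if __name__ == "__main__":
    for ttl, responder, kind in ROUTE:
        print(ttl, responder, kind)
```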
ARP (Address Resolution Protocol) Header
TCP/IP uses the Address Resolution Protocol (ARP) and the Reverse Address Resolution
Protocol (RARP) to initialize the use of Internet addressing on an Ethernet or other network that
uses its own media access control (MAC). ARP allows a host to communicate with other hosts
when only the Internet address of its neighbors is known. Before using IP, the host sends a
broadcast ARP request containing the Internet address of the desired destination system.
The ARP/RARP header structure is shown in the illustration below.
Hardware type
Specifies a hardware interface type for which the sender requires a response.
Value Description/Protocol
0 reserved.
1 Ethernet
2 Experimental Ethernet.
3 Amateur Radio AX.25.
4 Proteon ProNET Token Ring.
5 Chaos.
6 IEEE 802.
7 ARCNET.
8 Hyperchannel.
9 Lanstar.
10 Autonet Short Address.
11 LocalTalk.
12 LocalNet (IBM PCNet or SYTEK LocalNET).
13 Ultra link.
14 SMDS.
15 Frame Relay.
16 ATM, Asynchronous Transmission Mode.
17 HDLC.
18 Fibre Channel.
19 ATM, Asynchronous Transmission Mode
20 Serial Line.
21 ATM, Asynchronous Transmission Mode.
22 MIL-STD-188-220.
23 Metricom.
24 IEEE 1394.1995.
25 MAPOS.
26 Twinaxial.
27 EUI-64.
28 HIPARP.
29 IP and ARP over ISO 7816-3.
30 ARPSec.
31 IPsec tunnel.
32 Infiniband.
33 CAI, TIA-102 Project 25 Common Air Interface.
34 Wiegand Interface.
35 Pure IP.
36 HW_EXP1
Protocol type
Specifies the type of high-level protocol address the sender has supplied.
Value Description/Protocol
0x800 IP
Hardware Address Length (HLen)
Hardware address length in bytes. (e.g. If this is Ethernet, the value should be 6)
Protocol Address Length (PLen)
Protocol address length in bytes. (e.g. If the protocol is IP, the value should be 4)
Operation or Opcode
The values and descriptions are as follows:
Value Description
1 ARP request.
2 ARP response.
3 RARP request.
4 RARP response.
5 Dynamic RARP request.
6 Dynamic RARP reply.
7 Dynamic RARP error.
8 InARP request.
9 InARP reply.
Sender hardware address
As the title indicates.
Sender protocol address
As the title indicates.
Target hardware address
As the title indicates.
Target protocol address
As the title indicates.
Ethernet Header
Ethernet is a widely used data communications network standard developed by DEC, Intel, and
Xerox. It uses a bus topology and CSMA/CD access method. The terms Ethernet and the IEEE
802.3 standard are often used interchangeably.
The Ethernet header structure is shown in the illustration below (blue portion only).
(without Preamble)
(with Preamble)
Preamble
The Preamble consists of bytes all of the form 10101010, and is used by the receiver to allow it
to establish bit synchronization. Preamble is only read and used by the NIC hardware. It has no
meaning for users, and Wireshark won’t show it.
Destination address
The destination MAC address to be sent to.
Source address
The MAC address of the sender.
Length/Type
In this field of Ethernet protocol, if the value is between 0x0000 and 0x05dc, the value means the
length of the Ethernet frame. If the value is above 0x6000, the value indicates the next layer
protocol contained inside the frame.
Type Description/Protocol
0x0000 to 0x05dc Length of the frame.
0x0600 XEROX NS IDP.
0x0660, 0x0661 DLOG.
0x0800 IP, Internet Protocol.
0x0801 X.75 Internet.
0x0802 NBS Internet.
0x0803 ECMA Internet.
0x0804 Chaosnet.
0x0805 X.25 Level 3.
0x0806 ARP, Address Resolution Protocol.
0x0807 XNS compatibility.
0x0808 Frame Relay ARP.
0x8035 DRARP, Dynamic RARP.
RARP, Reverse Address Resolution Protocol
0x80F3 AARP, AppleTalk Address Resolution Protocol.
0x8100 EAPS, Ethernet Automatic Protection Switching.
0x8137 IPX, Internet Packet Exchange.
0x814c SNMP, Simple Network Management Protocol.
0x86dd IPv6, Internet Protocol version 6.
0x8808 MPCP, Multi-Point Control Protocol.
0x880b PPP, Point-to-Point Protocol.
0x880c GSMP, General Switch Management Protocol.
0x8847 MPLS, Multi-Protocol Label Switching (unicast).
0x8848 MPLS, Multi-Protocol Label Switching (multicast).
0x8863 PPPoE, PPP Over Ethernet (Discovery Stage).
0x8864 PPPoE, PPP Over Ethernet (PPP Session Stage).
0x886f Network Load Balancing.
0x888e EAPOL, EAP over LAN.
0x88a2 AoE, ATA over Ethernet.
0x88ca TIPC, Transparent Inter Process Communication Protocol.
0x88bb LWAPP, Light Weight Access Point Protocol.
0x88cc LLDP, Link Layer Discovery Protocol.
0x88dc WSMP, WAVE Short Message Protocol.
Data unit + pad (not included as header)
The data itself.
Frame Check Sequence
This field contains the Frame Check Sequence (FCS) which is calculated using a Cyclic
Redundancy Check (CRC). The FCS allows Ethernet to detect errors in the Ethernet frame and
reject the frame if it appears damaged. Same as Preamble, the FCS is only read and used by NIC
hardware.
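Added example (not part of the original lab handout): a Python decoder for the Ethernet and ARP header fields listed in this appendix, with a consistency check between the two sets of MAC addresses that Exercise 1 asks about. All frames, MAC addresses and IP addresses are constructed for the example.

```python
import ipaddress
import struct

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x86DD: "IPv6"}   # subset of the table above
ARP_OPCODES = {1: "ARP request", 2: "ARP response", 3: "RARP request", 4: "RARP response"}

def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_raw(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header (type 0x0806) + ARP for Ethernet (HLEN 6) and IP (PLEN 4)."""
    ethernet = mac_raw(eth_dst) + mac_raw(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_raw(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_raw(tha) + ipaddress.IPv4Address(tpa).packed
    return ethernet + arp

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, when the type is 0x0806, the ARP header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": mac_text(dst), "eth_src": mac_text(src), "type": type_len}
    if type_len <= 0x05DC:                   # values up to 0x05dc are a length, not a type
        out["meaning"] = "length"
        return out
    out["meaning"] = ETHERTYPES.get(type_len, "unknown")
    if type_len != 0x0806:
        return out
    body = frame[14:]
    if len(body) < 8:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", body[:8])
    if len(body) < 8 + 2 * (hlen + plen):    # HLEN/PLEN decide where each address starts
        raise ValueError("ARP addresses shorter than HLEN/PLEN claim")
    fields, pos = [], 8
    for size in (hlen, plen, hlen, plen):
        fields.append(body[pos:pos + size])
        pos += size

    def proto(raw: bytes) -> str:            # dotted quad only when it really is IPv4
        return str(ipaddress.IPv4Address(raw)) if ptype == 0x0800 and plen == 4 else raw.hex()

    out["arp"] = {"htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen,
                  "opcode": opcode, "operation": ARP_OPCODES.get(opcode, "other"),
                  "sha": mac_text(fields[0]), "spa": proto(fields[1]),
                  "tha": mac_text(fields[2]), "tpa": proto(fields[3])}
    return out

def arp_findings(parsed: dict) -> list:
    """Consistency checks a capture reviewer can run on one decoded ARP frame."""
    arp, notes = parsed.get("arp"), []
    if arp is None:
        return notes
    if arp["htype"] == 1 and arp["hlen"] != 6:
        notes.append("hardware type is Ethernet but HLEN is not 6")
    if arp["ptype"] == 0x0800 and arp["plen"] != 4:
        notes.append("protocol type is IP but PLEN is not 4")
    if arp["sha"] != parsed["eth_src"]:
        notes.append("Ethernet source differs from ARP sender hardware address")
    return notes

# Constructed sample frames; all MAC and IP addresses here are made up for the example.
PC1, GW = "00:d0:ba:00:00:01", "00:d0:ba:00:00:fe"
REQUEST = build_arp_frame("ff:ff:ff:ff:ff:ff", PC1, 1, PC1, "192.168.1.2",
                          "00:00:00:00:00:00", "192.168.1.1")
REPLY = build_arp_frame(PC1, GW, 2, GW, "192.168.1.1", PC1, "192.168.1.2")
ODD_REPLY = build_arp_frame(PC1, GW, 2, "00:d0:ba:00:00:99", "192.168.1.1",
                            PC1, "192.168.1.2")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY, ODD_REPLY):
        decoded = parse_frame(frame)
        print(decoded["arp"]["operation"], decoded["arp"]["sha"], arp_findings(decoded))
```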
UDP (User Datagram Protocol) Header
The User Datagram Protocol (UDP) provides a simple, but unreliable message service for
transaction-oriented services. Each UDP header carries both a source port identifier and
destination port identifier, allowing high-level protocols to target specific applications and
services among hosts.
The UDP header structure is shown as follows:
Source port
Source port is an optional field. When used, it indicates the port of the sending process and may
be assumed to be the port to which a reply should be addressed in the absence of any other
information. If not used, a value of zero is inserted.
Destination port
Destination port has a meaning within the context of a particular Internet destination address.
Length
The length in octets of this user datagram, including this header and the data. The minimum
value of the length is eight.
Checksum
The 16-bit one’s complement of the one’s complement sum of a pseudo header of information
from the IP header, the UDP header and the data, padded with zero octets at the end (if necessary)
to make a multiple of two octets.
Data
UDP data field (not included as header).
DNS (Domain Name Server) Header
DHCP (Dynamic Host Configuration Protocol) Header
The Dynamic Host Configuration Protocol (DHCP) provides Internet hosts with configuration
parameters. DHCP is an extension of BOOTP. DHCP consists of two components: a protocol for
delivering host-specific configuration parameters from a DHCP server to a host and a
mechanism for allocation of network addresses to hosts.
The format of the header is shown in the following illustration:
Opcode
The message operation code. Messages can be either BOOTREQUEST or BOOTREPLY.
Value Description
1 DHCP Discover.
2 DHCP Offer
3 DHCP Request
5 DHCP Acknowledge
Hardware Type
The hardware type of DHCP is similar to hardware type of ARP.
Value Description/Protocol
0 reserved.
1 Ethernet
2 Experimental Ethernet.
3 Amateur Radio AX.25.
4 Proteon ProNET Token Ring.
5 Chaos.
6 IEEE 802.
7 ARCNET.
8 Hyperchannel.
9 Lanstar.
10 Autonet Short Address.
11 LocalTalk.
12 LocalNet (IBM PCNet or SYTEK LocalNET).
13 Ultra link.
14 SMDS.
15 Frame Relay.
16 ATM, Asynchronous Transmission Mode.
17 HDLC.
18 Fibre Channel.
19 ATM, Asynchronous Transmission Mode
20 Serial Line.
21 ATM, Asynchronous Transmission Mode.
22 MIL-STD-188-220.
23 Metricom.
24 IEEE 1394.1995.
25 MAPOS.
26 Twinaxial.
27 EUI-64.
28 HIPARP.
29 IP and ARP over ISO 7816-3.
30 ARPSec.
31 IPsec tunnel.
32 Infiniband.
33 CAI, TIA-102 Project 25 Common Air Interface.
34 Wiegand Interface.
35 Pure IP.
Hardware address length
The hardware address length (8 bits).
Hop count.
This field is used by relay agents.
Transaction ID.
A random number chosen by the client, used by the client and server to associate messages and
responses between a client and a server.
Number of seconds.
The elapsed time in seconds since the client began an address acquisition or renewal process.
Flags.
Only the first bit of this 16-bit field is used; it indicates broadcast.
Client IP address
32 bits.
Your IP address
32 bits.
Server IP address
32 bits.
Gateway IP address
32 bits.
Client hardware address
16 bytes.
Server host name
64 bytes.
Boot filename
128 bytes.