【Wireshark Lab v8.0】Lab6：IP

以下实验步骤均来自实验指导手册。

实验指导手册下载地址：Jim Kurose Homepage (umass.edu)

1.Capturing packets from an execution of traceroute

由于traceroute不允许更改ICMP echo报文的大小，所以我们使用pingplotter，软件如下

2.A look at the captured trace

1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol part of the packet in the packet details window.What is the IP address of your computer?

   

2. Within the IP packet header, what is the value in the upper layer protocol field?

   

3. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain how you determined the number of payload bytes.

   

4. Has this IP datagram been fragmented? Explain how you determined whether or not the datagram has been fragmented.

   

5. Which fields in the IP datagram always change from one datagram to the next within this series of ICMP messages sent by your computer?

   

   

6. Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why?

   The fields that must stay constant are:

   Version (since we are using IPv4),

   header length (since these are UDP packets),

   source IP (since all packets are sent from my computer),

   destination IP (since we are sending to the same host),

   Differentiated Services (since all packets are UDP),

   Upper Layer Protocol (since these are UDP packets)

   The fields that must change are:

   Identification (IP packets have different ids),

   Time to live (traceroute increments each packet),

   Header checksum (since header changes)

7. Describe the pattern you see in the values in the Identification field of the IP datagram

   

Next (with the packets still sorted by source address) find the series of ICMP TTL exceeded replies sent to your computer by the nearest (first hop) router.

8. What is the value in the Identification field and the TTL field?

   

9. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your computer by the nearest (first hop) router? Why?

   The values of identification field changes for all the ICMP TTL‐exceeded replies since the identification field is a unique value. If two or more IP datagrams have the same identification value, then it means that these IP datagrams are fragments of a single large IP datagram.

   The TTL field was unchanged since the TTL for the nearest router is always the same

Fragmentation

10. Find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 2000. Has that message been fragmented across more than one IP datagram? [Note: if you find your packet has not been fragmented, you should download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the ip ethereal-trace-1packet trace. If your computer has an Ethernet interface, a packet size of 2000 should cause fragmentation.3] (待补充)

    

11. Print out the first fragment of the fragmented IP datagram. What information in the IP header indicates that the datagram been fragmented? What information in the IP header indicates whether this is the first fragment versus a latter fragment? How long is this IP datagram?（待补充）

    More fragments被设置为 Set

    Fragment Offset值为0

    

12. Print out the second fragment of the fragmented IP datagram. What information in the IP header indicates that this is not the first datagram fragment? Are the more fragments? How can you tell?（待补充）

13. What fields change in the IP header between the first and second fragment?

    Fragment off

Now find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 3500.（待补充）

14. How many fragments were created from the original datagram?

15. What fields change in the IP header among the fragments?