CS320 Networks Laboratory - Understanding Ethernet, IP, and ARP
Student Name:
Student Username:
Lab Session Attended:
Objective
In this lab you will learn about Ethernet in terms of its frame format and the protocol. You will see how Linux binds an IP layer on top of Ethernet (which is pretty much the same as how Windows does it) and how IP uses a protocol known as ARP (Address Resolution Protocol) to help it transport IP datagrams across Ethernet.
Layer 1 to 3
As you will have seen throughout the course the first three layers in the OSI model are shown in the figure below:
When running the Internet over an Ethernet network, Ethernet specifies how layers 1 and 2 operate, whilst IP (in conjunction with a number of other protocols) runs at layer 3. So although IP specifies the standard packet format (i.e. the IP datagram) and the protocol for communication across the Internet, when running IP over an Ethernet network all datagrams must be transported in Ethernet frames.
The first task in setting up IP over Ethernet is therefore to specify the relationship between the two. The command line tool that is used in Linux for doing this is called ifconfig.
ifconfig
ifconfig (which gets its name from interface configure) can be run directly from the command line as shown:
johnmcd@l4e-13:/$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:18:8B:19:F9:62
          inet addr:149.157.241.113  Bcast:149.157.241.255  Mask:255.255.255.0
          inet6 addr: fe80::218:8bff:fe19:f962/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23713 errors:2387 dropped:0 overruns:0 frame:0
          TX packets:13163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:2387 txqueuelen:1000
          RX bytes:5782678 (5.5 MiB)  TX bytes:2732538 (2.6 MiB)
          Interrupt:16
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1764 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1542580 (1.4 MiB)  TX bytes:1542580 (1.4 MiB)
As can be seen above, the output from ifconfig provides details on each of the interfaces configured on the machine, with the interface name shown in the left-hand column. The type of interface is shown in the Link encap field. The first interface is eth0 and is the Ethernet interface.
The second interface, lo, is known as a loopback device which is a software interface that simply relays all packets sent to it straight back to the machine. The purpose of this interface is to provide a means of testing network software even in the absence of a physical/hardware network interface. As can be seen from the output, the IP address (inet addr) of the loopback is 127.0.0.1.
- Try to connect to your own machine over the loopback using ssh. To do this you should specify the loopback IP address as the destination address. Provide the command that you used below:
Answer:_________________________________
The most important thing to realise here is that each interface has a unique IP address. So, for example, all datagrams destined for 149.157.241.113 will arrive via the eth0 interface.
- Have a closer look at the various other fields associated with your machine’s eth0 interface. Try to understand the meaning of each of these fields. To assist you in this you should read the following: http://www.faqs.org/docs/linux_network/x-087-2-iface.ifconfig.html
Answer each of the following:
- What is the maximum size IP datagram that can be carried by the Ethernet interface?
Answer:_______________________
- What is the Ethernet address of eth0?
Answer:_______________________
- What is the purpose of the metric field?
Answer:_______________________
- What is the purpose of the broadcast IP address and what is the address for your machine?
Answer:_______________________
Ethernet Addressing
As was discussed in lectures, and as can be seen above, Ethernet addresses consist of a 6-byte number. These numbers are assigned uniquely to vendors by the IEEE. The notation used in specifying Ethernet addresses is shown in the following example:
00:19:7E:DD:08:17
Note that sometimes a hyphen is used instead of a colon (i.e. 00-19-7E-DD-08-17). Also, note that each two-digit group is a hexadecimal number, ranging from 00 to FF.
To understand how to interpret these addresses you should read the following wikipedia page:
http://en.wikipedia.org/wiki/MAC_address
At the bottom of the above page you will find a link to the following webpage:
http://standards.ieee.org/regauth/oui/index.shtml
This page allows you to lookup the Organisationally Unique Identifier for a particular MAC address.
3. Using the above web page, find out the OUI of your Ethernet card. What is the company name of the vendor:
Answer:_______________________
Using Ethernet to transport IP datagrams
Now that you understand the system of binding the IP address of the local machine to the Ethernet address we will move onto looking at how IP transports a datagram using an Ethernet frame. To understand this process you should first review the section of the MAC layer notes on the Ethernet frame format (on the course website).
IEEE 802.3 vs. DIX/Ethernet II
Notice that two frame formats are defined. The first, the DIX format (also known as Ethernet II framing), specifies a type field, whilst the IEEE 802.3 format specifies a length field. The reason is that the DIX standard only specifies payload types which carry length information themselves (e.g. an IP datagram), so it is always possible to compute the length. The 802.3 standard moved away from this convention and did not require this of the payload packet. Instead 802.3 simply states that the size of the data (plus padding if needed) can range from 46-1500 bytes. Rather than computing the length by peering into the payload, the receiver gets the necessary information from the length field.
Aside: In fact there is another reason in that the IEEE 802.2 LLC protocol must run in conjunction with 802.3. The 802.2 fields which follow the 802.3 contain a similar type field and therefore would make any type field in the 802.3 frame redundant.
The important thing to note is that both types of frame can in fact exist on the same Ethernet network. This is possible for two reasons. Firstly, since all frames can carry a maximum of 1500 bytes, the highest value that an 802.3 frame can have in its length field is 05DC (which is 1500 in hexadecimal). Secondly, the DIX format specifies a list of numeric identifiers for the various formats that it can carry, none of which are within the range 0000-05DC. For example, all IPv4 datagrams are identified as type 0800, whilst ARP packets are of type 0806. So the convention for distinguishing between Ethernet frames is to treat all frames with the Type/Length field having a value below 0600 as 802.3 format, and those having a value greater than 0600 as DIX/Ethernet II format.
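The Type/Length convention above can be checked in a few lines of Python. This is an added example, not part of the original lab handout; the function names and the sample frames are constructed for illustration, and the code treats 0600 itself as a type value, which is how IEEE 802.3 assigns it.

```python
import struct

# The two DIX type values named in the text.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}

def fmt_mac(raw):
    """Render 6 raw bytes in the colon notation used in this lab."""
    return ":".join(f"{b:02X}" for b in raw)

def classify_frame(frame):
    """Decode the 14-byte header of a frame captured without preamble or FCS."""
    if len(frame) < 14:
        raise ValueError("truncated frame: the Ethernet header is 14 bytes")
    (type_len,) = struct.unpack("!H", frame[12:14])  # big-endian 16-bit field
    info = {"dst": fmt_mac(frame[0:6]), "src": fmt_mac(frame[6:12]),
            "type_len": f"{type_len:04X}"}
    if type_len <= 0x05DC:
        # 802.3: the field is a length, so anything beyond it is padding.
        info["format"] = "IEEE 802.3"
        info["data_bytes"] = type_len
        info["padding_bytes"] = max(len(frame) - 14 - type_len, 0)
    elif type_len >= 0x0600:
        # Ethernet II: the field names the payload protocol.
        info["format"] = "DIX/Ethernet II"
        info["payload"] = ETHERTYPES.get(type_len, "other")
    else:
        info["format"] = "undefined"  # 05DD-05FF is neither a length nor a type
    return info

# Constructed sample frames (addresses reuse the examples on this page).
HDR = "00197EDD0817" + "00188B19F962"            # destination, then source
IPV4_FRAME = bytes.fromhex(HDR + "0800") + bytes(46)
SHORT_8023 = bytes.fromhex(HDR + "0003") + b"abc" + bytes(43)  # 3 data + 43 pad

if __name__ == "__main__":
    for f in (IPV4_FRAME, SHORT_8023):
        print(classify_frame(f))
```

The short 802.3 frame shows why the length field matters: without it the receiver could not tell the 3 data bytes from the 43 bytes of padding.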
OK! So assuming it’s Ethernet II how does it carry an IP datagram?
When transporting an IP datagram over Ethernet, we can distinguish between two situations:
(i) the destination machine is on the local Ethernet segment, and,
(ii) the destination machine is not on the local Ethernet segment.
In the first case the datagram can be placed into an Ethernet frame with the destination Ethernet address set to the Ethernet address of the destination machine.
The second case is more difficult since, even if we know the destination machine’s Ethernet address, sending a frame with this destination address will not work because the frame can only traverse the local network. However IP is clever enough to know this since it can compare the destination IP address with its own network address. When it sees that it is outside the local area network it simply sends this datagram to the gateway. The gateway is a machine that is both on the local network and is connected to the external network (i.e. it can route traffic which needs to travel outside the LAN).
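The local-or-gateway decision described above, as an added example that is not part of the original handout. It goes a little further than the text by using a small routing table with longest-prefix matching, which is the general form of the comparison; the table is constructed, and the gateway address in it is a made-up placeholder, not the lab network's real gateway.

```python
import ipaddress

# Constructed routing table: (destination network, gateway, interface).
# A gateway of None means the network is directly connected.
# 149.157.241.254 is a placeholder gateway invented for this example.
ROUTES = [
    ("149.157.241.0/24", None, "eth0"),
    ("127.0.0.0/8", None, "lo"),
    ("0.0.0.0/0", "149.157.241.254", "eth0"),   # default route
]

def next_hop(dst, routes=ROUTES):
    """Return (ip_to_resolve, interface) for a destination IP address.

    ip_to_resolve is the machine whose Ethernet address the frame must
    carry: the destination itself on a directly connected network,
    otherwise the gateway of the most specific matching route.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net_text, gateway, iface in routes:
        net = ipaddress.ip_network(net_text)
        # Keep the matching route with the longest prefix (most specific).
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, gateway, iface = best
    return (gateway or str(dst_ip)), iface

if __name__ == "__main__":
    # A neighbour on the LAN, an external host, and the loopback address.
    for target in ("149.157.241.77", "8.8.8.8", "127.0.0.1"):
        print(target, "->", next_hop(target))
```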
4. Using the route command list the various networks of which IP is aware. Traffic which is destined to travel outside the LAN must be routed to the default route via the gateway. What is the IP address of this gateway?
Answer:_______________________
Capturing and Analysing Ethernet Traffic
In this section we will use Wireshark to capture live traffic from the network. The purpose of this will be to see IP working over Ethernet.
Complete the following steps:
- To start you will need to run Wireshark with super-user privileges. To do this use the following command (typing in your password when asked):
  sudo wireshark &
  Remember that the ampersand at the end of the command runs wireshark in the background, meaning that you immediately regain control of the terminal.
- Next find out the name of your neighbour’s machine and make a note of it.
- Start capturing traffic on the Ethernet interface by selecting the Capture->Interfaces menu and clicking the start button for eth0.
- Switch to the terminal and ssh to your neighbour’s machine, log in, and then log out.
- Now click the stop button in wireshark’s traffic capture window.
- In the main wireshark window you will see lots of packets, some of which are due to your ssh connection. Find the initial TCP connection request and highlight it.
- Expand the Ethernet II section in the detail window. Using the details shown answer the following questions:
5. What is the source address in the frame?
Answer:_______________________
6. Using ifconfig verify that this is the hardware address of your machine.
Answer: YES NO
7. What is the destination address in the frame?
Answer:_______________________
8. Is this the address of your neighbour’s machine? (You can find out by asking them.)
Answer: YES NO
9. Give the hexadecimal value of the type field.
Answer:_______________________
10. How does wireshark know that the frame is an Ethernet II frame as opposed to an 802.3 frame?
Answer:_______________________
Next you will perform the same packet capture but this time using firefox to connect to an external website.
Complete the following steps:
- Start up firefox and clear its cache by selecting Tools->Clear private data from the menu. This ensures that when you connect to a webpage it will not be able to get it from its local cache.
- Next start capturing the traffic on eth0 again, as you did in the previous set of steps. [Note: if a message box pops up you should select Continue without saving.]
- Now using firefox connect to an external website such as www.google.com.
- Once the page has been downloaded stop the traffic capture.
- Again, in the main wireshark window you will see lots of packets, some of which are due to firefox connecting to the website. Find the initial HTTP GET request and highlight it.
- Expand the IP details and answer the following questions.
11. What is the source IP address in the datagram?
Answer:_______________________
12. Using ifconfig verify that this is the IP address of your machine.
Answer: YES NO
13. What is the destination IP address in the datagram?
Answer:_______________________
14. Is this the IP address of the webserver? (You can find out by using the host command).
Answer: YES NO
- Expand the Ethernet II details and answer the following questions.
15. What is the source address in the frame?
Answer:_______________________
16. Using ifconfig verify that this is the hardware address of your machine.
Answer: YES NO
17. What is the destination address in the frame?
Answer:_______________________
18. Is this the hardware address of the webserver?
Answer: YES NO
19. If the answer to the previous question was NO, then to what machine does the hardware address belong?
Answer:_______________________
- Find the first response to the GET request and expand the IP datagram and Ethernet II frame details. Verify that the source and destination addresses in both the IP datagram and the Ethernet II frame are reversed.
Answer: YES NO
Address Resolution Protocol (ARP)
In the previous section we saw that, given the destination IP address, IP can figure out the IP address of the next machine in the chain of communication, i.e. either the destination machine itself or the gateway. However, we have not seen how IP finds out the Ethernet address of that next machine. To do this it must have a way of translating (or resolving) IP addresses to Ethernet addresses. The protocol it uses for this is the Address Resolution Protocol (ARP).
The ARP protocol typically maintains on your computer a cache of the IP-to-Ethernet address translation pairs that it has most recently resolved. The arp command (in both MSDOS and Linux/Unix) is used to view and manipulate the contents of this cache. Since the arp command and the ARP protocol have the same name, it’s understandably easy to confuse them. But keep in mind that they are different: the arp command is used to view and manipulate the ARP cache contents, while the ARP protocol defines the format and meaning of the messages sent and received, and defines the actions taken on message transmission and receipt.
20. Using the arp command on your machine, list the entries in the ARP cache on your machine. Cut-and-paste the list below.
Answer:
21. Is there an entry for your neighbour’s machine? Why?
Answer:
22. Is there an entry for the website you just connected to? Why?
Answer:
23. Using the arp command with the -d option, invalidate/delete the entry for your neighbour’s machine. Note that you should verify that the entry is deleted. Give the command below.
Answer:
Now once again carry out the full packet capture that you performed earlier when you ssh’d to your neighbour’s machine. Once you have logged out of your neighbour’s machine you should stop the packet capture.
In the captured traffic, find the first two ARP packets and answer the following questions:
24. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message? What type of address is the destination address?
Answer:
25. Download the ARP specification from the link on the course website. A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
Answer:
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made?
Answer:
c) Does the ARP message contain the IP address of the sender?
Answer:
d) Where in the ARP request does the “question” appear – the Ethernet address of the machine whose corresponding IP address is being queried?
Answer:
26. Now find the ARP reply that was sent in response to the ARP request.
a) How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?
Answer:
b) What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP response is made?
Answer:
c) Where in the ARP message does the “answer” to the earlier ARP request appear – the IP address of the machine having the Ethernet address whose corresponding IP address is being queried?
Answer:
27. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message?
Answer: