Midterm, CIS 456, April 07, 2006. 6:00 - 7:15. Dr Ott.
Use the paper provided. Leave a margin. Name on every sheet.

1. Draw, in detail, the header of a TCP packet without options. Explain all fields. Give the sizes of all fields. Where relevant, give the units the field is expressed in.

2. The following is a line of output from a tcpdump session, edited and broken into 4 lines for readability. Explain the meaning of every field. Is this packet part of a handshake? What application is being served by this packet? Is the client the sender or the destination? BRIEFLY explain. (Just enough to convince me you understand and are not just guessing.)

   14:40:12.129786 0:2:b3:cd:cc:d 0:e0:81:28:c2:cb 0800 74:
   10.14.0.1.34562 > 64.233.161.104.80: S [tcp sum ok]
   2275654207:2275654207(0) win 5840
   (DF) (ttl 63, id 1216, len 60)

Model solution:

14:40:12.129786
   tcpdump timestamp, i.e. the time tcpdump saw the frame, as hours:minutes:seconds.microseconds.
0:2:b3:cd:cc:d
   Source physical (ethernet) address. (This is NOT the physical address of the computer the IP packet originated at!)
0:e0:81:28:c2:cb
   Destination physical (ethernet) address.
0800
   Ethertype. I.e., the packet inside this ethernet frame is an IP packet.
74
   Frame size: size of the ethernet frame, excluding preamble and CRC.
10.14.0.1.34562
   Source IP address plus port number.
64.233.161.104.80
   Destination IP address plus port number. So this is an "http" or "www" packet. The source host is the client (high port number) and the destination is the server.
S [tcp sum ok]
   The IP packet contains a TCP segment, the TCP checksum is OK, and the TCP segment has its SYN flag set. So it is part of an initial handshake.
2275654207:2275654207(0)
   The sequence number in the TCP header is 2275654207, and there are no (TCP) data Bytes.
win 5840
   The advertised window is 5840 Bytes.
mss 1460
   (TCP option) The sender wants an MSS of (at most) 1460 Bytes.
sackOK
   (TCP option) The sender understands SACK.
timestamp 17022719 0
   (TCP option) The sender understands TCP timestamps and sends a TSValue of 17022719. The TSEcho is 0: this segment must be an "original SYN". (Which we also noticed when there was no Ack_Seq number.)
nop
   (TCP option) No-Op.
wscale 4
   (TCP option) The sender understands window scaling, and if the other side also understands window scaling the sender will use a window scale factor of 4.
(DF)
   The IP header has the "do not fragment" bit set.
ttl 63
   The TTL field in the IP header contains the number 63.
id 1216
   The Identification number in the IP header is 1216.
len 60
   The TL (Total Length) of the IP packet is 60 Bytes. Please note that this agrees with the length of the ethernet frame: 60 + 14 = 74, and 6 + 6 + 2 = 14.

Some people forgot to answer the specific questions I asked: This packet "is" (or contains) a TCP segment which is the original SYN in an initial (three-way) handshake. It is an http (or www) packet. The source is the client and the destination is the server.

3. The following is the representation, from a tcpdump session, of the first "so many" bytes of a packet, in hexadecimal. I sneakily removed the "text" part of the output and only kept the hexadecimal representation.

   45c0 0030 0000 0000 0211 370a 80eb 2006
   e000 0002 07c1 07c1 001c 7986 0000 0803
   0a82 0100 6e6a 6974 3138 3831 80eb 2001

What kind of packet is this? (IPv4, IPv6, ARP, RARP, ICMP, TCP, UDP, Unicast, Multicast, Broadcast, etc.) BRIEFLY explain. Compute and give: IP Total Length, More bit, DF bit, TTL, Prot, Source IP address, Destination IP address, Source Port, Dest Port. What application is being served by this packet? Is this the whole packet or only part of it?

Model solution:

4: Version. This must be an IPv4 packet.
5: Header Length. So the IPv4 header has 4x5 = 20 Bytes: no options.
c0: DSCP field. If you say ToS field that is OK. (That is enough. If you insist: c0 = 1100 0000, so the precedence bits are 110 = 6. So "high priority".)
0030: TL, thus 3x16 = 48.
The Total Length of this packet is 48 Bytes.
0000: Identifier.
0000: FragFlags and FragOffset. All zero. Hence DF = 0 and M = 0.
02: TTL. The TTL = 2. (This seems like a very low number, but actually makes sense given it is multicast etc.)
11: Prot. The Prot is 16 + 1 = 17: The IP packet contains a UDP packet.
370a: IP checksum. We do not care.
80eb 2006: Source IP address. (8x16).(14x16 + 11).(2x16).(6) = 128.235.32.6
e000 0002: Dest IP address. (14x16).(0).(0).2 = 224.0.0.2 . This is a multicast address. I looked it up: All Routers this subnet. (IANA)

This is the end of the IPv4 header. Now the UDP header:

07c1: Source Port. 7x256 + 12x16 + 1 = 1985. In the information given to you it says: port 1985 is the "Hot Standby Router Protocol".
07c1: Dest Port. Also port 1985.

More is not needed. This is an IPv4 Multicast packet. The destination address (not asked) is "to all Routers this subnet". It contains a UDP packet with both port numbers equal: 1985, that is the "Hot Standby Router Protocol". DF = M = 0. The Total Length is 48 Bytes, and we see 3x16 = 48 Bytes, so we see the whole packet.

4. A network has address 128.235.64.0/20 . For each of the following addresses, tell whether it can be: address of an interface on the network / source address of a packet in the network / destination address of a packet in the network. With a BRIEF but convincing explanation.

Model solution:

128.235.64.0/20 = 1000 0000 . 1110 1011 . 0100 twiggle 0000 . 0000 0000 (the twiggle marks the /20 network/host boundary)

a. 128.235.64.0   n/n/n   This is the network address. Yes, Comer p 44 says that the network address can be used as a surrogate for directed broadcast (n/n/y), but in class I said I did not want that. It is "against the rules".
b. 128.235.64.1   y/y/y   Perfectly legal (lowest possible) interface address in this LAN.
c. 128.135.63.255   n/y/y   Could be a legal interface address in some other LAN.
d. 10.0.1.2   n/n/n   Private address.
e. 128.235.79.254   y/y/y   70.254 = 1000 twiggle 1111 . 1111 1110 . This is a perfectly legal (highest possible) interface address in this LAN.
f. 0.0.0.0   n/y/n   The "I am stupid" source address. (Formally: "THIS host on THIS network".)
g. 128.235.79.255   n/n/y   The "directed broadcast" address. See e above.
h. 224.0.0.1   n/n/y   A multicast address. This one happens to be the "all systems this LAN" address.
i. 127.234.63.1   n/n/n   Loopback address.
j. 255.255.255.255   n/n/y   The "limited broadcast" address.

Grade distribution (perfect = 100): 92, 86, 80, 75, 74, 67, 66, 62, 61, 58, 51, 46, 43.

Observation: I gave as homework: Do the homework in the TCPdump tutorial. Will not be graded, but similar questions will be asked in the midterm. Some students believed me. Some did not. Next time, better believe me.