Here are some example questions for the midterms and final of CIS656.

Information you may need that I do not expect you to memorize is given. I am likely to give information you do not need.

Frame Types in Ethernet (Ether Types) (in hexadecimal):

    IPv4   0800
    IPv6   86DD
    ARP    0806
    RARP   8035

Protocol Identifiers in IPv4:

    ICMP      1
    IGMP      2
    IPv4      4
    TCP       6
    EGP       8
    UDP      17
    IPv6     41
    RSVP     46
    OSPFIGP  89

Next Header identifiers in IPv6:

The "next header identifier" in IPv6 points either at an extension header (see below) or at a "next protocol", e.g. IPv4, IPv6, TCP, UDP, etc. In the latter case, the "extension header" has the format of the protocol header in question (with the exception of Protocols 1 and 2), and the same identifier as under IPv4. Under IPv6 there is a new protocol ICMPv6 which combines functionalities of ICMP and IGMP. It has "next header identifier" 2 (?).

The "next protocol" always is the last in the sequence of "next headers". Its header has the format as we learned it. It is followed by "its" options and then "its" data.

Next Header - Next protocol (as above):

    IPv4   4
    TCP    6
    UDP   17
    IPv6  41

Next Header - Extension Header:

    Null:               59
    Hop-by-hop Option:   0
    Source Routing:     43
    Fragmentation:      44
    Authentication:     51

Version numbers:

    IPv4  4
    IPv6  6

In an ICMP Echo-request, the type is 8 and the code is 0.
In an ICMP Echo-response, the type is 0 and the code is 0.

In an ICMP Time-exceeded error reporting message, the type is 11. In this message, the code is 0 if a router reports that the TTL decreased to zero. The code is 1 if a (destination) host reports that some but not all fragments arrived, and the packet timed out.

IP Options:

You must know the EoO Option and the No-Op Option.
The Record-Route Option has code 7, Length and Pointer as needed.
The Strict Source Route Option has code 137, Length and Pointer as needed. (Be sure to understand strict source route as done in class!)
The Loose Source Route Option has code 131, Length and Pointer as needed.
The Time Stamp Option has code 68, Length and Pointer as needed, 4 Overflow bits, and 4 Flag bits.

TCP Options:

You must know the EoO Option and the No-Op Option.
The Maximum Segment Size Option has Code 2, Length 4.
The Window Scale Option has Code 3, Length 3.
The SACK-Permitted Option has code 4, length 2. (In Syn and Syn-Ack).
The SACK Option has code 5, length as needed (at least 10). (Later packets).
The Time Stamp Option has code 8, length as needed.

    Port Number   UDP/TCP   Protocol
    7             UDP/TCP   Echo
    20            UDP/TCP   FTP, Data
    21            UDP/TCP   FTP, Control
    23            UDP/TCP   TELNET
    80            UDP/TCP   HTTP ("Web Traffic")
    443           UDP/TCP   HTTPS (Secure HTTP)
    111           UDP/TCP   RPC
    119           UDP/TCP   NNTP (Network News Transfer Protocol)
    123           UDP/TCP   NTP (Network Time Protocol)
    179           TCP       BGP
    520           UDP       RIP (Border Gateway Protocol)

While often TCP and UDP both are "legal", often only one makes sense. (e.g. FTP, TELNET, HTTP, NNTP all need the reliability of TCP.)

An ethernet packet that carries (directly, no encapsulation in-between) an IP packet of which the destination address is an IP multicast address has as physical destination address one that starts with 1:0:5E: , and the 25-th bit always is zero.

---

Keep all your responses BRIEF and CONCISE !!

Checksums: Explain what it is for, and over what bytes it is computed (data only, or header only, or Pseudo-Header, or ...), whether it is voluntary or compulsory (and why), but do NOT explain HOW it is computed.

Typical questions:

1. Draw an ethernet packet and BRIEFLY describe the size, meaning, and use of all fields.

2. Draw the header of an IP packet without options, BRIEFLY describe the size, meaning and use of all fields.

3. Draw the header of an ICMP echo request and BRIEFLY describe the size, meaning, and use of all fields.

4. Draw the header of an ICMP error reporting message reporting a packet was dropped because the TTL expired. BRIEFLY explain the use of all fields.

5. Draw the header of a UDP packet and BRIEFLY describe size, meaning, and use of all fields.

6. ARP and RARP: I expect "passive" knowledge. For example: Suppose ARP is used to help find Physical Addresses in the case IPv4 over Ethernet. What is the Hardware Length? What is the Protocol Length? I will not ask to draw the header or enumerate the fields. But you must know meaning and function of the fields.

7. IPv6 has Version number 6, Protocol Identifier 41, and Frame Type (also called Ether Type) 86DD (in hexadecimal). Give examples of how each of these identifiers is used. BRIEFLY (!!) explain your answer.

8. (A) When the ARP software in a computer broadcasts an ARP request, does it use an IP broadcast address? If yes, which one? (B) Or does it use an address for a physical broadcast? (C) Or both? (D) Or neither? BRIEFLY explain your answer.

Harder question: Suppose that in question 8 your answer is "physical broadcast only". What additional information do you need to be able to find out the actual physical broadcast address? (Answer: you have to know the hardware type! You should not simply assume the hardware type is ethernet! *IF* it is ethernet, the physical broadcast address is 48 ones.)

9. Explain what the "10" and "2" and "5" and "T" mean in 10Base2, 10Base5, 10Base-T.

10. BRIEFLY explain the difference between a repeater and a bridge.

11. In the "classful" scheme, what is the class of 128.235.204.127? (Any address could be used!)

12. Describe the mask of the network (or subnetwork) 170.170.0.0/20.

13. Given a network address x.y.z.u/k, which of the following ... IP addresses are in that network?

14. Suppose you did not know that the Ether Type of IPv6 is 86DD (hex). How would you find out? Give enough detail that "anybody" can follow your directions. Hint for this Monday: Do it, and memorize the names of the URLs you use, items you click on, patterns you search for. This is one of the few cases where I encourage memorizing!

15. Given a specific packet, and an MTU, describe how the packet will be fragmented to satisfy the MTU. (I COULD be tricky and give you a packet with DF = 1).

16. Suppose we have an IPv6 packet inside an IPv4 packet, inside an ethernet packet. Give the Frame Type in the ethernet header, the version numbers in the IPv4 and IPv6 headers, and the protocol identifier in the IPv4 header.

17. Describe how a host gets the physical address of a different host on the same subnet, of which it knows the IP address.

18. Look at the following output:

    berman-41 ott>: ping -s ftp.nl.net 100 10
    PING ftp.nl.net: 100 data bytes
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=0. time=111. ms
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=1. time=108. ms
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=2. time=115. ms
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=3. time=88. ms
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=4. time=113. ms
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=5. time=120. ms
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=6. time=116. ms
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=7. time=102. ms
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=8. time=109. ms
    108 bytes from ftp0.svc.ops.eu.uu.net (195.129.111.8): icmp_seq=9. time=90. ms

    ----ftp.nl.net PING Statistics----
    10 packets transmitted, 10 packets received, 0% packet loss
    round-trip (ms) min/avg/max = 88/107/120

What is the meaning of the numbers 100 and 10 in the command line?

What is the meaning of the number 108 on the next lines?

Give another name for the computer ftp.nl.net.

What is the IP address of ftp0.svc.ops.eu.uu.net?

What is the size of the whole IP packets? (Include ICMP and IP headers, but exclude frame headers, because you do not know the hardware type: it probably is different on the multiple hops anyhow.)
Make a plausible guess for the distance from berman to ftp.nl.net in km. Assume there is no congestion (no queueing delay). (With that assumption your answer will be way off, it is the method that counts!) Show your reasoning. (c = 300,000 km/sec; for the speed of light in glass and for the speed of electrical signal in coax etc. take c x .7.) Do not confuse one way delay and round trip time! (factor 1/2).

19. Questions about nslookup, ping, traceroute.

20. Questions about encapsulation.

All questions above are good examples also for the second midterm. Some more examples:

21. Draw the header of a TCP packet without options. BRIEFLY describe the size, meaning, and use of all fields.

22. Suppose a TCP receiver is SACK competent and knows the sender also is SACK competent. Suppose this receiver receives a data packet, and after the data have been inserted the receive window contains the following bytes (sequence numbers). (description). Does the receiver include a SACK option in its next acknowledgement? If yes, describe the SACK Option sent.

23. Describe the functions of the ECT and CE flags in the IP header.

24. Describe the functions of the ECE and CWR flags in the TCP header.

25. What do Internet People mean when they talk about the "Silly Window Syndrome"? Is it good or bad? Why?

26. Describe "Nagle's Algorithm".

27. Describe "Delayed acknowledgements". Why are they used?

28. What is a Duplicate Acknowledgement? In TCP Reno (also in newReno), how many Duplicate Acknowledgments must a sender receive to cause it to re-transmit? In that case, what packet does it re-transmit?

29. In the network in the drawing given (for example the one now in Dr Ott's website), a host in network XI wants to send an IP packet to a host on network VI, and it wants to make sure the packet passes through exactly the routers R9, R12, R10, R1, R3. (And not for example R8, R1, R2). Is this legal? If yes: Describe the Strict Source Route IP Option attached to the IP header of this packet as it leaves the source host. Also: Describe the Strict Source Route IP Option attached to the IP header of this packet as it enters R1, and as it leaves R1. Instead of IP addresses, use S for the address of the source host, D for the address of the destination host, and the port names (e.g. A1, A27) for the addresses of the Router Interfaces.

30. Over what fields is the TCP checksum computed? Is use of this checksum voluntary or compulsory? Why?

31. Similar for the IP checksum, UDP checksum.

32. Describe the TCP three-way handshake for connection establishment.

33. Describe the TCP four-way handshake for connection termination.

34. Describe Karn's algorithm.

35. Give a way to estimate RTT for which at any point in time there is at most one "timed packet" outstanding.

36. Give a way to detect lost packets by a time-out mechanism for which at any point in time there is at most 1 time-out timer outstanding.

37. What does MSS stand for? What is it used for?

38. What does MTU stand for? What is it used for?

39. What is window scaling? What is it good for?

40. Is IP address 229.128.15.15 a multicast address? Why, or why not?

41. Suppose an ethernet packet carries an IP packet with the address 229.128.15.15 as destination address. If there is no other header in-between, what is the physical destination address of the ethernet packet?

42. In question 41, why is the correct response not ff:ff:ff:ff:ff:ff ?

43. Questions about tcpdump, nslookup, ping, traceroute are extremely likely.

44A. Describe the mask of the (sub-)network 128.128.128.0/20.

44B. Which of the following IP addresses is in that (sub-)network? For each, answer yes or no and give a brief explanation.

    (1) 128.129.128.10
    (2) 128.128.144.170
    (3) 128.128.129.160
    (4) 128.128.128.144

45. A host receives, on one of its ethernet ports, an ethernet packet with an IPv4 packet inside.
(i) How does the Data Link Layer in the host find out that the data in the ethernet packet must be handed over to the IPv4 software?
(ii) What does the IPv4 software do to check whether what it gets is indeed an IPv4 packet?

46. One of the (sub-)networks directly connected to router R is 170.170.16.0/20. That network has an MTU of 4464 bytes. There are no complications with host-specific routes.

(i) Describe what Router R does when it receives (on a different interface than that to 170.170.16.0/20) the packet:

    VERS = 4, HLEN = 5, ToS = 0, TL = 1500
    Ident = 21845, Flags = 0, FragOffset = 0
    TTL = 31, PROT = 17, CheckS = 0
    SourceAddr = 170.170.129.17
    DestAddr = 170.170.17.17

(Do not worry about checksums). If a packet, or packets, are sent out by Router R, describe the packet or packets. As long as it is CLEAR, a "differential description" is OK. (e.g., "the same, only now VERS = 6"). BRIEFLY motivate your answer.

(ii) Same question, now the input packet is

    VERS = 4, HLEN = 5, ToS = 0, TL = 5376
    Ident = 21845, Flags = 0, FragOffset = 0
    TTL = 31, PROT = 17, CheckS = 0
    SourceAddr = 170.170.129.17
    DestAddr = 170.170.17.17

(iii) Same question, now the input packet is

    VERS = 4, HLEN = 5, ToS = 0, TL = 5376
    Ident = 21845, Flags = 2, FragOffset = 0
    TTL = 31, PROT = 17, CheckS = 0
    SourceAddr = 170.170.129.17
    DestAddr = 170.170.17.17

(iv) Same question, now the input packet is

    VERS = 4, HLEN = 5, ToS = 0, TL = 5376
    Ident = 21845, Flags = 0, FragOffset = 0
    TTL = 1, PROT = 17, CheckS = 0
    SourceAddr = 170.170.129.17
    DestAddr = 170.170.17.17

(v) Can a router (legally) ever receive the packet

    VERS = 4, HLEN = 5, ToS = 0, TL = 4460
    Ident = 21845, Flags = 3, FragOffset = 0
    TTL = 1, PROT = 17, CheckS = 0
    SourceAddr = 170.170.129.17
    DestAddr = 170.170.17.17

Why? or Why not?
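The forwarding decision that question 46 asks about, as an added Python example that is not part of the original page. It assumes headers without options (HLEN = 5), the Flags encoding used in the question (2 = DF, 1 = MF), and a router that checks the TTL before it considers fragmenting; the names IPv4Header and forward are illustrative.

```python
# Added example (not from the original page): what a router does with the
# packets of question 46. Assumes no IP options (HLEN = 5).
import ipaddress
from dataclasses import dataclass, replace

DF, MF = 2, 1   # 3-bit Flags value as in the question: 2 = Don't Fragment, 1 = More Fragments

@dataclass(frozen=True)
class IPv4Header:          # illustrative name; fields follow the question's labels
    TL: int                # total length in bytes, header included
    Flags: int
    TTL: int
    DestAddr: str
    Ident: int = 21845
    FragOffset: int = 0    # counted in units of 8 bytes
    HLEN: int = 5          # header length in 32-bit words

def forward(pkt, network, mtu):
    """Return ("forward", [headers sent]) or ("drop", (ICMP type, ICMP code))."""
    if ipaddress.ip_address(pkt.DestAddr) not in ipaddress.ip_network(network):
        raise ValueError("destination is not on this directly connected network")
    if pkt.TTL <= 1:                       # TTL would reach zero at this router
        return "drop", (11, 0)             # Time-exceeded, code 0
    pkt = replace(pkt, TTL=pkt.TTL - 1)
    if pkt.TL <= mtu:                      # fits: forward with only the TTL changed
        return "forward", [pkt]
    if pkt.Flags & DF:                     # too big and not allowed to fragment
        return "drop", (3, 4)              # Destination unreachable, fragmentation needed
    header = pkt.HLEN * 4
    step = (mtu - header) // 8 * 8         # data per fragment must be a multiple of 8
    data, sent, frags = pkt.TL - header, 0, []
    while sent < data:
        chunk = min(step, data - sent)
        last = sent + chunk == data
        frags.append(replace(
            pkt,
            TL=header + chunk,
            Flags=pkt.Flags if last else pkt.Flags | MF,   # last fragment keeps the original MF
            FragOffset=pkt.FragOffset + sent // 8,
        ))
        sent += chunk
    return "forward", frags

if __name__ == "__main__":
    NET, MTU, DST = "170.170.16.0/20", 4464, "170.170.17.17"
    cases = {                              # TL, Flags, TTL taken from question 46 (i)-(iv)
        "(i)": IPv4Header(1500, 0, 31, DST),
        "(ii)": IPv4Header(5376, 0, 31, DST),
        "(iii)": IPv4Header(5376, 2, 31, DST),
        "(iv)": IPv4Header(5376, 0, 1, DST),
    }
    for label, pkt in cases.items():
        print(label, forward(pkt, NET, MTU))
```
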
For some of the following questions you may need the following outputs of nslookup:

    maan-719 ott>: nslookup 128.235.251.39
    Server: dns1.njit.edu
    Address: 128.235.251.10

    Name: www-proxy.njit.edu
    Address: 128.235.251.39

    maan-720 ott>: nslookup 128.235.32.243
    Server: dns1.njit.edu
    Address: 128.235.251.10

    Name: maan.njit.edu
    Address: 128.235.32.243

    maan-784 ott>: nslookup 128.235.35.169
    Server: dns1.njit.edu
    Address: 128.235.251.10

    Name: front.njit.edu
    Address: 128.235.35.169

    maan-785 ott>: nslookup 128.235.32.6
    Server: dns1.njit.edu
    Address: 128.235.251.10

    Name: cisnet-gw6.njit.edu
    Address: 128.235.32.6

47. An ethernet packet gave the following output in TCPDump:

    18:30:45.631507 0:d0:3:70:5f:fd ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.35.169 tell 128.235.32.6

47A. Give a short explanation of every field in this tcpdump output (above).

47B. What do you know about the physical address of front.njit.edu? What do you know about the physical address of cisnet-gw6.njit.edu? What do you know about the physical address of dns1.njit.edu?

48. Suppose we have an HTTP packet, and suppose the IP packet that carries the HTTP packet is an IPv4 packet which itself is encapsulated in another IPv4 packet, which is carried inside an ethernet frame. Draw this system of packets, in particular the various headers (in the right locations). Give all ethertypes, version numbers, protocol identifiers, and port numbers, indicating where they are located. Do not give other information about the headers (like header lengths, flags, locations and sizes of other fields, etc).

49. Given the following output from traceroute:

    alizarin-44 ott>: traceroute 129.105.5.186
    traceroute to 129.105.5.186 (129.105.5.186), 30 hops max, 40 byte packets
     1 128.235.204.6 (128.235.204.6) 1.101 ms 0.452 ms 0.406 ms
     2 external-242-gw (128.235.242.2) 0.866 ms * 1.159 ms
     3 njit-border-gw (128.235.249.254) 2.085 ms 1.688 ms 1.519 ms
     4 Serial2-8.GW5.EWR1.ALTER.NET (157.130.11.85) 29.728 ms 16.892 ms 20.728 ms
     5 119.ATM5-0.XR1.EWR1.ALTER.NET (146.188.180.26) 29.641 ms 21.214 ms 33.732 ms
     6 193.at-1-0-0.XR1.NYC9.ALTER.NET (152.63.17.218) 48.318 ms 48.455 ms 47.674 ms
     7 0.so-3-1-0.XL1.NYC9.ALTER.NET (152.63.9.58) 52.532 ms 41.507 ms 62.896 ms
     8 POS6-0.BR1.NYC9.ALTER.NET (152.63.18.225) 60.640 ms 32.155 ms 45.342 ms
     9 p7-2.nycmny1-cr10.bbnplanet.net (4.0.6.141) 34.029 ms 46.212 ms 44.817 ms
    10 p1-0.nycmny1-nbr2.bbnplanet.net (4.24.8.169) 46.259 ms 59.226 ms 69.213 ms
    11 p15-0.nycmny1-nbr1.bbnplanet.net (4.24.10.209) 71.378 ms 67.299 ms 80.391 ms
    12 so-6-0-0.chcgil2-br2.bbnplanet.net (4.24.4.17) 101.834 ms 73.561 ms 70.743 ms
    13 p1-0.chcgil1-br2.bbnplanet.net (4.0.1.198) 64.945 ms 47.104 ms 51.184 ms
    14 p5-0.chcgil1-ba2.bbnplanet.net (4.24.5.238) 39.352 ms 62.902 ms 65.726 ms
    15 p2-0.chcgil1-cr4.bbnplanet.net (4.24.5.246) 71.738 ms 39.296 ms 60.583 ms
    16 a4-0-3.nuit.bbnplanet.net (4.24.245.6) 73.814 ms 98.819 ms 107.329 ms
    17 lev-mdf-6-vln-39.nwu.edu (199.249.169.61) 92.782 ms 88.834 ms 84.173 ms
    18 tech-idf-rtr.nwu.edu (129.105.253.166) 98.899 ms 82.675 ms 85.428 ms
    19 thelonious.ece.nwu.edu (129.105.5.186) 97.856 ms * 76.901 ms

49A. BRIEFLY (dotted decimal only is OK), what list of intermediates would you expect if you did traceroute 4.0.6.141 (from alizarin)?

49B. What RTT would you expect (roughly) if you did ping -s 4.0.6.141 (from alizarin)?

50. This is a question on RIP.

    "infinity" = 16.
    DD = Direct Delivery
    FW.X = Forward to router X
    All distances are in hopcount

50A. What does RIP stand for?

50B. What class of routing protocols is RIP?
Suppose Router R contains the following Routing Table (Output Port identifiers are not needed here and are not given).

    Network:    1     2     3     4     5     6     7     8
    Distance:   0     0     0     2     1     1     2     3
    Action:     DD    DD    DD    FW.F  FW.F  FW.E  FW.E  FW.E

50C. Suppose Router R now gets the following RIP message from its neighbor, Router G (possibly, G has been down for some time):

    Network:    4     5     6     7     8     9
    Distance:   0     1     2     1     0     0

What does the routing table in R look like after the update? Make sure I can follow your logic.

50D. Suppose this internetwork uses Poisoned Reverse. Suppose router R sends (BEFORE the update in part C) an update to its neighbor Router E. Construct and give the update message.

51. RTT estimation in TCP. Describe how in TCP the RTT can be estimated in such a way that at any point in time the source needs to "remember" the departure time of at most one unacknowledged packet.

52. Suppose we have an http packet, inside a TCP packet, inside an IPv6 packet, inside an IPv4 packet, inside an ethernet packet. Describe in detail the locations, and where you can, the values, of all port numbers, next header identifiers, protocol identifiers, version identifiers, frame types, source addresses, destination addresses. Make a sketch of where the various headers are located, and where the various fields mentioned are located in those headers.

53. What is the bandwidth of a SONET OC-1 connection? (OC-3 ? OC-6 ? ... OC-192 ?). What is the bandwidth of a DS-0 connection? DS-1 ? DS-3 ? What is the bandwidth of a T-1 connection? a T-3 connection? 10 years ago I might have asked you the difference between T1 and DS-1, but since I have forgotten, I won't :-) .

54. What does EMTU-S and EMTU-R stand for? Where and how are these EMTUs used?

More questions may be added if Dr Ott has time. Check this page.

---

Don't forget: this was a SAMPLE only. I tried to give examples of the TYPE of questions I may ask. Not examples of specific questions I am likely to ask. A few specific ones are particularly likely: Packet headers, in particular IP, TCP. Interpret outputs of tcpdump, nslookup, ping, traceroute.

Good Luck. Study hard.

Teun Ott.