
Lab 2-1: Ethernet and ARP


Course: NET-101, Week 2
Time: ~90 minutes
Tools: Academy pcap-tools workbench at /pcap-tools/
Captures: fundamentals-arp-request-reply.pcap, arp-storm.pcap


Part 1: Normal ARP exchange (~30 minutes)

Load fundamentals-arp-request-reply.pcap in pcap-tools. This capture contains two packets: one ARP request and one ARP reply.

Exercise 1.1 -- Ethernet header:

Click the ARP request packet. Expand "Ethernet II" in the packet detail pane.

  1. What is the destination MAC address? (Write it out in full: XX:XX:XX:XX:XX:XX)
  2. What does that destination MAC tell you about the type of this frame? (Hint: compare to ff:ff:ff:ff:ff:ff)
  3. What is the source MAC address?
  4. What is the EtherType field value? What protocol does it indicate?

Click the ARP reply packet. Expand "Ethernet II."

  1. What is the destination MAC address of the reply? Is this a broadcast or unicast?
  2. The reply's destination MAC should be the same as the request's source MAC. Verify this.

Exercise 1.2 -- ARP fields:

Click the ARP request packet. Expand "Address Resolution Protocol (request)."

  1. What is the Operation field value? What does it mean?
  2. What is the Sender Protocol Address (sender's IP)?
  3. What is the Target Protocol Address (the IP being queried)?
  4. What is the Target Hardware Address? Why is it all zeros?

Click the ARP reply packet. Expand "Address Resolution Protocol (reply)."

  1. What is the Operation field value?
  2. What is the Sender Hardware Address in the reply? This is the answer to the ARP question.
  3. What is the Sender Protocol Address in the reply?

Write a one-paragraph summary: In plain English, describe what happened in this two-packet exchange. Include: who asked, what they asked, who answered, and what information was exchanged.
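As an added worked example (not part of the original lab handout or the pcap-tools workbench), the Python script below builds an ARP request and the matching reply with the standard library, decodes them, and runs the Exercise 1.1 and 1.2 consistency checks in code, so you can see exactly where the Ethernet II and ARP fields sit in the frame bytes. The MAC and IP addresses are constructed for the example and are not the values in fundamentals-arp-request-reply.pcap; use it to check your reading of the fields, not as a source of answers.

```python
"""Decode an ARP request/reply pair and run the Exercise 1.1/1.2 checks in code.

Standard library only.  The two frames below are CONSTRUCTED for this example
(not the frames in fundamentals-arp-request-reply.pcap): host 192.0.2.10 at
02:00:00:00:00:0a asks for 192.0.2.1 and the gateway at 02:00:00:00:00:01 answers.
"""
import struct
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class ArpFrame:
    eth_dst: str      # Ethernet II destination
    eth_src: str      # Ethernet II source
    ethertype: int    # 0x0806 for ARP
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # Sender Hardware Address
    sender_ip: str    # Sender Protocol Address
    target_mac: str   # Target Hardware Address (all zeros in a request)
    target_ip: str    # Target Protocol Address

    @property
    def is_broadcast(self) -> bool:
        return self.eth_dst == BROADCAST


def build_arp(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Ethernet II + ARP (hardware type 1 = Ethernet, protocol type 0x0800 = IPv4)."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    # 14 + 28 = 42 bytes; the sender pads to the 60-byte Ethernet minimum, which is why
    # a capture shows trailing zero bytes after the ARP payload.
    return (eth + arp).ljust(60, b"\x00")


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode the fields the lab asks for; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP (need 42 bytes)")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP (0x0806)")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(mac_str(dst), mac_str(src), ethertype, opcode,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def check_exchange(request: ArpFrame, reply: ArpFrame) -> dict:
    """The consistency checks Exercises 1.1 and 1.2 have you make by eye."""
    return {
        "request_is_broadcast": request.is_broadcast,
        "request_target_mac_is_zero": request.target_mac == ZERO_MAC,
        "reply_is_unicast": not reply.is_broadcast,
        "reply_eth_dst_equals_request_eth_src": reply.eth_dst == request.eth_src,
        "reply_sender_ip_is_requested_ip": reply.sender_ip == request.target_ip,
        "reply_targets_the_asker": (reply.target_mac == request.sender_mac
                                    and reply.target_ip == request.sender_ip),
    }


ASKER_MAC, ASKER_IP = "02:00:00:00:00:0a", "192.0.2.10"   # constructed
GW_MAC, GW_IP = "02:00:00:00:00:01", "192.0.2.1"          # constructed

REQUEST = build_arp(BROADCAST, ASKER_MAC, ARP_REQUEST, ASKER_MAC, ASKER_IP, ZERO_MAC, GW_IP)
REPLY = build_arp(ASKER_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, ASKER_MAC, ASKER_IP)

if __name__ == "__main__":
    req, rep = parse_arp_frame(REQUEST), parse_arp_frame(REPLY)
    print(req)
    print(rep)
    for name, ok in check_exchange(req, rep).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it and compare each printed field with what the pcap-tools detail pane shows for the real capture: the broadcast destination and EtherType 0x0806 on the request, the zeroed Target Hardware Address, and the reply coming back unicast to the request's source MAC.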


Part 2: ARP anomaly -- the storm (~30 minutes)

Load arp-storm.pcap. Apply the display filter arp.

Exercise 2.1 -- Statistics:

  1. How many total ARP packets are in the capture?
  2. Apply arp.opcode == 1. How many ARP requests?
  3. Apply arp.opcode == 2. How many ARP replies?
  4. What is the ratio of requests to replies? Is this what you would expect from normal ARP behavior?

Exercise 2.2 -- Source analysis:

Remove the filter and look at the packet list.

  1. Is there one source MAC address responsible for most of the ARP requests, or many sources?
  2. What IP address is being requested most frequently?
  3. What is the approximate time (in seconds) between consecutive ARP requests? Use the Time column in the packet list. To read the gaps directly, set View > Time Display Format > Seconds Since Previous Displayed Packet, or add a "Delta time displayed" column under Edit > Preferences > Appearance > Columns.

Exercise 2.3 -- Anomaly reasoning:

  1. In a normal network, when does a host send an ARP request? How often does it need to do this?
  2. Based on the rate and volume you observed, what do you think is generating these ARP requests? (Hypothesize; you do not need to be certain.)
  3. If you were monitoring this network and saw this pattern, what would you do next?

Part 3: Write a display filter and artifact

Exercise 3.1:

Write a single Wireshark display filter that shows ONLY the ARP requests in arp-storm.pcap whose sender MAC is the main offender you identified in Exercise 2.2.

Hint: arp.src.hw_mac == xx:xx:xx:xx:xx:xx and arp.opcode == 1 (arp.src.hw_mac is the ARP Sender Hardware Address; for an unspoofed request it matches the Ethernet source, eth.src).

Test your filter. How many packets match?
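Added example, not part of the original lab: the script below does the Exercise 2.1, 2.2 and 2.3 analysis and applies the Exercise 3.1 filter in Python, working over the tab-separated lines that tshark -T fields prints for a capture. The sample lines are constructed (three ordinary exchanges plus one storming host); the MACs, IPs and the thresholds in flag_storm_sources are assumptions made for the example, not values from arp-storm.pcap.

```python
"""Exercises 2.1-2.3 and 3.1 done in code over tshark-style field output.

Expected input is one tab-separated line per ARP packet, as printed by
    tshark -r arp-storm.pcap -Y arp -T fields -e frame.time_relative \
           -e arp.src.hw_mac -e arp.opcode -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4
SAMPLE_FIELDS is CONSTRUCTED for this example; it is not an export of arp-storm.pcap.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median

GATEWAY_MAC = "02:00:00:00:00:01"   # constructed
STORM_MAC = "02:00:00:00:00:ee"     # constructed


@dataclass
class ArpRecord:
    t: float          # frame.time_relative, seconds since the first frame
    sender_mac: str   # arp.src.hw_mac (normally equals eth.src; a mismatch is itself worth noting)
    opcode: int       # arp.opcode: 1 = request, 2 = reply
    sender_ip: str    # arp.src.proto_ipv4
    target_ip: str    # arp.dst.proto_ipv4


def _constructed_lines():
    rows = []
    # three normal request/reply pairs for the gateway, seconds apart
    for t, mac, ip in ((0.0, "02:00:00:00:00:0a", "192.0.2.10"),
                       (4.2, "02:00:00:00:00:0b", "192.0.2.11"),
                       (9.75, "02:00:00:00:00:0c", "192.0.2.12")):
        rows.append(f"{t:.6f}\t{mac}\t1\t{ip}\t192.0.2.1")
        rows.append(f"{t + 0.0008:.6f}\t{GATEWAY_MAC}\t2\t192.0.2.1\t{ip}")
    # one host asking for an address nobody owns, 100 times a second, never answered
    rows += [f"{5.0 + i * 0.01:.6f}\t{STORM_MAC}\t1\t192.0.2.50\t192.0.2.99" for i in range(40)]
    return sorted(rows, key=lambda r: float(r.split("\t")[0]))

SAMPLE_FIELDS = "\n".join(_constructed_lines())


def parse_fields(text):
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, mac, op, sip, tip = line.split("\t")
        recs.append(ArpRecord(float(t), mac.lower(), int(op), sip, tip))
    return recs


def summarize(recs):
    """Exercises 2.1 and 2.2: counts, ratio, top requester, most-requested IP, request spacing."""
    reqs = [r for r in recs if r.opcode == 1]
    reps = [r for r in recs if r.opcode == 2]
    top_mac, top_n = Counter(r.sender_mac for r in reqs).most_common(1)[0]
    top_ip, _ = Counter(r.target_ip for r in reqs).most_common(1)[0]
    ts = [r.t for r in reqs if r.sender_mac == top_mac]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "total": len(recs), "requests": len(reqs), "replies": len(reps),
        "requests_per_reply": len(reqs) / len(reps) if reps else float("inf"),
        "top_requester": top_mac, "top_requester_requests": top_n,
        "most_requested_ip": top_ip,
        "median_gap_s": median(gaps) if gaps else None,
    }


def display_filter_matches(recs, mac):
    """Selects the same packets as  arp.src.hw_mac == <mac> and arp.opcode == 1  (Exercise 3.1)."""
    return sum(1 for r in recs if r.opcode == 1 and r.sender_mac == mac.lower())


def flag_storm_sources(recs, min_requests=20, max_median_gap_s=0.1):
    """Exercise 2.3 as a rule: many tightly spaced requests for addresses that never answer.

    Both thresholds are assumptions chosen for this example; tune them for a real network.
    """
    answered_ips = {r.sender_ip for r in recs if r.opcode == 2}   # IPs seen replying at all
    by_src = {}
    for r in recs:
        if r.opcode == 1:
            by_src.setdefault(r.sender_mac, []).append(r)
    flagged = []
    for mac, reqs in by_src.items():
        ts = [r.t for r in reqs]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(reqs) < min_requests or not gaps:
            continue
        gap = median(gaps)
        unanswered = {r.target_ip for r in reqs} - answered_ips
        if gap <= max_median_gap_s and unanswered:
            flagged.append((mac, len(reqs), round(gap, 4), sorted(unanswered)))
    return flagged


if __name__ == "__main__":
    records = parse_fields(SAMPLE_FIELDS)
    for k, v in summarize(records).items():
        print(f"{k:>24}: {v}")
    print("filter matches:", display_filter_matches(records, STORM_MAC))
    print("flagged:", flag_storm_sources(records))
```

To use it on the real capture, export the fields with the tshark command in the docstring and pass the output to parse_fields(); display_filter_matches() for the offender's MAC should then return the same count your Exercise 3.1 filter gives in pcap-tools, and summarize() gives you the request/reply ratio and inter-request gap from Exercises 2.1 and 2.2 without counting by hand.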

Artifact:

Create a file lab-2-1.md in your net-101/ Git repository with:

  • Your answers to Exercises 1.1, 1.2 (including the Part 1 summary paragraph), 2.1, 2.2 and 2.3
  • Your display filter from Exercise 3.1
  • One additional observation from either capture that you found interesting and were not prompted to record

Commit the file with a meaningful commit message.


Grading criteria

  • Exercise 1.1-1.2: all fields correctly identified and described (10 pts)
  • Part 1 summary paragraph: accurate, in your own words (10 pts)
  • Exercise 2.1-2.3: anomaly identified; questions answered accurately (10 pts)
  • Exercise 3.1: filter correct and tested (5 pts)
  • Artifact committed to Git (5 pts)