Course: NET-101, Week 3
Time: ~90 minutes
Tools: Academy pcap-tools workbench at /pcap-tools/
Captures: fundamentals-icmp-ping.pcap, fundamentals-http-get.pcap
Part 1: Read the IPv4 header from a simple capture (~30 minutes)
Load fundamentals-icmp-ping.pcap in pcap-tools. This is the simplest IP-bearing capture in the fundamentals set: just ICMP echo request and reply.
Click the first packet (ICMP Echo Request). Expand "Internet Protocol Version 4" in the packet detail pane.
Record the following fields:
| Field | Value you see |
|---|---|
| Version | |
| Header Length | |
| DSCP | |
| Total Length | |
| Identification | |
| Flags (DF, MF) | |
| Fragment Offset | |
| Time to Live | |
| Protocol | |
| Header Checksum | |
| Source Address | |
| Destination Address |
Questions:
- What does the Protocol field value tell Wireshark about what follows the IP header?
- The total length field covers the IP header plus the payload. If the IP header is 20 bytes and the total length is X, how many bytes is the ICMP payload?
- The Fragment Offset is 0 and the MF (More Fragments) flag is not set. What does that tell you about this packet?
- What is the TTL? What does that value suggest about the operating system that generated this packet? (Hint: Windows typically uses 128; Linux typically uses 64.)
Part 2: Compare fields across a multi-layer capture (~30 minutes)
Load fundamentals-http-get.pcap. This capture has 10 packets. Click through each one and record the following for the first 4 packets:
| Packet # | Protocol (in IP header) | TTL | Total Length | Source IP | Dest IP |
|---|---|---|---|---|---|
| 1 | |||||
| 2 | |||||
| 3 | |||||
| 4 |
Questions:
- All packets in this capture use the same source and destination IPs. What are they, and what does the address range (
192.0.2.x) indicate? (Look up RFC 5737.) - The Protocol field should be 6 for all TCP packets. Verify this for at least two packets. What would the Protocol field be for a UDP packet?
- Compare the Total Length of the first SYN packet (just a TCP header, no data) to a later packet that carries HTTP payload. How many bytes of difference is there? What does that difference represent?
Part 3: Apply display filters to find specific IP field values (~20 minutes)
Using either capture loaded in pcap-tools:
Exercise 3.1: Write and apply a filter that shows only packets with TTL less than 64:
ip.ttl < 64
How many packets match in fundamentals-icmp-ping.pcap? In fundamentals-http-get.pcap?
Exercise 3.2: Write a filter that shows only packets where the source IP is in the 192.0.2.0/24 range:
ip.src == 192.0.2.0/24
How many packets match?
Exercise 3.3: The DF (Don't Fragment) bit is flag bit 1 in the IP Flags field. Write a filter that shows packets with DF set:
ip.flags.df == 1
In fundamentals-http-get.pcap, do the TCP packets have DF set? Does this make sense? (Hint: think about TCP's Path MTU Discovery.)
Part 4: Subnetting check (~10 minutes)
Without using a calculator:
- Is
192.0.2.10on the same /24 subnet as192.0.2.20? Show the AND calculation. - Is
10.0.0.100on the same /8 subnet as10.255.0.1? Show the AND calculation. - Is
172.16.5.50on the same /12 subnet as172.31.255.1? Show the AND calculation. (Hint: /12 =255.240.0.0)
Artifact
Create lab-3-1.md in your net-101/ Git repo with:
- The header table from Part 1
- The comparison table from Part 2
- Answers to all questions (numbered)
- The three display filters from Part 3 with their packet counts
- The subnetting calculations from Part 4
Commit with a meaningful commit message.