Lab 4-1: ICMP -- Ping and Traceroute

Course: NET-101, Week 4
Time: ~90 minutes
Tools: Academy pcap-tools workbench; your terminal (for live traceroute)
Captures: fundamentals-icmp-ping.pcap


Part 1: Read an ICMP ping exchange in a capture (~30 minutes)

Load fundamentals-icmp-ping.pcap in pcap-tools. This is a minimal capture: one ICMP Echo Request and one ICMP Echo Reply.

Exercise 1.1 -- Packet 1 (Echo Request):

Click the first packet. Expand "Internet Control Message Protocol" in the packet detail pane.

  1. What is the Type field value? What does it mean?
  2. What is the Code field value?
  3. What is the Checksum field value? (You do not need to verify it manually.)
  4. What is the Identifier field value? Why does this field exist?
  5. What is the Sequence Number field value?
  6. Is there any data payload after the ICMP header? If so, what is its length?

Exercise 1.2 -- Packet 2 (Echo Reply):

Click the second packet. Expand "Internet Control Message Protocol."

  1. What is the Type field value? What does it mean?
  2. Is the Identifier the same as in the Echo Request? Is the Sequence Number the same?
  3. Wireshark often shows "Response time" in the ICMP header decoded view. What is the measured response time for this exchange?

Exercise 1.3 -- IP layer:

  1. In the Echo Request: what is the TTL? What is the destination IP address?
  2. In the Echo Reply: what is the TTL? Note that the TTL in the reply may be different from the TTL in the request if the reply traveled a different path or was sent by a different OS.

Part 2: Run a live traceroute (~30 minutes)

Open your terminal. Run:

traceroute 8.8.8.8

(On Windows: tracert 8.8.8.8. If traceroute is not installed on Linux: sudo apt install traceroute.)

Exercise 2.1 -- Read the output:

Copy the full traceroute output into your lab file. For each hop that responded (not * * *):

  Hop   IP Address         Avg RTT (ms)
  1
  2
  ...

Exercise 2.2 -- Analysis:

  1. How many total hops did your traceroute take?
  2. Which hops showed * * *? What does that mean?
  3. Is there a hop where the RTT jumps significantly (more than 30ms more than the previous hop)? What might cause that jump?
  4. What is the total RTT to the final hop (8.8.8.8)?

Exercise 2.3 -- Compare two targets:

Run a second traceroute to a different host, such as:

traceroute 1.1.1.1

How many hops? Do the first few hops overlap with the 8.8.8.8 traceroute? Where do the paths diverge?


Part 3: Display filter exercises (~20 minutes)

Load fundamentals-icmp-ping.pcap in pcap-tools.

Exercise 3.1: Apply the filter icmp.type == 8. How many packets match? What do they all have in common?

Exercise 3.2: Apply the filter icmp.type == 0. How many packets match?

Exercise 3.3: Apply the filter icmp.type == 11. No packets should match in this fundamentals capture (there are no TTL-exceeded events). What would you load to see ICMP type 11? (Hint: a traceroute capture would have them.)

Exercise 3.4: Apply icmp. How many packets match? Is this different from applying icmp.type == 8 or icmp.type == 0? Why?


Part 4: Hypothesis exercise (~10 minutes)

You receive a packet capture and see the following pattern:

  • 30 outgoing ICMP type 8 packets, each with increasing sequence numbers (1, 2, 3...)
  • The first 10 outgoing packets each receive an ICMP type 0 reply within 20ms
  • Packets 11-30 receive no reply

Formulate two hypotheses for what happened between packet 10 and packet 11. For each hypothesis, describe one additional Wireshark filter or observation that would help confirm or rule it out.
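As an added example (not part of the lab materials or of pcap-tools), the following Python builds and decodes the ICMP Echo header fields asked about in Part 1 (Type, Code, Checksum, Identifier, Sequence Number, payload length), verifies the RFC 792 checksum, and pairs Echo Requests with Echo Replies by Identifier and Sequence Number to list the unanswered probes in the Part 4 pattern. The identifier 0x1234 and the payload bytes are constructed values, not taken from the lab capture.

```python
import struct

ICMP_ECHO_REQUEST = 8   # Type 8: Echo Request
ICMP_ECHO_REPLY = 0     # Type 0: Echo Reply

def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:           # odd length: pad with a zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an Echo message: Type, Code, Checksum, Identifier, Sequence Number, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header; the checksum over the whole message is 0 when valid."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "code": code, "checksum": csum, "id": ident,
            "seq": seq, "payload_len": len(msg) - 8,
            "checksum_ok": icmp_checksum(msg) == 0}

def unanswered(messages) -> list:
    """Pair Requests with Replies on (Identifier, Sequence); return sequence numbers with no Reply."""
    seen = {}
    for m in messages:
        p = parse_echo(m)
        key = (p["id"], p["seq"])
        if p["type"] == ICMP_ECHO_REQUEST:
            seen.setdefault(key, False)
        elif p["type"] == ICMP_ECHO_REPLY and key in seen:
            seen[key] = True
    return sorted(seq for (_, seq), answered in seen.items() if not answered)

def sample_exchange() -> list:
    """Constructed traffic (not from the lab capture) matching the Part 4 pattern."""
    msgs = []
    for seq in range(1, 31):
        msgs.append(build_echo(ICMP_ECHO_REQUEST, 0x1234, seq, b"pingdata"))
        if seq <= 10:   # only the first 10 probes are answered
            msgs.append(build_echo(ICMP_ECHO_REPLY, 0x1234, seq, b"pingdata"))
    return msgs
```

Calling unanswered(sample_exchange()) returns sequence numbers 11 through 30, the same gap you are asked to explain in Part 4; parse_echo on a message whose bytes were altered in transit reports checksum_ok as False.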


Artifact

Create lab-4-1.md in your net-101/ Git repo with:

  • Answers to all exercises
  • Your live traceroute outputs (both targets)
  • The traceroute table (hop, IP, RTT)
  • Your hypothesis analysis from Part 4

Commit with a meaningful commit message.