Homework 1; COM S 519, Spring 2002

Examining Network Activity

Note: Until Ethereal is available in 315 Upson, you may want to refer to text copies of the captured trace: the summary view and the detailed view.

In this first assignment, I am providing you with a trace of network activity (example.cap) that I captured. You should download the trace file and open it with a network protocol analyzer called Ethereal (www.ethereal.com). If you have never used Ethereal, you should use this assignment as an opportunity to familiarize yourself with its capabilities. I suggest that you experiment with a variety of its display tools and filters.

I also encourage you to use the machines in Upson 315 to capture a few traces of your own activity and analyze them in a similar manner. You might also consider downloading some of the sample trace files from www.ethereal.com and examining them as well.

Answer the following questions. I suggest that you save this HTML file and insert your answers. If you do not know how to easily answer a question, feel free to give an educated guess. I am not asking you to research the answers. I want to get a feeling for what you already know!

Have fun!
Jeanna


Q1: After starting the trace capture, I issued an "ipconfig /renew" command. Which packets are a direct result of this command? Can you say specifically what is being accomplished by these packets?


Q2: The second thing I did was to open a browser window and go to the URL http://www.oreilly.com. What is the purpose of the DNS A query for www.oreilly.com in packet 25? Does this imply anything about how long it has been since traffic was exchanged with www.oreilly.com?


Q3: Packets 27-29 show the three-way handshake that establishes the TCP connection between the local machine and www.oreilly.com. What is the value in the sequence number field and the ack field for each of packets 27-29? Can you explain the purpose of these numbers?


Q4: What port numbers are used for each end of the TCP connection to www.oreilly.com?


Q5: Once the TCP connection to www.oreilly.com is open, packet 30 contains the HTTP GET request. Is packet 30 an HTTP packet, a TCP packet, or both?


Q6: Packet 30 takes up 383 bytes. What accounts for the bulk of this space? Look in the detailed view of the packet and describe some of the information sent with the GET request.


Q7: There are actually two TCP connections established to www.oreilly.com. Which packets show the opening of the second connection? Why might a web browser establish 2 connections?


Q8: How many distinct objects are fetched from www.oreilly.com? How do you know? How many objects go over each of the two TCP connections?


Q9: What is the purpose of the HTTP Continuation packets?


Q10: How many bytes total are transferred from www.oreilly.com to the local machine? How many bytes total are transferred in the other direction? How do you know? (Hint: Try the Follow TCP Stream option under the Tools menu. Hint 2: Use the beginning and ending sequence numbers.)
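The following Python script is an added illustration for Q3 and Q10 and is not part of the assignment or of the example.cap trace. It walks a constructed TCP exchange (made-up endpoints, sequence numbers and payload sizes) the way a protocol analyzer does: it checks that each segment's sequence number continues where that side left off, that each ack matches what the peer has sent so far, and it counts payload bytes per direction. It also shows the "Hint 2" method, computing the byte count from the initial sequence number and the peer's final ack alone, and confirms both methods agree.

```python
"""Sequence/ack bookkeeping for one TCP connection.

Added example for Q3 and Q10; the packets below are constructed
(placeholder addresses, ports and sequence numbers), not taken from example.cap.
"""

from dataclasses import dataclass

CLIENT = "192.168.1.100:1042"   # constructed local endpoint
SERVER = "203.0.113.7:80"       # constructed server endpoint (documentation range)


@dataclass
class Packet:
    src: str
    dst: str
    flags: str      # subset of "SAFP", Ethereal-style abbreviations
    seq: int
    ack: int
    payload: int    # bytes of TCP data carried in this segment


def seq_consumed(p: Packet) -> int:
    """SYN and FIN each occupy one sequence number; data occupies one per byte."""
    return p.payload + ("S" in p.flags) + ("F" in p.flags)


def check_stream(packets):
    """Verify seq/ack consistency for an in-order, loss-free capture and
    return the number of payload bytes each endpoint sent."""
    next_seq = {}      # next sequence number each endpoint should send
    data_bytes = {}    # payload bytes sent by each endpoint
    for p in packets:
        if p.src not in next_seq:
            next_seq[p.src] = p.seq          # first segment fixes that side's ISN
        if p.seq != next_seq[p.src]:
            raise ValueError(f"{p.src}: seq {p.seq}, expected {next_seq[p.src]}")
        # An ACK names the next byte the sender expects from its peer, which
        # in an in-order trace equals everything the peer has sent so far.
        if "A" in p.flags and p.dst in next_seq and p.ack != next_seq[p.dst]:
            raise ValueError(f"{p.src}: ack {p.ack}, expected {next_seq[p.dst]}")
        next_seq[p.src] += seq_consumed(p)
        data_bytes[p.src] = data_bytes.get(p.src, 0) + p.payload
    return data_bytes


def bytes_from_sequence_numbers(isn, final_ack, syn=True, fin=True):
    """The Hint 2 method: the peer's final ack minus the initial sequence
    number, less the one sequence number each of SYN and FIN consumed."""
    return final_ack - isn - int(syn) - int(fin)


def sample_packets():
    """Constructed handshake, one 383-byte request, two data segments, teardown."""
    c, s = CLIENT, SERVER
    return [
        Packet(c, s, "S",  1000,    0,    0),   # SYN, client ISN 1000
        Packet(s, c, "SA", 5000, 1001,    0),   # SYN/ACK, server ISN 5000
        Packet(c, s, "A",  1001, 5001,    0),   # handshake complete
        Packet(c, s, "PA", 1001, 5001,  383),   # HTTP GET
        Packet(s, c, "A",  5001, 1384,    0),
        Packet(s, c, "PA", 5001, 1384, 1460),   # response data
        Packet(s, c, "PA", 6461, 1384,  900),   # more response data
        Packet(c, s, "A",  1384, 7361,    0),
        Packet(s, c, "FA", 7361, 1384,    0),   # server closes
        Packet(c, s, "FA", 1384, 7362,    0),   # client closes
        Packet(s, c, "A",  7362, 1385,    0),
    ]


if __name__ == "__main__":
    counts = check_stream(sample_packets())
    print("payload bytes per endpoint:", counts)
    print("client via Hint 2:", bytes_from_sequence_numbers(1000, 1385))
    print("server via Hint 2:", bytes_from_sequence_numbers(5000, 7362))
```

Both methods give 383 bytes from the client and 2360 bytes from the server for this constructed stream; on a real trace the Hint 2 arithmetic only holds when the SYN and FIN are both in the capture and no data was retransmitted.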


Q11: After visiting O'Reilly, I opened my browser to www.gnu.org. How many distinct objects and/or bytes are fetched from www.gnu.org? (Open both www.gnu.org and www.oreilly.com yourself and see if you can see why.)


Q12: I have a Google toolbar in my browser that displays the "page rank" for each page I visit. What evidence can you find for this in the trace? How is the "page rank" information obtained? (Note: Page rank is typically a value from 1-10. www.oreilly.com had rank 9.)


Q13: The browser reset the connection to www.oreilly.com after the connection to gnu.org is established. Which packets show this happening? Why do you think the connection is reset when it is?


Q14: What is the difference between DNS A requests and DNS PTR requests?


Q15: In packet 3, there is a DNS PTR request for 1.1.168.192.in-addr.arpa. Does this mean the query is for IP address 1.1.168.192 or 192.168.1.1?
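As an added illustration for Q14 and Q15 (not part of the assignment, and using constructed addresses rather than the one in the trace), the script below builds in-addr.arpa names from IPv4 addresses, recovers the address from such a name, and classifies constructed Ethereal-style summary lines as forward (A) or reverse (PTR) queries. It cross-checks its own name construction against the Python standard library's `ipaddress` module.

```python
"""Forward (A) versus reverse (PTR) DNS names as seen in a summary view.

Added example for Q14 and Q15; the summary lines are constructed
(made-up packet numbers, times and addresses), not copied from example.cap.
"""

import ipaddress
import re


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name for a dotted-quad IPv4 address.
    The octets appear reversed because DNS delegates from the rightmost
    label leftwards: the /8 owner delegates the /16 below it, and so on."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ip_from_reverse_name(name: str) -> str:
    """Undo reverse_name: turn d.c.b.a.in-addr.arpa back into a.b.c.d."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {name!r}")
    return ".".join(reversed(labels[:4]))


# No. Time Source Destination Protocol Info -- the columns of a summary line
SUMMARY_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+DNS\s+Standard query\s+(A|PTR)\s+(\S+)"
)


def classify_dns_queries(lines):
    """Return (packet number, query type, target) for each DNS query line.
    PTR targets are decoded to the IP address being looked up; responses
    and non-DNS lines are skipped."""
    out = []
    for line in lines:
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        number, _time, _src, _dst, qtype, qname = m.groups()
        target = ip_from_reverse_name(qname) if qtype == "PTR" else qname
        out.append((int(number), qtype, target))
    return out


# Constructed summary lines in the layout of Ethereal's packet list.
SAMPLE_LINES = """\
101 0.000512 192.168.1.100 192.168.1.1 DNS Standard query PTR 5.0.0.10.in-addr.arpa
102 0.001203 192.168.1.1 192.168.1.100 DNS Standard query response PTR host5.example.net
103 2.104110 192.168.1.100 192.168.1.1 DNS Standard query A www.example.com
104 2.140022 192.168.1.1 192.168.1.100 DNS Standard query response A 203.0.113.7
105 2.200000 192.168.1.100 192.168.1.1 TCP 1042 > 80 [SYN] Seq=0 Ack=0
""".splitlines()


if __name__ == "__main__":
    print(reverse_name("10.0.0.5"))
    for entry in classify_dns_queries(SAMPLE_LINES):
        print(entry)
```

A forward (A) query carries a hostname and asks for an address; a reverse (PTR) query carries an address rewritten as a name under in-addr.arpa and asks for a hostname. The reversed octet order is a property of how the reverse tree is delegated, so decoding a PTR name always means reading its first four labels right to left.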


Q16: What application do you suspect is the source of the DNS PTR requests? Hint: It isn't the web browser.


Q17: The local machine I was using was sitting behind a combination firewall and network address translation (NAT) server. Can you see evidence of this in the trace?


Q18: Packets 5-8, 9-12 and 13-16 are three tries of NBNS and ICMP to the firewall's internal interface. What is the purpose of these messages?


Q19: Please give me your general reaction to this exercise. Did you find it interesting? What percentage of the answers were obvious to you? Had you done something like this before in a class or on your own?


Q20: If you noticed anything else cool in this trace or in other traces you examined, I would love to hear about it.