Wireshark Lab 4b
MSSV:1811550
8. What IP address is the DHCP server offering to your host in the DHCP Offer message? Indicate
which DHCP message contains the offered DHCP address.
Answer: My client is offered 192.168.1.101 by the DHCP server. The offer message contains the
DHCP address offered by the server.
9. In the example screenshot in this assignment, there is no relay agent between the host and the
DHCP server. What values in the trace indicate the absence of a relay agent? Is there a relay
agent in your experiment? If so what is the IP address of the agent?
Answer: In the example given, the value that indicates there is no relay agent is 0.0.0.0, in the
case of my capture, I also have a value for the relay agent of 0.0.0.0 indicating that I too did not
have a relay agent.
10. Explain the purpose of the router and subnet mask lines in the DHCP offer message.
Answer: The subnet mask line tells the client which subnet mask to use.
The router line indicates where the client should send messages by default.
11. In the DHCP trace file noted in footnote 2, the DHCP server offers a specific IP address to the
client (see also question 8. above). In the client’s response to the first server OFFER message,
does the client accept this IP address? Where in the client’s RESPONSE is the client’s requested
address?
Answer: The client accepts the IP address given in the offer message within the request
message. After being offered the IP address 192.168.1.101 in the offer message, my client sent
back a message further requesting that specific IP address.
12. Explain the purpose of the lease time. How long is the lease time in your experiment?
Answer: The purpose of lease time is to tell the client how long they can use the specific IP
address assigned by the server before they will have to be assigned a new one.
The lease time in my experiment is 86400 seconds or 1 day.
13. What is the purpose of the DHCP release message? Does the DHCP server issue an
acknowledgment of receipt of the client’s DHCP request? What would happen if the client’s
DHCP release message is lost?
Answer: The purpose of the release message is to release the IP address back to the server.
There is no verification that the release message has been received by the server.
If the message is lost, the client releases the IP address, but the server will not reassign that
address until the client's lease on the address expires.
14. Clear the bootp filter from your Wireshark window. Were any ARP packets sent or received
during the DHCP packet-exchange period? If so, explain the purpose of those ARP packets.
Answer: Yes, they appear to be broadcasts sent out by the network to build up the known IP
addresses by the client's network.
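The following is an added example and is not part of this lab write-up or the lab assignment. It builds two constructed DHCP messages carrying the values reported in the answers to questions 8 to 12 (offered address 192.168.1.101, giaddr 0.0.0.0 meaning no relay agent, lease 86400 seconds) and parses them the way Wireshark's bootp dissector would, so the reader can see exactly which header field and which option each answer came from. The subnet mask 255.255.255.0, router 192.168.1.1, transaction id and client MAC are assumed values chosen for the example; the trace in the write-up may differ.

```python
import ipaddress
import struct

# Fixed BOOTP header (236 bytes) followed by the DHCP magic cookie and TLV options.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE"}


def build_dhcp(op, xid, yiaddr, giaddr, options):
    """Build a minimal BOOTP/DHCP message. options is a list of (code, bytes)."""
    fixed = struct.pack(
        BOOTP_FMT, op, 1, 6, 0, xid, 0, 0,
        b"\0" * 4,                                  # ciaddr: client has no address yet
        ipaddress.IPv4Address(yiaddr).packed,       # yiaddr: "your" address (the offer)
        b"\0" * 4,                                  # siaddr
        ipaddress.IPv4Address(giaddr).packed,       # giaddr: relay agent, 0.0.0.0 if none
        bytes.fromhex("001122334455").ljust(16, b"\0"),  # chaddr (assumed MAC)
        b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + opts + b"\xff"    # 255 = end option


def parse_dhcp(pkt):
    """Parse the BOOTP header and the DHCP options the lab questions ask about."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    info = {
        "op": "BOOTREQUEST" if f[0] == 1 else "BOOTREPLY",
        "xid": f[4],
        "yiaddr": str(ipaddress.IPv4Address(f[8])),
        "giaddr": str(ipaddress.IPv4Address(f[10])),
    }
    # Question 9: a giaddr of 0.0.0.0 means no relay agent forwarded the message.
    info["relay_agent"] = None if info["giaddr"] == "0.0.0.0" else info["giaddr"]
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("option %d runs past end of message" % code)
        i += 2 + length
        if code == 53:
            info["message_type"] = MESSAGE_TYPES.get(val[0], val[0])
        elif code == 1:                 # question 10: subnet mask
            info["subnet_mask"] = str(ipaddress.IPv4Address(val))
        elif code == 3:                 # question 10: default router
            info["router"] = str(ipaddress.IPv4Address(val))
        elif code == 50:                # question 11: address the client asks for
            info["requested_ip"] = str(ipaddress.IPv4Address(val))
        elif code == 51:                # question 12: lease time in seconds
            info["lease_seconds"] = struct.unpack("!I", val)[0]
        elif code == 54:
            info["server_id"] = str(ipaddress.IPv4Address(val))
    return info


def check_offer_request(offer_pkt, request_pkt):
    """Does the client's REQUEST accept what the OFFER proposed (question 11)?"""
    offer, req = parse_dhcp(offer_pkt), parse_dhcp(request_pkt)
    return {
        "offered": offer["yiaddr"],
        "requested": req.get("requested_ip"),
        "client_accepted_offer": (offer["xid"] == req["xid"]
                                  and offer["yiaddr"] == req.get("requested_ip")),
        "relay_agent": offer["relay_agent"],
        "lease_seconds": offer.get("lease_seconds"),
    }


# Constructed sample messages using the values from the answers above.
XID = 0x3903F326                       # assumed transaction id
OFFER = build_dhcp(2, XID, "192.168.1.101", "0.0.0.0", [
    (53, bytes([2])),
    (1, ipaddress.IPv4Address("255.255.255.0").packed),   # assumed mask
    (3, ipaddress.IPv4Address("192.168.1.1").packed),     # assumed router
    (51, struct.pack("!I", 86400)),
    (54, ipaddress.IPv4Address("192.168.1.1").packed),
])
REQUEST = build_dhcp(1, XID, "0.0.0.0", "0.0.0.0", [
    (53, bytes([3])),
    (50, ipaddress.IPv4Address("192.168.1.101").packed),
    (54, ipaddress.IPv4Address("192.168.1.1").packed),
])

if __name__ == "__main__":
    print(parse_dhcp(OFFER))
    print(check_offer_request(OFFER, REQUEST))
```

Note that the offered address lives in the fixed yiaddr field of the OFFER, while the client's acceptance is carried in option 50 of the REQUEST, which is why the two answers point at different parts of the packet. The parser raises on a truncated option rather than reading past the buffer, which is the kind of check a real dissector needs when it handles packets from an untrusted network.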
Wireshark Lab 4c
1. What is the IP address of the client?
2. The client actually communicates with several different Google servers in order to implement
“safe browsing.” (See extra credit section at the end of this lab). The main Google server that
will serve up the main Google web page has IP address 64.233.169.104. In order to display only
those frames containing HTTP messages that are sent to/from this Google server, enter the
expression “http && ip.addr == 64.233.169.104” (without quotes) into the Filter: field in
Wireshark.
Answer:
3. Consider now the HTTP GET sent from the client to the Google server (whose IP address is IP
address 64.233.169.104) at time 7.109267. What are the source and destination IP addresses
and TCP source and destination ports on the IP datagram carrying this HTTP GET?
Answer: The source address is 192.168.1.100, the destination address is 64.233.169.104. The
TCP source port is 4335, and the destination port is 80.
4. At what time is the corresponding 200 OK HTTP message received from the Google server?
What are the source and destination IP addresses and TCP source and destination ports on the
IP datagram carrying this HTTP 200 OK message?
Answer: The corresponding 200 OK HTTP message received from the Google server is at
7.158798.
The source IP address is 64.233.169.104, the destination IP address is 192.168.1.100. The TCP
source port is 80, the TCP destination port is 4335.
5. Recall that before a GET command can be sent to an HTTP server, TCP must first set up a
connection using the three-way SYN/ACK handshake. At what time is the client-to-server TCP
SYN segment sent that sets up the connection used by the GET sent at time 7.109267? What are
the source and destination IP addresses and source and destination ports for the TCP SYN
segment? What are the source and destination IP addresses and source and destination ports of
the ACK sent in response to the SYN. At what time is this ACK received at the client? (Note: to
find these segments you will need to clear the Filter expression you entered above in step 2. If
you enter the filter “tcp”, only TCP segments will be displayed by Wireshark).
Answer: The client-to-server TCP SYN segment sent that sets up the connection used by the GET
is at 7.07567. The source IP address for the TCP SYN segment is 192.168.1.100, the destination
IP address is 64.233.169.104. The source port for the TCP SYN segment is 4335, the destination
port is 80.
The source IP address of the ACK sent in response to the SYN is 64.233.169.104, the destination
IP address is 192.168.1.100. The source port of the ACK sent in response to the SYN is 80, the
destination port is 4335. This ACK is received at the client at 7.108986.
6. In the NAT_ISP_side trace file, find the HTTP GET message that was sent from the client to the
Google server at time 7.109267 (where t=7.109267 is the time at which this was sent as recorded in
the NAT_home_side trace file). At what time does this message appear in the NAT_ISP_side
trace file? What are the source and destination IP addresses and TCP source and destination
ports on the IP datagram carrying this HTTP GET (as recorded in the NAT_ISP_side trace file)?
Which of these fields are the same, and which are different, than in your answer to question 3
above?
Answer: The HTTP GET message appears at 6.069168.
The source IP address is 71.192.34.104, the destination IP address is 64.233.169.104. The TCP
source port is 4335, the TCP destination port is 80.
Only the source IP address is different from my answer to question 3 above.
7. Are any fields in the HTTP GET message changed? Which of the following fields in the IP
datagram carrying the HTTP GET are changed: Version, Header Length, Flags, Checksum. If any
of these fields have changed, give a reason (in one sentence) stating why this field needed to
change.
Answer: No, all fields in the HTTP GET message are still the same.
Only the Checksum in the IP datagram carrying the HTTP GET is changed. Since the IP source
address has changed, and the checksum includes the value of the source IP address, the
checksum has changed.
8. In the NAT_ISP_side trace file, at what time is the first 200 OK HTTP message received from the
Google server? What are the source and destination IP addresses and TCP source and
destination ports on the IP datagram carrying this HTTP 200 OK message? Which of these fields
are the same, and which are different than your answer to question 4 above?
Answer: The first 200 OK HTTP message received from the Google server is at 6.308118.
The source IP address is 64.233.169.104, the destination IP address is 71.192.34.104. The TCP
source port on the IP datagram carrying this HTTP 200 OK message is 80, the TCP destination
port is 4335.
Only the destination IP address has changed.
9. In the NAT_ISP_side trace file, at what time were the client-to-server TCP SYN segment and the
server-to-client TCP ACK segment corresponding to the segments in question 5 above captured?
What are the source and destination IP addresses and source and destination ports for these
two segments? Which of these fields are the same, and which are different than your answer to
question 5 above?
Answer: The client-to-server TCP SYN segment is captured at 6.035475, and the server-to-client
TCP ACK segment is captured at 6.067775.
For the SYN: Source IP address: 71.192.34.104. Destination IP address: 64.233.169.104. Source
port: 4335. Destination port: 80.
For the ACK: Source IP address: 64.233.169.104. Destination IP address: 71.192.34.104. Source
port: 80. Destination port: 4335.
For the SYN, the source IP address has changed. For the ACK, the destination IP address has
changed. The port numbers are unchanged.
10. Using your answers to 1-8 above, fill in the NAT translation table entries for the HTTP
connection considered in questions 1-8 above.
Answer:
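The following is an added example and is not this write-up's answer to question 10 or any part of the lab assignment. It models the NAT behaviour that questions 6 to 9 describe: the router rewrites the source address of the outbound GET from 192.168.1.100 to 71.192.34.104, leaves the port 4335 alone, and must recompute the IPv4 header checksum because the source address is one of the words it covers, while Version, Header Length and Flags are untouched. The inbound 200 OK is mapped back through the same table entry. The script builds constructed packets from the page's addresses and ports (the HTTP payload text, TTL, identification and sequence numbers are assumed) and assumes IPv4 headers without options and 20-byte TCP headers. It also recomputes the TCP checksum, which covers a pseudo-header containing both IP addresses and therefore changes as well; the lab question does not ask about that field, but a NAT that forgot it would produce segments the server discards.

```python
import ipaddress
import struct

IP_FMT = "!BBHHHBBH4s4s"        # IPv4 header without options (IHL = 5)
TCP_FMT = "!HHIIBBHHH"          # TCP header without options (20 bytes)


def ones_complement_sum(data):
    """RFC 1071 checksum: 16-bit one's complement sum with end-around carry, inverted."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """TCP checksum covers a pseudo-header (src, dst, proto, length) plus the segment."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return ones_complement_sum(pseudo + segment)


def build_ipv4_tcp(src, dst, sport, dport, payload, ident=0x1234):
    """Constructed IPv4/TCP packet: DF flag set, TTL 64, PSH+ACK, checksums filled in."""
    s4, d4 = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    ip = struct.pack(IP_FMT, 0x45, 0, 40 + len(payload), ident, 0x4000, 64, 6, 0, s4, d4)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    tcp = struct.pack(TCP_FMT, sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp + payload)) + tcp[18:]
    return ip + tcp + payload


def parse_ipv4(pkt):
    """Return the fields question 7 asks about, plus both checksum verifications."""
    f = struct.unpack(IP_FMT, pkt[:20])
    src, dst = str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9]))
    return {"version": f[0] >> 4, "ihl": f[0] & 0xF, "flags": f[4] >> 13,
            "checksum": f[7], "src": src, "dst": dst,
            "sport": struct.unpack("!H", pkt[20:22])[0],
            "dport": struct.unpack("!H", pkt[22:24])[0],
            "ip_checksum_ok": ones_complement_sum(pkt[:20]) == 0,
            "tcp_checksum_ok": tcp_checksum(src, dst, pkt[20:]) == 0}


def rewrite(pkt, src=None, dst=None, sport=None, dport=None):
    """Rewrite address/port fields and recompute both checksums, as a NAT must."""
    ip, tcp, payload = bytearray(pkt[:20]), bytearray(pkt[20:40]), pkt[40:]
    if src:
        ip[12:16] = ipaddress.IPv4Address(src).packed
    if dst:
        ip[16:20] = ipaddress.IPv4Address(dst).packed
    if sport is not None:
        tcp[0:2] = struct.pack("!H", sport)
    if dport is not None:
        tcp[2:4] = struct.pack("!H", dport)
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    s = str(ipaddress.IPv4Address(bytes(ip[12:16])))
    d = str(ipaddress.IPv4Address(bytes(ip[16:20])))
    tcp[16:18] = b"\0\0"
    tcp[16:18] = struct.pack("!H", tcp_checksum(s, d, bytes(tcp) + payload))
    return bytes(ip) + bytes(tcp) + payload


class Nat:
    """Port-preserving NAT: (LAN ip, LAN port) -> WAN port, picking a new port on collision."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.table = {}

    def outbound(self, pkt):
        h = parse_ipv4(pkt)
        key = (h["src"], h["sport"])
        if key not in self.table:
            port = h["sport"]
            while port in self.table.values():   # another LAN host already uses it
                port += 1
            self.table[key] = port
        return rewrite(pkt, src=self.wan_ip, sport=self.table[key])

    def inbound(self, pkt):
        h = parse_ipv4(pkt)
        for (lan_ip, lan_port), wan_port in self.table.items():
            if h["dst"] == self.wan_ip and h["dport"] == wan_port:
                return rewrite(pkt, dst=lan_ip, dport=lan_port)
        raise LookupError("no NAT entry for inbound packet; dropped")


def translate_example():
    """Replay the GET / 200 OK exchange from questions 3 to 9 through the NAT."""
    nat = Nat("71.192.34.104")
    get_home = build_ipv4_tcp("192.168.1.100", "64.233.169.104", 4335, 80, b"GET / HTTP/1.1\r\n\r\n")
    get_isp = nat.outbound(get_home)
    ok_isp = build_ipv4_tcp("64.233.169.104", "71.192.34.104", 80, 4335, b"HTTP/1.1 200 OK\r\n\r\n")
    ok_home = nat.inbound(ok_isp)
    return {"home_get": parse_ipv4(get_home), "isp_get": parse_ipv4(get_isp),
            "isp_ok": parse_ipv4(ok_isp), "home_ok": parse_ipv4(ok_home),
            "table": dict(nat.table)}


if __name__ == "__main__":
    for name, fields in translate_example().items():
        print(name, fields)
```

The resulting table holds a single entry, (192.168.1.100, 4335) mapped to WAN port 4335 on 71.192.34.104, which is the same pairing the two trace files show. The `inbound` method drops any packet with no matching entry, which is the reason an unsolicited connection from the Internet cannot reach a host behind this kind of NAT.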