Yu Cheng (Jade)
ICS 351 Lab Report 1
September 14

[Exercise 1]

We ran tcpdump on PC1. We pinged PC2 in another terminal window. We saved the output of the command `tcpdump -n -l host 10.0.1.12 | tee ex1-1.txt` into ex1-1.txt.

We ran tcpdump again, and pinged PC2 at the same time in another terminal window. We saved the output of the command `tcpdump -n -l icmp host 10.0.1.12 | tee ex1-2.txt` into the ex1-2.txt file.

[Exercise 2A]

We turned on Wireshark and set the display filter to "ip.addr == 10.0.1.12". We saved the output of the captured Wireshark traffic into the ex2-1.txt file.

Later, I realized that for this exercise we needed to use the capture filter, so instead of the display filter "ip.addr == 10.0.1.12" in the traffic-displaying window, I think we should've used "ip host 10.0.1.12" in the "Capture Options" window. The output of these two should be the same, I think.

[Exercise 2B]

We entered a display filter "ip.src == 10.0.1.12" based on Exercise 2A's output. We saved it as ex2b-1.txt by selecting File/Print.

We entered another display filter "ip.dst == 10.0.1.12" based on Exercise 2A's output. We saved it as ex2b-2.txt by selecting File/Print.

I noticed later that the print window of Wireshark has two options, "capture" and "display". We used the default, which is "capture", so the outputs of ex2a.txt, ex2b-1.txt, and ex2b-2.txt are all the same. According to the book, Ethereal's print command saves only packets that are currently being displayed. I think this might be a difference between Wireshark and Ethereal.

[Exercise 2C]

We issued ping and telnet from PC1 to PC2 at the same time and captured the network traffic on PC1 without any capture or display filters.

We set a display filter "ip.addr == 10.0.1.12 and icmp". We saved the output as ex2c-5a using Print/Print plain text file.

We set a display filter "ip.addr == 10.0.1.12 and tcp". We saved the output as ex2c-5b using Print/Print plain text file.
We set a display filter "ip.addr == 10.0.1.12 and tcp.port == 23". We saved the output as ex2c-5c using Print/Print plain text file.

These output files have the same problem as Exercise 2B. We didn't select "display" in the print window. All three files are identical.

[Exercise 3A]

We deleted the ARP cache entries with the command `arp -d`. We captured the network traffic while issuing the command `ping -c 2 10.0.1.12` from PC1. We saved the output as ex3a.txt.

Question 1: The destination MAC address of the ARP request packet is "ff:ff:ff:ff:ff:ff". This is a broadcast MAC address. PC1 broadcast a request to everyone in the network asking who this certain IP address is.

Question 2: There are two different values of the Type field in the Ethernet headers. We did part 1 in Exercise 3, so etcfile_1 is already included with this report. It was "ARP (0x0806)" for all of the ARP packets. It was "IP (0x0800)" for all of the ICMP packets.

Question 3: The typical lifetime of an ARP entry is very short. After a while without any communication between PC1 and PC2, the MAC address of PC2 is deleted from PC1's ARP table. When a new communication is issued from PC1 to PC2, the first thing that needs to be done is an ARP request from PC1 to build its ARP table. PC1 issues a broadcast request to everyone on the network asking who this particular IP address is. Then PC2 responds with PC2's MAC address. PC1 associates this MAC address with the IP address in its ARP table.

[Exercise 3B]

Table 2.2 IP and MAC addresses

Linux PC   IP address of Ethernet interface eth0   MAC address of eth0
PC1        10.0.1.11/24                            00:02:85:00:B8:87
PC2        10.0.1.12/24                            00:02:85:57:1B:8A
PC3        10.0.1.13/24                            00:02:85:17:5D:75
PC4        10.0.1.14/24                            00:02:A5:02:29:D0

[Exercise 3C]

We set a capture filter "ip host 10.0.1.12" and captured the network traffic while trying to establish a telnet session from PC1 to a non-existing IP address. We saved the file as ex3c.txt.
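Before the questions for Exercise 3C, an added example (my own illustration, not part of the lab or of the saved captures) that decodes the two kinds of Ethernet frames seen in Exercises 3A and 3C: it reads the Type field (0x0806 for ARP, 0x0800 for IP), checks whether the destination is the broadcast address ff:ff:ff:ff:ff:ff, and unpacks the ARP fields. The frame is constructed from PC1's and PC2's addresses in Table 2.2, not taken from ex3a.txt.

```python
# Added example: decode an Ethernet header and, for ARP frames, the ARP body,
# the way Wireshark displays them in ex3a.txt. The frame bytes are constructed
# from Table 2.2 (PC1 asking for PC2), not captured on the lab network.
import struct

ETHERTYPE_ARP = 0x0806   # Wireshark shows this as "ARP (0x0806)"
ETHERTYPE_IP = 0x0800    # Wireshark shows this as "IP (0x0800)"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(frame):
    """Return the Ethernet header fields and, when Type is ARP, the ARP fields."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": etype, "broadcast": mac_str(dst) == BROADCAST}
    if etype == ETHERTYPE_ARP:
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
        info.update({"arp_op": {1: "request", 2: "reply"}.get(op, op),
                     "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
                     "target_mac": mac_str(tha), "target_ip": ip_str(tpa)})
    return info


def build_arp_request(src_mac, src_ip, target_ip):
    """Construct an ARP request like PC1's 'who has 10.0.1.12' in Exercise 3A."""
    eth = bytes.fromhex("ffffffffffff") + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # target MAC is all zeros in a request: that is the value being asked for
    arp = struct.pack(ARP_FMT, 1, ETHERTYPE_IP, 6, 4, 1, src_mac, src_ip, bytes(6), target_ip)
    return eth + arp


PC1_MAC = bytes.fromhex("00028500b887")   # from Table 2.2
PC1_IP = bytes([10, 0, 1, 11])
PC2_IP = bytes([10, 0, 1, 12])

if __name__ == "__main__":
    print(decode_frame(build_arp_request(PC1_MAC, PC1_IP, PC2_IP)))
```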
Question 1: The time interval between each ARP request issued by PC1 is 1 second. It looks like the time interval is determined by measuring the time between the previous captured frame and the displayed frame.

Question 2: IP packets all have their specified destinations. ARP request packets could be sent to a specified MAC address, but not necessarily. ARP request packets could also be sent to the broadcast address "ff:ff:ff:ff:ff:ff". Therefore, ARP request packets are not encapsulated.

[Exercise 4]

We saved the output of the command `netstat -in` as ex4-1.txt. We saved the output of the command `netstat -rn` as ex4-2.txt. We saved the output of the command `netstat -a` as ex4-3.txt. We saved the output of the command `netstat -s` as ex4-4.txt.

Question 1: There are two network interfaces on PC1. They are eth0 and eth1. Both of them have MTU values of 1500.

Question 2: There are 3749 IP packets received and delivered. There are 3691 IP packets sent out. There are 1495 ICMP messages received and sent. There are 668 TCP segments received. There are 679 TCP segments sent out. There are 122 UDP packets received. There are 1512 UDP packets sent out.

Question 3: The loopback interface (lo) is a virtual network interface implemented in software only and is not connected to any hardware. It is fully integrated into the computer system's internal network infrastructure. Any traffic that a computer program sends to the loopback interface is immediately received on the same interface. Therefore, RX-OK and TX-OK are the same for interface lo. For eth0, RX-OK and TX-OK measure completely different things. One is the packets that are received. The other one is the packets that are sent.

[Exercise 5]

We saved the output of the command `ifconfig -a` on PC4 as ex5-1.txt. We ran the command `ifconfig eth0 10.0.1.11/24` on PC4. We ran the command `ifconfig -a` again on PC4 and saved the output as ex5-3.txt.
Question 1: `ifconfig -a` displays the information regarding all of the network devices. For each device, for example eth0, it describes the link type, the hardware address (MAC address), IP address, netmask and the packet sending and receiving information.

[Exercise 6]

It appears that the telnet session was established between PC3 and the first computer to respond between PC1 and PC4. Once the first connection was made, PC3 rejected the second connection because the second connection's MAC address did not match the MAC address sent with the first response. The ARP cache was updated on PC3 once the first connection was made, and that's how it later determined the second connection was from an invalidly responding PC.

[Exercise 7]

We set up the interfaces of the hosts as shown in the table. We issued a series of ping commands. We saved the output as ex7abc.txt. The commands are:

`ping -c 1 10.0.1.120` from PC1 to PC3
`ping -c 1 10.0.1.101` from PC1 to PC2
`ping -c 1 10.0.1.121` from PC1 to PC4

We also issued ping commands:

`ping -c 1 10.0.1.100` from PC4 to PC1
`ping -c 1 10.0.1.121` from PC2 to PC4
`ping -c 1 10.0.1.120` from PC2 to PC3

The output of these three commands is the same. It is "network is not reachable". We didn't save these error messages, which we probably should've done.

Question 1: Of the six total ping commands, the only two that worked were from PC1 to PC2 and PC1 to PC3. Only four bits are reserved for the computer on PC2 and PC4 since their netmasks are 255.255.255.240, and that is inadequate for representing the values 120 and 121. Therefore, PC2 and PC4 believe IP addresses at 10.0.1.16 and greater belong to a different network. Their routing tables do not provide information to reach that network, and so they determine the network is not reachable.

[Exercise 8]

We edited the file /etc/hosts and associated host names with the IP addresses. We were then able to ping directly using the names instead of the IP addresses.
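Returning to Exercise 7, an added worked example (my own, not part of the lab) that models the six pings from each host's address and netmask alone. PC2 and PC4 use 255.255.255.240 as stated above; PC1 and PC3 are assumed to keep the /24 mask of Table 2.2, since the Exercise 7 table is not reproduced in this report. It checks both directions, the route for the echo request and the route back for the reply, which is why the PC1 to PC4 ping also fails even though PC1 itself can send to 10.0.1.121.

```python
# Added example: reproduce the Exercise 7 results from addresses and netmasks.
# Assumption: PC1 and PC3 keep the /24 mask from Table 2.2; PC2 and PC4 use
# 255.255.255.240 as the report states. Each host has only its connected route.
import ipaddress

HOSTS = {
    "PC1": ipaddress.ip_interface("10.0.1.100/255.255.255.0"),    # assumed /24
    "PC2": ipaddress.ip_interface("10.0.1.101/255.255.255.240"),
    "PC3": ipaddress.ip_interface("10.0.1.120/255.255.255.0"),    # assumed /24
    "PC4": ipaddress.ip_interface("10.0.1.121/255.255.255.240"),
}


def has_route(src, dst_ip):
    """With only a connected route, src can send to dst_ip iff it is in src's own subnet."""
    return dst_ip in HOSTS[src].network


def ping(src, dst):
    """Outcome of `ping` from src to dst: request must route out, reply must route back."""
    if not has_route(src, HOSTS[dst].ip):
        return "network is not reachable"               # sender's kernel refuses to send
    if not has_route(dst, HOSTS[src].ip):
        return "no reply (target cannot route back)"    # request arrives, reply is never sent
    return "reply"


def exercise7():
    pairs = [("PC1", "PC3"), ("PC1", "PC2"), ("PC1", "PC4"),
             ("PC4", "PC1"), ("PC2", "PC4"), ("PC2", "PC3")]
    return {f"{s}->{d}": ping(s, d) for s, d in pairs}


if __name__ == "__main__":
    for name, iface in HOSTS.items():
        print(name, iface.ip, "is in", iface.network)
    for pair, result in exercise7().items():
        print(pair, result)
```

Only the two pings the report lists as working return "reply"; the 255.255.255.240 mask puts PC2 in 10.0.1.96/28 and PC4 in 10.0.1.112/28, so each can reach only its own 16-address block.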
Question 1: The static mapping of names and IP addresses needs to be done manually. Therefore, it's impractical when the number of hosts is large.

Question 2: When multiple IP addresses are associated with the same host name in the /etc/hosts file, we observed that only the first IP address in the file responded to the ping. I think, under this circumstance, the response must be random between the two IP addresses.

[Exercise 9A]

We started the FTP server on PC2 first. Then we initiated an FTP session to PC2 from PC1. We captured the traffic with the capture filter "host 10.0.1.11 and host 10.0.1.12". The FTP traffic session was saved as ex9a.txt.

Question 1: The port number of the FTP client is port 21. The FTP server is "vsFTPd 2.0.6", as it shows after the first successful response 220.

Question 2: We can also identify the password and username in the captured traffic. They are "USER x" and "PASS y".

[Exercise 9B]

We failed to do the previous exercise in class with a telnet command instead of ftp, but I did it at home.

Question 1: Telnet does have the same security flaws as FTP. The user name and password were sent with no encryption. If I go over and highlight the packets with "telnet data...", the username and password are displayed gradually in the telnet data section of the middle window. They end with a "\r\n".

[Exercise 9C]

We captured the network traffic with another terminal window running telnet from PC1 to PC2. We typed several letters after logging in. The Wireshark output was saved as ex9c.txt.

The first packet is sent from PC1 to PC2 with the first letter. It's a telnet packet. The second packet is a TCP packet from PC2 to PC1. It contains the message: [This is an ACK to the segment in frame: #]. The third packet is a telnet packet from PC2 to PC1. It repeats the letter sent from PC1 in the first packet.