Wireshark Labs(6): IP v7.0

1. Capturing packets from an execution of traceroute

下载并安装PingPlotter，打开后将www.baidu.com设为target

2. A look at the captured trace

1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol part of the packet in the packet details window. What is the IP address of your computer?
   

2. Within the IP packet header, what is the value in the upper layer protocol field?
   本问中的“upper layer protocol”对应IPv4数据包格式中的“上层协议”，看格式图我们可以找到，其位置在TTL和Header Checksum中间
   

3. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain how you determined the number of payload bytes.
   IP header：20 B
   payload（有效载荷）：56 - 20 = 36 B
   根据 Total Length = Header + payload 计算即可（参考书P215关于“数据报长度“的说明）
   

4. Has this IP datagram been fragmented? Explain how you determined whether or not the datagram has been fragmented.
   没有被分片，因为Flag中最后一位为0，且offset为0，这意味着该包是最后一个分片，且偏移量为0，换句话说，一个包就装下了所有的data。
   

Next, sort the traced packets according to IP source address by clicking on the Source column header.

5. Which fields in the IP datagram always change from one datagram to the next within this series of ICMP messages sent by your computer?

   
   Identification: 0x4a23 (18979)
   Time to Live: 1
   Header Checksum: 0x2312 [validation disabled]

   
   Identification: 0x4a24 (18980)
   Time to Live: 2
   Header Checksum: 0x2211 [validation disabled]

   
   Identification: 0x4a25 (18981)
   Time to Live: 3
   Header Checksum: 0x2110 [validation disabled]

6. Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why?
   
   Version不变；Header Length不变；DSF不变；Total Length不变；
   Identification变；Flag不变；Fragment Offset不变；
   TTL变；Protocol不变；Header Checksum变；
   source Address 不变；Destination Address不变

   原因：发送方每发送一个datagram，Identification++；TTL++；Header Checksum随datagram中其他字节变而变；

7. Describe the pattern you see in the values in the Identification field of the IP datagram
   Identification++；

Next (with the packets still sorted by source address) find the series of ICMP TTLexceeded replies sent to your computer by the nearest (first hop) router.

首先通过PingPlotter找到first hop router：

然后在wireshark中找到nearest router发的f ICMP TTL-exceeded replies

1. What is the value in the Identification field and the TTL field?

   
   Identification: 0x27c4 (10180)
   Time to Live: 255
   
   Identification: 0x27d3 (10195)
   Time to Live: 255
   
   Identification: 0x27ea (10218)
   Time to Live: 255

2. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your computer by the nearest (first hop) router? Why?
   Identification变。因为每发一个IP datagram，Identification++;
   TTL ≡ 255不变。TTL在datagram中用 8 bit 表示，（初始）最大值为 255 ，TTL每经过一个router才减1，考虑到这是 nearest router，和发送方之间一个router都没有，所以TTL不会减，一直是255；

3. Fragmentation

Sort the packet listing according to time again by clicking on the Time column.

10. Find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 2000. Has that message been fragmented across more than one IP datagram?

    首先将Packet Size设置为2000 B，其中包括了20B 的 IP header和1980B的data。
    
    观察发的第一个ICMP Echo Request（TTL = 1），由于Ethernet网卡将最大IP数据包的长度限制为1500个字节，所以该ICMP Echo Request被分成了两个包发送，如以下两张图：
    第一个包：IP datagram被限制为1500B，第一个包中有20B的header和1480B的data，flag的最后一位为1表示”more gragment“还有后续分片；
    
    第二个包：还剩1980B - 1480B = 500B的数据，加上IP Header的20 B ，所以第二个包大小为 520B，Flag中最后一位为0，所以说明这就是最后一个分片了，Fragment offset=1480代表这个包的第一个字节为data的第1480 个Byte（字节序号从0开始，第一个包为第0~1479个Byte）。
    注：下图中最下方用红框圈住的带[]的部分不属于IP datagram的内容，而是Wireshark为辅助分析提供的。
    

11. Print out the first fragment of the fragmented IP datagram. What information in the IP header indicates that the datagram been fragmented? What information in the IP header indicates whether this is the first fragment versus a latter fragment? How long is this IP datagram?
    Flag和Fragment offset可以判断是否被分片：
    最后一位为1，代表还有“more fragment”。
    最后一位为0，再看fragment offset是否为0，若也为0，则未被分片；若非0，则代表datagram被分片，且当前包是分片的最后一片。
    
    first fragment的特点为：flag=1；offset=0；
    latter fragment（不考虑最后一片）的特点为：flag=1；offset≠0；

    该IPdatagram包长度为 1500B

    12. Print out the second fragment of the fragmented IP datagram. What information in the IP header indicates that this is not the first datagram fragment? Are the more fragments? How can you tell?
        offset=1480说明不是first datagram；
        flag最后一位为0，说明这是分片的最后一片，没有更多fragment了
        

    13. What fields change in the IP header between the first and second fragment?
        主要有：Total Length，Flag的最后一位，Fragment Offset

Now find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 3500.

14. How many fragments were created from the original datagram?
    共3个分片。
    第一个：
    
    第二个：
    
    第三个：
    

15. What fields change in the IP header among the fragments?
    flag的最后一位分别为：1；1；0
    fragment offset分别为：0；1480；2960