Observing ARP

Due date

Check the course schedule for the due date.

Introduction

In this lab, you will use Wireshark to observe the ARP protocol in action.

Acknowledgments

This lab is based on Mike Erlinger's lab on observing ARP with Wireshark, which is in turn based on a lab from Kurose and Ross's Computer Networking.

References

Goals

Logistics

You may work individually or in pairs. You have one week to complete this assignment.

Preparation

You can complete this assignment on any MathLAN or CS Network workstation. You do not need to obtain any particular files or software.

Assignment

Part A: Looking at the ARP cache

  1. Read the man page on arp: man 8 arp. What does the ARP program do?

  2. Invoke /usr/sbin/arp -n to learn the contents of the workstation's ARP cache. Copy this into your lab notebook. Can you explain why any (or all) of the entries are there?

  3. What is /usr/sbin/arp -s supposed to do, according to the man page? Try to use it. What happens? Are you surprised?

  4. Invoke man 7 arp to read about the Linux ARP kernel module. What is the default amount of time that an ARP entry remains in the cache before being removed?

Part B: Tracing ARP

  1. Identify another host on the MathLAN that is not your workstation and not already in your ARP cache, such as turing.cs.grinnell.edu. (You can use /usr/sbin/arp, with no command-line arguments, to see the names of hosts in your ARP cache.) What host did you choose? Use nslookup to find its IP address.

  2. Read the man page for the arping program. What does it do?

  3. Start Wireshark and begin a trace. 

  4. Use arping to send exactly one ARP request to your chosen host.

  5. Stop the Wireshark trace.

  6. Use the arp program to verify that your chosen host is now in the ARP cache. (Note that it will time out fairly quickly---if you don't see it, try arping again without tracing in Wireshark.)

  7. Tell Wireshark to show only protocols below IP. To do this, choose Enabled Protocols under the Analyze menu. In the resulting dialog, uncheck the box for IP and click OK. (Wireshark may complain that it can't save your settings---ignore this.)

  8. Find the ARP request message from your workstation to the chosen host.

    1. What are the hex values for the source and destination addresses in the Ethernet frame containing the ARP request message?

    2. Give the hex value for the two-byte Ethernet frame type field.

    3. What is the ARP opcode? How many bytes into the Ethernet frame does it appear? 

    4. What are the four addresses in the ARP request? Why do you think that particular value was used for the target MAC address?

  9. Find the ARP response message.

    1. What is the value of the opcode field?

    2. Where in the ARP response does the "answer" to the ARP request appear?

  10. Do you see other ARP messages in your trace? About how many? Are the addresses from these messages in your ARP cache? Why or why not?

  11. As a point of side interest, notice the STP packets, which you might have seen in your earlier explorations using Wireshark. You should now be able to figure out what these packets are about. What are they? What notable fields do you see in the packet contents?

  12. Quit Wireshark. Verify that the chosen host has timed out of the ARP cache.
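
To check your reading of the Wireshark trace in steps 8 and 9, here is an added example (not part of the original lab) that decodes the same fields from raw frame bytes and builds the matching reply. The sample frame, its MAC and IP addresses, and the function names are constructed for illustration; substitute bytes copied from your own trace.

```python
import struct

ETH = struct.Struct("!6s6sH")              # destination MAC, source MAC, frame type
ARP = struct.Struct("!HHBBH6s4s6s4s")      # RFC 826 layout for Ethernet + IPv4
OPCODES = {1: "request", 2: "reply"}

# Constructed 42-byte frame: an ARP request with made-up MAC and IP addresses.
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff 020000aabb01 0806"        # Ethernet header
    "0001 0800 06 04 0001"                  # htype, ptype, hlen, plen, opcode
    "020000aabb01 c0a8010a"                 # sender MAC, sender IP
    "000000000000 c0a80114"                 # target MAC, target IP
)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip(raw):
    return ".".join(str(b) for b in raw)

def parse_arp_frame(frame):
    """Decode an Ethernet frame carrying an Ethernet/IPv4 ARP message."""
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, frame_type = ETH.unpack_from(frame, 0)
    if frame_type != 0x0806:
        raise ValueError(f"frame type 0x{frame_type:04x} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "opcode": OPCODES.get(op, f"unknown ({op})"),
        "opcode_offset": ETH.size + 6,   # 14-byte header + htype, ptype, hlen, plen
        "sender_mac": mac(sha), "sender_ip": ip(spa),
        "target_mac": mac(tha), "target_ip": ip(tpa),
    }

def build_reply(request, answering_mac):
    """Build the reply the target would send: roles swap, opcode becomes 2."""
    _, src, _ = ETH.unpack_from(request, 0)
    *_, sha, spa, _tha, tpa = ARP.unpack_from(request, ETH.size)
    return ETH.pack(src, answering_mac, 0x0806) + ARP.pack(
        1, 0x0800, 6, 4, 2, answering_mac, tpa, sha, spa)

if __name__ == "__main__":
    reply = build_reply(SAMPLE_REQUEST, bytes.fromhex("020000aabb02"))
    for name, frame in (("request", SAMPLE_REQUEST), ("reply", reply)):
        print(name, parse_arp_frame(frame))
```

Compare the printed fields with the values Wireshark shows for your own request and response frames.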

Assessment

There is no A option for this lab. Just do it!

Advice

I have no particular advice. If you think of anything, let me know!

Lab Notebook

In your lab notebook, include the requested output and your answers to questions from parts A and B, as well as answers to the discussion questions.

Discussion Questions

  1. Based on the contents of the ARP cache, what seems to be the range of addresses that your workstation considers to be on its local area network? What would the netmask be? Try using ifconfig to test your hypothesis. After you've done so, read this commentary from Mr. Stone.

  2. What do you think of the style of RFC 826 versus any later RFCs you've looked at?

  3. About how long did this lab take to complete?


Janet Davis (davisjan@cs.grinnell.edu)

Created February 24, 2009
Last revised February 25, 2009