IP Wireshark Lab

The document discusses capturing packets from a traceroute execution using Wireshark and Pingplotter. Pingplotter is used to send ICMP echo requests of different packet sizes (56, 2000, 3500 bytes) to examine fragmentation. When packet size is 2000 bytes, the packet is fragmented into two IP datagrams, indicated by the More Fragments flag and increasing Fragment Offset. For 3500 byte packets, three fragments are created, with changing Total Length, More Fragments, Fragment Offset and Checksum fields among the fragments.

Uploaded by Ahmed Alaa
Slide 1: Wireshark IP Lab
Slide 2: Capturing packets from an execution of traceroute
 We’ll use the traceroute program to send datagrams of different sizes towards some destination X.
 traceroute operates by first sending one or more datagrams with the time-to-live (TTL) field in the IP header set to 1; it then sends a series of one or more datagrams towards the same destination with a TTL value of 2; it then sends a series of datagrams towards the same destination with a TTL value of 3; and so on.
 A router must decrement the TTL in each received datagram by 1. If the TTL reaches 0, the router returns an ICMP message (type 11 – TTL-exceeded) to the sending host.
Slide 3: Capturing packets from an execution of traceroute
 traceroute makes the sending host learn the identities of the routers between itself and destination X by looking at the source IP addresses in the datagrams containing the ICMP TTL-exceeded messages.
 In Windows, the tracert program does not allow one to change the size of the ICMP echo request (ping) message sent by the tracert program (the default packet size is 56 bytes).
 Instead, we will use pingplotter, a nicer Windows traceroute program.
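The TTL probing described on slides 2 and 3, as an added model that is not part of the lab: each router decrements the TTL, the router that brings it to 0 answers with ICMP type 11 from its own address, and the sending host collects those source addresses in order. Router addresses and the initial TTL of 64 on the routers' replies are constructed assumptions.

```python
# Added example, not part of the lab: a model of the TTL probing traceroute performs.
# Router addresses are constructed; nothing is sent on the network.
ICMP_TTL_EXCEEDED = 11   # type 11: time-to-live exceeded in transit
ICMP_ECHO_REPLY = 0      # type 0: the destination itself answered the echo request
ROUTER_TTL = 64          # assumption: initial TTL the routers put on their own replies

def forward(ttl, path, dest):
    """Carry one probe hop by hop. Every router decrements TTL by 1; the router
    that brings it to 0 discards the probe and replies with ICMP type 11 from its
    own address. Returns (icmp_type, replier_address, reply_ttl_seen_by_host)."""
    for hops_taken, router in enumerate(path, start=1):
        ttl -= 1
        if ttl == 0:
            # the reply crosses hops_taken - 1 routers on its way back to the host
            return ICMP_TTL_EXCEEDED, router, ROUTER_TTL - (hops_taken - 1)
    return ICMP_ECHO_REPLY, dest, ROUTER_TTL - len(path)

def traceroute(path, dest, max_ttl=30):
    """Probe with TTL = 1, 2, 3, ... and record who answered each probe, which
    reveals the routers in order; stop once the destination itself replies."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, who, _ = forward(ttl, path, dest)
        hops.append(who)
        if kind == ICMP_ECHO_REPLY:
            break
    return hops

PATH = ["192.168.1.1", "10.0.0.1", "172.16.0.1"]  # constructed routers; the first hop is the home gateway
DEST = "128.119.245.12"  # gaia.cs.umass.edu, the lab's target
```

The first-hop router's replies always arrive with the same TTL (64 here), which is the behaviour Q9 of the lab asks about.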
Slide 4: Capturing packets from an execution of traceroute
 Download and install the pingplotter application: http://www.pingplotter.com.
 Start up Wireshark and begin packet capture (Capture->Start) and then press OK.
 Start up pingplotter and enter the name of a target destination in the “Address to Trace Window”: enter gaia.cs.umass.edu or the IP address “128.119.245.12”.
 Select the menu item in pingplotter Edit -> Options -> Engine, enter a value of 56 in the Packet Size field and then press OK.
 Next, send a set of datagrams with a longer length: enter a value of 2000 in the Packet Size field and press OK. Then press the Resume button.
 Finally, send a set of datagrams with an even longer length: enter a value of 3500 in the Packet Size field and press OK. Then press the Resume button.
 Stop Wireshark tracing.
 If you are unable to run Wireshark on a live network connection, you will find a copy of the trace saved in the IP-Trace-1 file.
Slide 5: Pingplotter
 Download and install pingplotter: http://www.pingplotter.com.
 Then enter gaia.cs.umass.edu or the IP “128.119.245.12”.

[Screenshot: 1. Enter the address here. 2. Then press the green button to start. 3. There you go.]
Slide 6: Pingplotter
 The size of the ICMP echo request message can be explicitly set in pingplotter by selecting the menu item Edit -> Options -> Engine and then filling in the Packet Size field.

[Screenshot: 1. Press the Edit tab, then Options. 2. Then press Engine. 3. Then here you can edit the packet size.]
Slide 7: Pingplotter
 Let each packet size run for about 10 seconds, then press the green button to stop.
 Then change the packet size to 2000, press the green button to start, wait another 10 seconds, and do the same with packet size 3500.

[Screenshot: 1. Start and stop button.]
Slide 8: IP-Trace-1
 Filter Wireshark for ICMP packets.
Slide 9: Part 1: IP Fields
1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol part of the packet in the packet details window. What is the IP address of your computer?
 The IP address of my computer is 192.168.1.3.
Slide 10: Part 1: IP Fields
2. Within the IP packet header, what is the value in the upper layer protocol field?
 Within the header, the value in the upper layer protocol field is ICMP (1).
Slide 11: Part 1: IP Fields
3. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain how you determined the number of payload bytes.
 IP header length = 20 bytes, Total length = 56 bytes.
 The payload length = Total length - IP header length = 56 – 20 = 36 bytes.
Slide 12: Part 1: IP Fields
4. Has this IP datagram been fragmented? Explain how you determined whether or not the datagram has been fragmented.
 The datagram is not fragmented.
Slide 13: Part 1: IP Fields
5. Which fields in the IP datagram always change from one datagram to the next within this series of ICMP messages sent by your computer?
 Identification, Time to live, and Header checksum always change.
Slide 14: Part 1: IP Fields
6. Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why?
The fields that stay constant are:
 Version (since we are using IPv4 for all packets).
 Header length (since these are ICMP packets).
 Source IP (since we are sending from the same source).
 Destination IP (since we are sending to the same destination).
 Differentiated Services (since all packets are ICMP, they use the same Type of Service class).
 Upper Layer Protocol (since these are ICMP packets).
Slide 15: Part 1: IP Fields
6. (continued) Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why?
The fields that must stay constant are:
 The same as above.
The fields that must change are:
 Identification (to verify datagrams).
 Header Checksum (since the header changes).
 Time to live (by using traceroute, the TTL is incremented).
Slide 16: Part 1: IP Fields
7. Describe the pattern you see in the values in the Identification field of the IP datagram.
 The pattern is that the IP header Identification field increments with each ICMP Echo (ping) request.
Slide 17: Part 1: IP Fields
8. Sort the packets by the source IP address. Find the series of ICMP TTL-exceeded replies sent to your computer by the nearest (first hop) router. What is the value in the Identification field and the TTL field?
 The first hop (nearest router) has an IP address on the same network as my computer.
 My computer's IP address is 192.168.1.3.
 So, the nearest router's IP address is 192.168.1.1.
 We will look at the ICMP replies sent by source address 192.168.1.1.
Slide 18: Part 1: IP Fields
8. (continued) Sort the packets by the source IP address. Find the series of ICMP TTL-exceeded replies sent to your computer by the nearest (first hop) router. What is the value in the Identification field and the TTL field?
 The Identification field of the 1st ICMP TTL-exceeded reply is 25211.
 The TTL value is 64.
Slide 19: Part 1: IP Fields
9. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your computer by the nearest (first hop) router? Why?
 The Identification field is incremented by 1 because it is a unique value. When two or more IP datagrams have the same identification value, it means that these IP datagrams are fragments of a single large IP datagram.
 The TTL value remains the same because the TTL for the first hop router is always the same, since it’s the device I am connected to directly.
Slide 20: Part 2: Fragmentation
10. Find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 2000. Has that message been fragmented across more than one IP datagram?
 Yes, this packet has been fragmented across more than one IP datagram.
Slide 21: Part 2: Fragmentation
11. Print out the first fragment of the fragmented IP datagram. What information in the IP header indicates that the datagram has been fragmented? What information in the IP header indicates whether this is the first fragment versus a later fragment? How long is this IP datagram?
 When the More fragments flag is set to 1, this indicates that the datagram has been fragmented.
 When the Fragment offset is 0, we know that this is the first fragment.
 This first datagram has a total length of 1500, including the header.
Slide 22: Part 2: Fragmentation
12. Print out the second fragment of the fragmented IP datagram. What information in the IP header indicates that this is not the first datagram fragment? Are there more fragments? How can you tell?
 We can tell that this is not the first fragment, since the Fragment offset is 1480.
 It is the last fragment, since the More fragments flag is not set.
Slide 23: Part 2: Fragmentation
13. What fields change in the IP header between the first and second fragment?
 Total length, More fragments, Fragment offset, and Header checksum.
Slide 24: Part 2: Fragmentation
14. Now find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 3500. How many fragments were created from the original datagram?
 3 fragments, with Wireshark packet numbers #1224, #1225 and #1226.
Slide 25: Part 2: Fragmentation
15. What fields change in the IP header among the fragments?
 Same as Q13 (Total length, More fragments, Fragment offset, and Header checksum).
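The header arithmetic behind Q3 and the fragmentation behind Q10 to Q15, as an added example that is not part of the lab: it packs an IPv4 header with its checksum, splits a datagram the way a 1500-byte MTU link forces (an assumption inferred from the 1500-byte first fragment and the 1480 offset), and reports which header fields differ between the fragments. Addresses and identification values are constructed, and pingplotter's Packet Size is taken to be the IP total length because Q3 shows 56 = 20 + 36.

```python
import struct

# Added example, not part of the lab: model the IPv4 header and the fragmentation
# observed in the trace. Assumes a 1500-byte Ethernet MTU and a 20-byte header.
MTU, IHL = 1500, 20

def checksum(hdr):
    """RFC 1071 one's-complement sum; 0 when run over a header whose checksum is valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_header(total_len, ident, ttl, mf, offset, src, dst, proto=1):
    """proto=1 is ICMP; offset is in bytes and is stored in 8-byte units."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      (mf << 13) | (offset // 8), ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_header(dgram):
    """Decode the fields the lab questions ask about from a raw datagram."""
    v_ihl, _, total, ident, ff, ttl, proto, csum, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", dgram[:IHL])
    return {"ihl": (v_ihl & 0xF) * 4, "total_length": total, "id": ident,
            "mf": (ff >> 13) & 1, "frag_offset": (ff & 0x1FFF) * 8,
            "ttl": ttl, "protocol": proto, "checksum": csum}

def payload_length(dgram):
    """Q3: payload = Total Length - Header Length."""
    f = parse_header(dgram)
    return f["total_length"] - f["ihl"]

def fragment(payload, ident, ttl, src, dst, mtu=MTU):
    """Split one datagram's payload into fragments as a link with this MTU forces."""
    step = (mtu - IHL) // 8 * 8  # 1480: every fragment but the last carries a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        mf = 1 if off + len(chunk) < len(payload) else 0  # More Fragments flag
        frags.append(build_header(IHL + len(chunk), ident, ttl, mf, off, src, dst) + chunk)
    return frags

def changed_fields(frags):
    """Q13/Q15: header fields whose value differs between fragments of one datagram."""
    parsed = [parse_header(f) for f in frags]
    return {k for k in parsed[0] if len({p[k] for p in parsed}) > 1}

# Constructed input: pingplotter's Packet Size is the IP total length (Q3: 56 = 20 + 36).
SRC, DST = bytes([192, 168, 1, 3]), bytes([128, 119, 245, 12])
ping_2000 = fragment(b"\x00" * (2000 - IHL), 0x1234, 64, SRC, DST)
```

Running `changed_fields` on a 3500-byte datagram gives the same four fields as the 2000-byte case, which is the answer to Q15.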