Wireshark Lab: ICMP v7.0 Adapted from: Supplement to Computer Networking: A Top-Down Approach, 7th ed., J.F. Kurose and K.W. Ross “Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb   © 2005-2016, J.F Kurose and K.W. Ross, All Rights Reserved In this lab, we’ll explore several aspects of the ICMP protocol: ICMP messages generating by the Ping program; ICMP messages generated by the Traceroute program; the format and contents of an ICMP message. Before attacking this lab, you’re encouraged to review the ICMP material in section 5.6 of the text[1].  ICMP is the Internet Control Message Protocol which allows network devices (like routers) to send information about errors or current state.  ICMP and Ping Let’s begin our ICMP adventure by capturing the packets generated by the Ping program. The Ping program is simple tool that allows anyone (for example, a network administrator) to verify if a host is live or not. The Ping program in the source host sends a packet to the target IP address; if the target is live, the Ping program in the target host responds by sending a packet back to the source host. As you might have guessed (given that this lab is about ICMP), both of these Ping packets are ICMP packets. Do the following[2]: Let’s begin this adventure by opening a terminal (Linux/Mac) or the Windows Command Prompt application (which can be found in your Accessories folder). Start up the Wireshark packet sniffer, and begin Wireshark packet capture. The ping command is in c:\windows\system32, so type either “ping –n 10 hostname” or “c:\windows\system32\ping –n 10 hostname” in the MS-DOS command line (without quotation marks) or for Mac/Linux type "ping -c 10 hostname" on the command line (again without quotation marks), where hostname is a host on another continent. If you’re outside of Asia, you may want to enter www.ust.hk for the Web server at Hong Kong University of Science and Technology. The argument “-n 10” (windows) or "-c 10" (unix/mac) indicates that 10 ping messages should be sent. Then run the Ping program by typing return. When the Ping program terminates, stop the packet capture in Wireshark. At the end of the experiment, your Command Prompt Window should look something like Figure 1. In this example, the source ping program is in Adelaide and the destination Ping program is in Massachusetts, USA. From this window we see that the source ping program sent 10 query packets and received 10 responses. Note also that for each response, the source calculates the round-trip time (RTT), which for the 10 packets is on average 375 msec. Figure 1 Command Prompt window after entering Ping command. Figure 2 provides a screenshot of the Wireshark output, after “icmp” has been entered into the filter display window. Note that the packet listing shows 20 packets: the 10 Ping queries sent by the source and the 10 Ping responses received by the source. Also note that the source’s IP address is a private address (behind a NAT) of the form 192.168/12; the destination’s IP address is that of the Web server at University of Massachusetts. Now let’s zoom in on the first packet (sent by the client); in the figure below, the packet contents area provides information about this packet. We see that the IP datagram within this packet has protocol number 01, which is the protocol number for ICMP. This means that the payload of the IP datagram is an ICMP packet.  Figure 2 Wireshark output for Ping program with Internet Protocol expanded. Figure 3 focuses on the same ICMP but has expanded the ICMP protocol information in the packet contents window. Observe that this ICMP packet is of Type 8 and Code 0 - a so-called ICMP “echo request” packet. (See Figure 5.19 of text.) Also note that this ICMP packet contains a checksum, an identifier, and a sequence number. Figure 3 Wireshark capture of ping packet with ICMP packet expanded. Answer the following questions: When using echo request/reply ICMP does not use port numbers (as TCP and UDP do). Why?   [1] References to figures and sections are for the 7th edition of our text, Computer Networks, A Top-down Approach, 7th ed., J.F. Kurose and K.W. Ross, Addison-Wesley/Pearson, 2016. [2] If you are unable to run Wireshark live on a computer, you can download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ICMP-ethereal-trace-1. The traces in this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ICMP-ethereal-trace-1 trace file. You can then use this trace file to answer the questions below.