TCP/IP NETWORK SERVICE PACKET EXCHANGE

Below, to give you some familiarization with tcpdump output, is a session log showing a ping command and its output, followed by a copy of the resultant packets (sniffed by the tcpdump program) that were exchanged between the two machines.

COMMAND SESSION SCREEN OUTPUT:

[root@EMACH1 /etc]# ping -c2 www.ibm.net
PING www.ibm.net (32.97.166.71) from 206.170.217.84 : 56(84) bytes of data.
64 bytes from 32.97.166.71: icmp_seq=0 ttl=247 time=289.2 ms
64 bytes from 32.97.166.71: icmp_seq=1 ttl=247 time=270.2 ms

--- www.ibm.net ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 270.2/279.7/289.2 ms
[root@EMACH1 /etc]#

CORRESPONDING LOGGED PACKET TRAFFIC:

13:51:01.875892 > 206.170.217.84 > 32.97.166.71: icmp: echo request
13:51:02.154824 < 32.97.166.71 > 206.170.217.84: icmp: echo reply
13:51:02.874916 > 206.170.217.84 > 32.97.166.71: icmp: echo request
13:51:03.134835 < 32.97.166.71 > 206.170.217.84: icmp: echo reply

ICMP does not involve ports, so no port numbers appear here. But for protocols that do (TCP, UDP), tcpdump's output shows them as suffixes to IP addresses, separated from them with a period. You will see that in the logs/dumps that follow.

=========================================================================

Below are 6 further logs, reflecting 6 separate sessions. These sessions resulted from various activities. The questions relate to these sessions.

PACKET LOG FOR SESSION 1

13:28:51.345823 > 206.170.217.84.1032 > 206.13.28.123.110: S 2204991905:2204991905(0) win 32648 (DF)
13:28:51.544828 < 206.13.28.123.110 > 206.170.217.84.1032: S 633103984:633103984(0) ack 2204991906 win 10136 (DF)
13:28:51.554969 > 206.170.217.84.1032 > 206.13.28.123.110: . 1:1(0) ack 1 win 32648 (DF)
13:28:51.804895 < 206.13.28.123.110 > 206.170.217.84.1032: P 1:131(130) ack 1 win 10136 (DF)
13:28:51.807039 > 206.170.217.84.1032 > 206.13.28.123.110: . 1:1(0) ack 131 win 32518 (DF)

PACKET LOG SESSION 2

15:48:31.322269 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
15:48:32.005678 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
15:48:32.019823 B 192.168.3.1.138 > 192.168.3.255.138: NBT UDP (138)
15:48:32.677522 B 192.168.3.1.138 > 192.168.3.255.138: NBT UDP (138)
15:48:32.677841 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
15:48:32.690866 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
15:48:32.691520 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
15:48:32.691692 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST

PACKET LOG SESSION 3

13:33:46.077027 > 206.170.217.84.1036 > 198.147.67.242.80: S 2514286391:2514286391(0) win 32648 (DF)
13:33:46.274818 < 198.147.67.242.80 > 206.170.217.84.1036: S 2192517045:2192517045(0) ack 2514286392 win 8760 (DF)
13:33:46.284909 > 206.170.217.84.1036 > 198.147.67.242.80: . 1:1(0) ack 1 win 32648 (DF)

PACKET LOG SESSION 4

16:19:13.815758 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:13.815968 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:13.816095 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:14.574523 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:14.574769 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:14.575060 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:15.329728 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:15.329958 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:15.330237 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:16.085021 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:16.085265 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:16.085550 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:22.178927 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:22.180750 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:22.926338 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:22.928298 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:23.676261 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:23.678242 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:24.426225 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:24.428189 B 192.168.3.1.137 > 192.168.3.255.137:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:19:24.680605 B 192.168.3.1.138 > 192.168.3.255.138: NBT UDP (138)
16:19:26.567938 B 192.168.3.1.138 > 192.168.3.255.138: NBT UDP (138)

PACKET LOG SESSION 5

13:29:51.725734 > 206.170.217.84.1033 > 206.13.28.241.25: S 2266116067:2266116067(0) win 32648 (DF)
13:29:51.924825 < 206.13.28.241.25 > 206.170.217.84.1033: S 2021549207:2021549207(0) ack 2266116068 win 10136 (DF)
13:29:51.934902 > 206.170.217.84.1033 > 206.13.28.241.25: . 1:1(0) ack 1 win 32648 (DF)
13:29:52.174832 < 206.13.28.241.25 > 206.170.217.84.1033: P 1:98(97) ack 1 win 10136 (DF)
13:29:52.184939 > 206.170.217.84.1033 > 206.13.28.241.25: . 1:1(0) ack 98 win 32551 (DF)

PACKET LOG SESSION 6

15:25:14.406350 > 64.130.228.61.1025 > 206.13.29.12.53: 5868+ A? www.ibm.net. (29)
15:25:14.470691 < 206.13.29.12.53 > 64.130.228.61.1025: 5868* 1/3/3 A 32.97.166.71 (186) (DF)
15:25:14.471815 > 64.130.228.61 > 32.97.166.71: icmp: echo request
15:25:14.559263 < 32.97.166.71 > 64.130.228.61: icmp: echo reply

=========================================================================

QUESTIONS

Answer the questions on a scantron. Note special instructions given below for questions 6 and higher.

1. The Windows workstation is shutting down in:
   a. Session 1
   b. Session 2
   c. Session 3
   d. Session 4
   e. none of the above

2. The client uses IP broadcast to locate another computer in:
   a. Session 3
   b. Session 4
   c. Session 5
   d. Session 6
   e. none of the above

3. The client uses the ARP protocol to locate another computer in:
   a. Session 3
   b. Session 4
   c. Session 5
   d. Session 6
   e. none of the above

4. The Windows workstation is starting up in:
   a. Session 1
   b. Session 2
   c. Session 3
   d. Session 4
   e. none of the above

5. The client uses the DNS protocol to locate another computer in:
   a. Session 3
   b. Session 4
   c. Session 5
   d. Session 6
   e. none of the above

These 10 answers lettered a to j are available for the next 8 questions, which are numbered with even numbers from 6 to 20:

   a. 25        f. 138
   b. 110       g. 1033
   c. 137       h. 1025
   d. 1036      i. 1032
   e. 80        j. 53

SPECIAL INSTRUCTIONS: Scantron lines have room for only 5 answers, a to e. But more than 5 are possible here, a to j. So to accommodate, please treat odd-numbered scantron lines as continuation lines for the preceding even line, providing space for answers f through j. Please map f to a, g to b, h to c, i to d, and j to e on the odd-numbered scantron answer line. For example, if you think the answer to question 6 is b, mark b on the scantron's line 6. But if you think it is h, please "spill over" to line 7 where you are to mark c. Or, if you thought it were j, you would mark e. (Don't worry, there is no question "7", so we can devote line 7 on the scantron to question 6.)

6. The client port in Session 1 is ____?
8. The server port in Session 1 is ____?
10. The client port in Session 3 is ____?
12. The server port in Session 3 is ____?
14. The client port in Session 5 is ____?
16. The server port in Session 5 is ____?
18. The client port in Session 6 is ____?
20. The server port in Session 6 is ____?

These 9 answers lettered a to i are available for the next 9 questions, which are numbered with even numbers from 22 to 38:

   a. 206.170.217.84      e. 198.147.67.242
   b. 206.13.28.123       f. 206.13.28.241
   c. 192.168.3.1         g. 64.130.228.61
   d. 192.168.3.255       h. 206.13.29.12
                          i. 32.97.166.71

22. The IP address of the client sending mail messages is ____?
24. The IP address of the server through which he is sending it is ____?
26. The IP address of www.ibm.net is ____?
28. The IP address of the name server is ____?
30. The IP address of the web server is ____?
32. The IP address of the web client is ____?
34. The IP address of the Windows workstation is ____?
36. The IP address of the client collecting incoming mail is ____?
38. The IP address of the server from which he is collecting it is ____?
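
The port-suffix convention described in the introduction (ports appended to the IP address after a period, none for ICMP), as an added Python example that is not part of the original handout. It parses lines in the older tcpdump text format shown on this page and reports which side opened a TCP connection, taken here to be the sender of the first SYN that carries no ack; the sample lines are constructed with documentation addresses, and all function names are this example's own.

```python
import re

# time, direction marker (> sent, < received, B broadcast), "src > dst:", rest
LINE = re.compile(r"^(\S+)\s+([<>B])\s+(\S+)\s+>\s+(\S+?):\s*(.*)$")

# Constructed sample lines (documentation addresses, not the sessions above).
SAMPLE = [
    "10:00:00.000001 > 192.0.2.10 > 198.51.100.7: icmp: echo request",
    "10:00:01.000001 > 192.0.2.10.40000 > 198.51.100.7.22: S 1000:1000(0) win 32648 (DF)",
    "10:00:01.100001 < 198.51.100.7.22 > 192.0.2.10.40000: S 5000:5000(0) ack 1001 win 10136 (DF)",
    "10:00:01.100900 > 192.0.2.10.40000 > 198.51.100.7.22: . 1:1(0) ack 1 win 32648 (DF)",
]

def split_endpoint(text):
    """Split 'a.b.c.d.port' into (ip, port); a bare IPv4 address has no port."""
    parts = text.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return text, None

def parse_line(line):
    """Return a dict for one packet line, or None if it is not a packet line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    when, direction, src, dst, rest = m.groups()
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return {"time": when, "direction": direction, "rest": rest,
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}

def tcp_roles(lines):
    """Return (client_ip, client_port, server_ip, server_port), or None."""
    for line in lines:
        p = parse_line(line)
        if p is None or p["src_port"] is None:
            continue  # unparsable, or a protocol without ports such as ICMP
        tokens = p["rest"].split()
        # A SYN without an ack is the opening packet, so its source is the client.
        if tokens and tokens[0] == "S" and "ack" not in tokens:
            return p["src_ip"], p["src_port"], p["dst_ip"], p["dst_port"]
    return None

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
    print(tcp_roles(SAMPLE))
```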