Topic Information
This case is the fourth question in the Sharkfest 2015 Packet Challenge, "WHATS UP?", and the packet trace file is whatsup.pcapng.
The main description is as follows:
1. Why did a device send an ICMP Type 3/Code 4 packet in this trace file?
2. What was the MTU size before the drop in size?
3. What is the IP address of the router that can’t forward larger sized frames?
4. What is the IP address of the host that adjusted its MTU?
5. How many more frames would be required to send a 6,000‐byte file using the smaller MTU size than using the larger MTU size?
Packet information
The basic information of the packet trace file is as follows:
λ capinfos whatsup.pcapng
File name: whatsup.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 52
File size: 34 kB
Data size: 32 kB
Capture duration: 65.134372 seconds
First packet time: 2014-08-21 11:14:34.045564
Last packet time: 2014-08-21 11:15:39.179936
Data byte rate: 498 bytes/s
Data bit rate: 3989 bits/s
Average packet size: 624.65 bytes
Average packet rate: 0 packets/s
SHA256: f977684e55b4bd48479781547c4e510cb89367785917a4d94c743e93193fff2e
RIPEMD160: fa09efc58691773c2636bbd4d0f844a4f8eb8834
SHA1: d91aa2ab506b07ddb4653728c28983e2e996635c
Strict time order: True
Capture oper-sys: 64-bit Windows 8, build 9200
Capture application: Dumpcap 1.10.9 (v1.10.9-0-g6b041ab from master-1.10)
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{BD0C1124-CBA7-41BB-95BA-DB895B9631F2}
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 8, build 9200
Number of stat entries = 1
Number of packets = 52
Number of resolved IPv4 addresses in file: 1
λ
Captured directly with Wireshark on a Windows 8 system, without truncation: the file size is 34 KB, 52 packets were captured, the capture duration is 65.13 seconds, and the average rate is 3989 bps.
The session information statistics are as follows. There is only one TCP flow.
The expert information is shown below. Given the small total number of packets, the number of Warning-level packets is relatively large, including out-of-order segments, previous segment not captured, D-SACK, etc.
Packet Analysis
The initial overview of the packet trace file is as follows. In the Packet List there are obvious black and red warning markers on the far right.
1. Why did a device send an ICMP Type 3/Code 4 packet in this trace file?
In this trace file, why would a device send an ICMP Type 3/Code 4 packet?
Analysis steps
First, let's review the ICMP message type. Type 3/Code 4 is described as follows:
TYPE | CODE | Description | Error |
---|---|---|---|
3 | 4 | Fragmentation needed but no frag. bit set (fragmentation is needed but the Don't Fragment bit is set) | x |
The description above is already quite clear: when a device forwarding a packet finds that the outbound interface's MTU is too small, so the packet would have to be fragmented, but the packet is marked Don't Fragment, it discards the packet and sends a Type 3/Code 4 message back to the source via ICMP.
After filtering, we can see that No.19 is an ICMP Type 3/Code 4 packet, which indicates Destination Unreachable (Fragmentation needed) and reports a next-hop MTU of 1480.
Which packet is the original? Expanding No.19 shows the packet details; since the ICMP message quotes the original IP header, the original packet is easily found by its IP ID.
Filtering on that ID shows that the original packet is No.18: its size of 1492 is greater than 1480, and it cannot be fragmented because DF is set to 1.
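To make the lookup described above reproducible without Wireshark, here is an added example (not part of the original write-up) that builds a constructed ICMP Type 3/Code 4 message, parses the next-hop MTU and the quoted original IP header, and matches the quoted IP ID against a constructed packet list. The sample IP ID 0x1234, the destination 203.0.113.10 and the packet list are constructed assumptions; the field layout follows RFC 792 and RFC 1191.

```python
import struct
from ipaddress import IPv4Address

# Real constants from RFC 792 / RFC 1191.
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IP_DF = 0x2                  # Don't Fragment, bit 1 of the 3-bit IP flags field

IPV4_HDR = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header layout


def build_ipv4_header(src, dst, ident, total_len, df=True, proto=6):
    """Constructed sample IPv4 header (checksum left as 0, not needed here)."""
    flags_frag = (IP_DF << 13) if df else 0
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, flags_frag, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def build_frag_needed(next_hop_mtu, orig_ip_header, orig_first8):
    """ICMP type 3 / code 4 body: unused(2) + next-hop MTU(2), followed by the
    original IP header plus the first 8 bytes of its payload (RFC 1191)."""
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + orig_ip_header + orig_first8


def parse_frag_needed(icmp):
    """Return the fields an analyst checks on a Fragmentation Needed message,
    or None if the message is some other ICMP type/code."""
    itype, code, _cksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("quoted original header is truncated")
    (_vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _cks,
     src, dst) = struct.unpack(IPV4_HDR, inner[:20])
    df = bool((flags_frag >> 13) & IP_DF)
    return {
        "next_hop_mtu": next_hop_mtu,
        # A next-hop MTU of 0 means a pre-RFC-1191 router; the sender must then
        # probe downwards through the RFC 1191 plateau table instead.
        "mtu_advertised": next_hop_mtu != 0,
        "orig_id": ident,
        "orig_len": total_len,
        "orig_df": df,
        "orig_proto": proto,
        "orig_src": str(IPv4Address(src)),
        "orig_dst": str(IPv4Address(dst)),
        # The original was dropped only if it was too big AND DF was set.
        "dropped": df and next_hop_mtu != 0 and total_len > next_hop_mtu,
    }


def find_original(info, packets):
    """Match the quoted header against captured packets by (src, dst, IP ID),
    the same lookup done by hand in Wireshark."""
    key = (info["orig_src"], info["orig_dst"], info["orig_id"])
    for num, pkt in packets:
        if (pkt["src"], pkt["dst"], pkt["id"]) == key:
            return num
    return None


# Constructed sample: a 1492-byte DF packet hitting a 1480-byte link.
SAMPLE_ID = 0x1234                      # constructed IP ID, not from the trace
ORIG_HDR = build_ipv4_header("192.168.1.71", "203.0.113.10", SAMPLE_ID, 1492)
SAMPLE_ICMP = build_frag_needed(1480, ORIG_HDR, bytes(8))
SAMPLE_PACKETS = [  # constructed packet list: (frame number, summary)
    (17, {"src": "192.168.1.71", "dst": "203.0.113.10", "id": 0x1233}),
    (18, {"src": "192.168.1.71", "dst": "203.0.113.10", "id": SAMPLE_ID}),
]

if __name__ == "__main__":
    info = parse_frag_needed(SAMPLE_ICMP)
    print(info)
    print("original frame:", find_original(info, SAMPLE_PACKETS))
```

The `dropped` field encodes the rule from the table above: the router only discards when the packet exceeds the next-hop MTU and DF is set; without DF it would simply fragment. A next-hop MTU of 0 is kept as a separate flag because older routers send it, and a host must not treat 0 as a usable path MTU.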
Analyze the answer
In this trace file, why would a device send an ICMP Type 3/Code 4 packet? Because packet No.18 needs to be fragmented due to the MTU, but fragmentation is not allowed.
2. What was the MTU size before the drop in size?
What was the MTU size before the packet size was reduced?
Analysis steps
MTU and MSS have always been an interesting topic in network protocol packet analysis, and question 2 is no exception. It asks about the MTU before the packet size was reduced; based on the analysis of question 1, this is the MTU in effect before No.18.
From the TCP three-way handshake, we can see that the local MTU of both client and server is 1500 (MSS 1460 + 20 IP header + 20 TCP header), and the MTU of the intermediate path in the server -> client direction is also 1500 (1514 frame - 14 Ethernet header).
Analyze the answer
The MTU size before the packet size is reduced is: 1500.
3. What is the IP address of the router that can’t forward larger sized frames?
What is the IP address of the router that cannot forward larger frames?
Analysis steps
In fact, the answer is already marked in the analysis of question 1.
The slightly odd part is that this IP address is the same as the destination IP of the original packet; it seems the IP address anonymization of the trace went wrong...
Analyze the answer
The IP address of the router that cannot forward larger frames is: 108.160.172.65.
4. What is the IP address of the host that adjusted its MTU?
What is the IP address of the host that adjusted its MTU?
Analysis steps
After the client receives ICMP message No.19, it adjusts its MTU in packet No.20 to 1480 (1494 frame - 14 Ethernet header).
Analyze the answer
The IP address of the host that adjusted its MTU is: 192.168.1.71.
5. How many more frames would be required to send a 6,000‐byte file using the smaller MTU size than using the larger MTU size?
How many more data frames are required to send a 6000-byte file using a smaller MTU than using a larger MTU?
Analysis steps
With the larger MTU of 1500 (MSS 1460), a 6000-byte file is split into 5 segments (4 of 1460 bytes + 1 of 160 bytes). With the smaller MTU of 1480 (MSS 1440), it is also split into 5 segments (4 of 1440 bytes + 1 of 240 bytes). So the number of data frames does not change.
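The arithmetic in question 2 (MTU from frame length, MSS from MTU) and question 5 (frame count per MTU) is small enough to script, and scripting it shows that the "0 extra frames" answer depends on the file size. The following is an added example, not code from the original write-up; it assumes IPv4 and TCP headers without options (20 bytes each) and one segment per Ethernet frame, and it goes beyond the 6000-byte case to show sizes where the smaller MTU does cost an extra frame.

```python
import math

IP_HDR = 20     # IPv4 header without options (assumption)
TCP_HDR = 20    # TCP header without options (assumption)
ETH_HDR = 14    # Ethernet header, not counted in the MTU


def mss_from_mtu(mtu, ip_hdr=IP_HDR, tcp_hdr=TCP_HDR):
    """MSS = MTU - IP header - TCP header (1500 -> 1460, 1480 -> 1440)."""
    return mtu - ip_hdr - tcp_hdr


def mtu_from_frame(frame_len, eth_hdr=ETH_HDR):
    """Largest IP packet seen on the wire: frame length minus the Ethernet
    header (1514 -> 1500, 1494 -> 1480)."""
    return frame_len - eth_hdr


def segment_plan(file_size, mtu):
    """Number of TCP segments (one per frame) needed for file_size bytes at
    this MTU, and the size of the final segment."""
    mss = mss_from_mtu(mtu)
    frames = math.ceil(file_size / mss)
    last = file_size - (frames - 1) * mss
    return {"mss": mss, "frames": frames, "last_segment": last}


def extra_frames(file_size, large_mtu, small_mtu):
    """How many more frames the smaller MTU costs for one file."""
    return (segment_plan(file_size, small_mtu)["frames"]
            - segment_plan(file_size, large_mtu)["frames"])


if __name__ == "__main__":
    # 6000 bytes is the challenge's case; the others are constructed sizes
    # that sit just past a multiple of 1460 and so need one more frame at 1480.
    for size in (6000, 7300, 100000):
        big, small = segment_plan(size, 1500), segment_plan(size, 1480)
        print(f"{size:6d} bytes: MTU 1500 -> {big['frames']} frames "
              f"(last {big['last_segment']}), MTU 1480 -> {small['frames']} frames "
              f"(last {small['last_segment']}), extra {extra_frames(size, 1500, 1480)}")
```

If the connection negotiates TCP timestamps, every segment carries 12 bytes of options and the effective MSS drops by 12 on both sides; the `ip_hdr`/`tcp_hdr` parameters exist so that case can be modelled without changing the functions.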
Analyze the answer
How many more data frames are required to send a 6000-byte file using a smaller MTU than using a larger MTU: 0.