 Let's do some simple analysis of our PIN capture and see how PIN works or ICMP and also ARP and we'll try and draw the exchange of messages and the packets that are being sent and we'll use Wireshark to extract that information. So we have our captured packets here, 42 packets, some are ARP, some are ICMP. Let's start with the very first packet. Let's see who sent it and we look at the Ethernet source address and we check the hardware address and correspond or check that to our nodes and if we confirm that node 1 has the hardware address that matches the source of packet 1 or frame 1, so node 1 sent that. Who does it send to? Our destination is a special case address here. This all Fs address as a hardware address represents broadcast. So essentially node 1 sent this Ethernet frame to everyone on the same LAN. Our network topology was that on the same LAN as node 1 there was only one other node, node 2 but in general there could be other nodes on the same subnet. So we'll try and draw this exchange and what I'll draw is that a message, a time sequence diagram will draw these vertical lines to represent the nodes and what's happening at those nodes over time. That one wasn't so straight, a bit better. And we'll see that for the first message the source was node 1 and the destination was broadcast. So broadcast means that this message will go from node 1 to everyone on the LAN. We will not draw it sending to itself, it will go to node 2. So we'll draw a line saying this first message which was an ARP request was sent from node 1 to node 2. Now in our case there's only one other node but in general let's say that there are some other nodes. How do we draw that? Well one thing I might do is show a few other lines to illustrate some other nodes in this network and then show that this ARP request to illustrate it's not just sent to node 2 but to other nodes. Maybe one approaches this to illustrate that if there were other nodes on the same subnet as 1 they would also receive this ARP request, it's broadcast. Then what happens next? Node 2 receives it. The request is saying, the summary information gives us good information about what the idea of this packet is. It's saying from node 1 who has the IP address 192.168.1.1. If you do tell me at 192.168.1.11. And the details of that packet we have a hardware type and a protocol type. The hardware type indicates the technology used at the lower layer Ethernet and the protocol type at the network layer IP version 4. The size is the size of the addresses for each of those layers. In bytes a hardware address or MAC address is 6 bytes or 48 bits an IPv4 address is 4 bytes or 32 bits and this is a request and then the actual addresses so the sender MAC address, the sender IP address and the target MAC address which gives us a special case of all zeros because we don't know it yet. If we knew it we wouldn't have to ask what it is. Our target IP address is 192.168.1.1. We want to know the MAC address for node 2. So we send this ARP request, node 2 receives it and sends back a reply because node 2 does know the MAC address. It sends back 192.168.1.1 is at this MAC address. We could check the source and destination addresses to see that it is sent from node 2 to node 1. Looking at the contents of this the sender MAC address is that of node 2 the sender IP is that of node 2 the target MAC we're sending it back to the source node 1 which is 1.11 as an IP address. The result of this when node 1 receives this second frame it has learnt the MAC address 08002F it has learnt the MAC address of node 1 and now can send the next ICMP request to node 1. Let's draw that. It comes back an ARP reply comes back and this was not broadcast it's unicast from node 2 direct to node 1 and as a result node 1 learns the MAC address of node 2 and now can send the IP packet for the ICMP request to node 2. You'll see ARP come up in many other exchanges it's needed before we can communicate with a node with an IP address. Back to our capture frame number 3 now that node 1 knows the router hardware address it sends the ICMP echo request destination is node 3 but because it needs to go to the router it would actually physically go to the node 2 so the Ethernet frame and this ICMP echo request destination of the next immediate destination is node 2 the IP header includes a variety of fields importantly the source is node 1 destination is node 3 the router will use the destination to know to forward it on and the ICMP message which is the purpose of this message includes the information of the type of the message it's a PIN request some sequence numbers we'll see those change in a moment some timestamp and some data let's draw it first this is coming from node 1 to node 3 but it actually goes via node 2 just draw a small arrow there to indicate this packet is going to node 3 but node 2 forwards it on and it is an ICMP echo request I'll just write a PIN request it'll go to node 2 which will forward it on to node 3 and node 3 should eventually reply let's extend our diagram here we need a bit more space and let's go to our reply and then we'll analyze them a bit more depth node 2 a little bit later sends back an echo reply so we'll draw that the ICMP reply and let's look at them in a bit more depth first we'll open the PIN request so we see the structure of the PIN request it's a frame of 98 bytes containing the Ethernet header the IPv4 header and then the ICMP packet let's first draw that as a general outline we can draw the packet one way simply to draw the headers so we think we'll make some space the structure is we have an Ethernet header IPv4 header simply IP and then the ICMP and the total length is 98 bytes so let's record that on our diagram what we'll do is draw this packet and we can use such a picture as a summary of what's going on we can understand the packet structure and while we're here let's check the length of each of the headers what are the three components that make up those 98 bytes if we go back to the packet in Wireshark and maybe we'll just close that and return to it an easy way to see that we've selected the packet number 3 or frame number 3 the Ethernet header it may be quite small but when we click on that right down the bottom of the window of the Wireshark window just above the start menu in Windows is the length of the Ethernet header it says Ethernet comma 14 bytes so we know Ethernet header is 14 bytes IPv4 is 20 bytes and the rest is the ICMP message which is 64 bytes so let's record those values Ethernet header we just noticed 14 IP was 20 bytes and ICMP was 64 that's the total 64 plus 20, 84 plus 14 is our 98 bytes so we know the size of each of the components sometimes it's useful to stop there in terms of drawing the packet but sometimes it's some additional information can be valuable to draw and of course each header is made up of a number of fields it's difficult to draw all possible fields but some fields of importance like the Ethernet header let's have a look at it I'll double click to bring it up again in a different window the Ethernet header there are three fields the destination, the source and the type destination is that of in this case is that of the node 2 the MAC address of node 2 and the source is that of node 1 and the type indicates what's inside this Ethernet frame which is an IPv4 data frame so we could list those in the diagram if we want such level of detail maybe one easy way to list it is we have the source, the destination and the type and we could list the values there maybe the source equals and I will not write the full value the source is this value 0, 8 through to 2f where as the destination you could write the full value but as you see I struggle writing sometimes on the computer save a bit of time the destination ah I've made a mistake here the source is 5e destination is 2f let's the source 5e the destination almost the same but it finishes with 2f and this is really node 1 and node 2 but the MAC address and the type says it's IPv4 so if you want to draw some of the field information then you could do it as well but as you can imagine as we start to do the same for IP headers we use up a lot of space it's very hard to visualize all the different fields so we may select some of interest maybe with IP we've got a number of fields, what's of interest usually the source and destination IP addresses not the MAC addresses but the source IP addresses so in the IP header has a number of fields the version, IPv4, the header length the protocol which indicates what's inside this IP datagram which is an ICMP packet and the source and destination addresses source is 1.11 destination is 192.168.2.21 and then the ICMP header what's important inside there let's have a look, you may not draw it all look at the structure, it says the type of the message it's a ping request code, if there's a subtype a check sums used for error detection we have some ID and some sequence number so as we do different pings we may have different IDs and the sequence number, the first ping will be 1 the second ping in this set will be 2, 3, 4 and so on there's a timestamp included to indicate so that when we get the response we can calculate the roundtrip time and then the data in this case I don't think there's any need to draw any of that information but we should maybe at least keep track it's an ICMP I'll write it in here echo request so this diagram summarizes that one packet and it's useful to at least draw the rectangles and the names of the header fields in the packet so you can quickly see what's the structure of the packet and even the size and in some cases include some of the important fields on that diagram you could try and draw it for the ICMP echo reply it would be very similar structure but different values in the fields and similarly you could draw the packets for the ARP request and ARP reply so these two types of diagrams are very useful when you're studying protocols the sequence of messages being sent between which node and which other node and the structure of the packets being sent the format of those packets try and extract that information from Weishark as you can see in this packet maybe the data is of interest the data in ICMP ping requests are not important ping is just sending a message of any data the data is not what's being communicated it's just used to measure the time the round trip time so often the data is not important what does ping do to create some fake data well the first 8 bits actually use for a timestamp but if we see here from this byte onwards we see it just increments the values 101112 as a byte 1314 it goes up to 37 in this case if the data was large it would keep going so it's just a way to create some dummy data just increment every byte if we go back to our capture see what other information we have the echo reply we've already drawn that on a sequence diagram we could draw the structure but it would look similar to the ping request and then one second later there's a second echo request and then another second later the third echo request and so on so this is the packets being generated about every one second by the source and getting a reply quite quickly and the difference between the time of the reply and the request for example in this packet 1.03 seconds in this case it's 3.3 milliseconds to 1 so the difference is about 2.3 milliseconds now this is a difference recorded by TCP dump there may be also some additional time from when the ping software gets it so it depends upon the processing of your computer so the actual difference reported in the output if we see it may be slightly larger than what's seen in TCP dump but you should see a similar trend there so we have a quick coverage of how ARP works and also ICMP and how we can use Wireshark to draw the sequence of messages and also the structure of those messages