
Wireshark Lab: Ethernet and ARP v7.0

Supplement to Computer Networking: A Top-Down Approach, 7th ed., J.F. Kurose and K.W. Ross

“Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb

© 2005-2016 J.F. Kurose and K.W. Ross, All Rights Reserved

In this lab, we’ll investigate the Ethernet protocol and the ARP protocol. RFC 826 (ftp://ftp.rfc-editor.org/in-notes/std/std37.txt) contains the gory details of the ARP protocol, which is used by an IP device to determine the Ethernet (MAC) address of an interface on its local network whose IP address is known.

1. Capturing and analyzing Ethernet frames

Let’s begin by capturing a set of Ethernet frames to study. Do the following (see footnote 1):

First, make sure your browser’s cache is empty. To do this under Mozilla Firefox V3, select Tools->Clear Recent History and check the box for Cache. For Internet Explorer, select Tools->Internet Options->Delete Files. (Current browsers put this under their history or privacy settings; the goal is the same: force the page to be fetched from the network rather than served from the local cache.) Start up the Wireshark packet sniffer.

Enter the following URL into your browser

http://gaia.cs.umass.edu/wireshark-labs/HTTP-ethereal-lab-file3.html
Your browser should display the rather lengthy US Bill of Rights.

  1. If you are unable to run Wireshark live on a computer, you can download the zip file http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the file ethernet-ethereal-trace-1. The traces in this zip file were collected by Wireshark running on one of the author’s computers, while performing the steps indicated in the Wireshark lab. Once you have downloaded the trace, you can load it into Wireshark and view the trace using the File pull down menu, choosing Open, and then selecting the ethernet-ethereal-trace-1 trace file. You can then use this trace file to answer the questions below.

Stop Wireshark packet capture. First, find the packet numbers (the leftmost column in the upper Wireshark window) of the HTTP GET message that was sent from your computer to gaia.cs.umass.edu, as well as the beginning of the HTTP response message sent to your computer by gaia.cs.umass.edu. You should see a screen that looks something like this (where packet 4 in the screen shot below contains the HTTP GET message)

Since this lab is about Ethernet and ARP, we’re not interested in IP or higher-layer protocols. So let’s change Wireshark’s “listing of captured packets” window so that it shows information only about protocols below IP. To have Wireshark do this, select Analyze->Enabled Protocols. Then uncheck the IP box (listed as IPv4 in current Wireshark releases) and select OK. Disabling the IP dissector also stops Wireshark from decoding everything IP carries, so TCP and HTTP disappear from the listing and the frames show up as raw Ethernet payload. You should now see a Wireshark window that looks like:

In order to answer the following questions, you’ll need to look into the packet details and packet contents windows (the middle and lower display windows in Wireshark).

Select the Ethernet frame containing the HTTP GET message. (Recall that the HTTP GET message is carried inside of a TCP segment, which is carried inside of an IP datagram, which is carried inside of an Ethernet frame; reread section 1.5.2 in the text if you find this encapsulation a bit confusing). Expand the Ethernet II information in the packet details window. Note that the contents of the Ethernet frame (header as well as payload) are displayed in the packet contents window.

Answer the following questions, based on the contents of the Ethernet frame containing the HTTP GET message. Whenever possible, when answering a question you should hand in a printout of the packet(s) within the trace that you used to answer the question asked. Annotate the printout (see footnote 1) to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question.

What is the 48-bit Ethernet address of your computer?

What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of gaia.cs.umass.edu? (Hint: the answer is no). What device has this as its Ethernet address? [Note: this is an important question, and one that students sometimes get wrong. Re-read pages 468-469 in the text and make sure you understand the answer here.]

Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to?

How many bytes from the very start of the Ethernet frame does the ASCII “G” in “GET” appear? (Count from the first byte of the destination address: the preamble is never captured and the frame check sequence is normally stripped before Wireshark sees the frame, so byte 0 in the packet contents window is the first byte of the destination address. Remember that the IP and TCP headers may both carry options, so read their length fields rather than assuming 20 bytes each.)

Next, answer the following questions, based on the contents of the Ethernet frame containing the first byte of the HTTP response message.

What is the value of the Ethernet source address? Is this the address of your computer, or of gaia.cs.umass.edu? (Hint: it is neither.) What device has this as its Ethernet address?

What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer?

Give the hexadecimal value for the two-byte Frame type field. What upper layer protocol does this correspond to?

How many bytes from the very start of the Ethernet frame does the ASCII “O” in “OK” (i.e., the HTTP response code) appear?

  1. What do we mean by “annotate”? If you hand in a paper copy, please highlight where in the printout you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what you’ve highlighted. If you hand in an electronic copy, it would be great if you could also highlight and annotate.
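As an added example (not part of the original lab handout), the following Python script builds a constructed Ethernet II / IPv4 / TCP frame carrying an HTTP request and one carrying the response, parses the 14-byte Ethernet header, and computes the byte offset of the first TCP payload byte by walking the IPv4 IHL and TCP data-offset fields. That is exactly the arithmetic behind the “G in GET” and “O in OK” questions above. It uses only the standard library; every MAC and IP address in it is a placeholder, not a value from the lab trace.

```python
"""Ethernet II frame parsing and TCP-payload offset arithmetic.
Added example for this lab; stdlib only; addresses are placeholders."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
# 6-byte dst + 6-byte src + 2-byte type. The preamble/SFD are never captured and
# the FCS is normally stripped by the NIC, so byte 0 of a Wireshark frame is the
# first byte of the destination address.
ETH_HDR_LEN = 14


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype, payload) of an Ethernet II frame."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet II header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return mac_str(dst), mac_str(src), etype, frame[ETH_HDR_LEN:]


def tcp_payload_offset(frame):
    """Offset, from byte 0 of the Ethernet header, of the first TCP payload byte.
    Reads the IPv4 IHL and TCP data-offset fields, so options in either header
    are accounted for instead of assuming 20-byte headers."""
    _, _, etype, ip = parse_ethernet(frame)
    if etype != ETHERTYPE_IPV4:
        raise ValueError(f"ethertype 0x{etype:04x} is not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        raise ValueError(f"IP protocol {ip[9]} is not TCP")
    data_off = (ip[ihl + 12] >> 4) * 4
    return ETH_HDR_LEN + ihl + data_off


def ascii_offset(frame, token):
    """Offset from byte 0 of the frame of the first byte of `token` in the TCP payload."""
    start = tcp_payload_offset(frame)
    return start + frame[start:].index(token)


def build_http_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, http):
    """Constructed Ethernet/IPv4/TCP frame carrying `http`. Checksums are left
    zero; only the header lengths matter for the offset arithmetic."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 0, 0,
                     64, IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + http


# Constructed sample frames (placeholder addresses). The GET leaves the host
# addressed to the router's MAC, not the server's, and the response arrives
# from the router's MAC.
HOST_MAC, ROUTER_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
HOST_IP, SERVER_IP = "192.168.1.10", "203.0.113.7"
GET_FRAME = build_http_frame(ROUTER_MAC, HOST_MAC, HOST_IP, SERVER_IP, 40000, 80,
    b"GET /wireshark-labs/HTTP-ethereal-lab-file3.html HTTP/1.1\r\nHost: gaia.cs.umass.edu\r\n\r\n")
RESP_FRAME = build_http_frame(HOST_MAC, ROUTER_MAC, SERVER_IP, HOST_IP, 80, 40000,
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    dst, src, etype, _ = parse_ethernet(GET_FRAME)
    print(f"dst={dst} src={src} type=0x{etype:04x}")
    print("offset of 'G' in GET:", ascii_offset(GET_FRAME, b"GET"))
    print("offset of 'O' in OK:", ascii_offset(RESP_FRAME, b"OK"))
```

With no IP or TCP options the payload starts at byte 54, so “G” is at offset 54 and the “O” of “200 OK” at offset 67. A real capture with TCP options (timestamps, for instance) shifts both, which is why the code reads the data-offset field instead of hard-coding header sizes. To run it over a real frame, save the frame with File->Export Packet Bytes in Wireshark and pass the raw bytes to ascii_offset.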

2. The Address Resolution Protocol

In this section, we’ll observe the ARP protocol in action. We strongly recommend that you re-read section 6.4.1 in the text before proceeding.

ARP Caching

Recall that the ARP protocol typically maintains a cache of IP-to-Ethernet address translation pairs on your computer. The arp command (in both MS-DOS and Linux/Unix) is used to view and manipulate the contents of this cache. Since the arp command and the ARP protocol have the same name, it’s understandably easy to confuse them. But keep in mind that they are different: the arp command is used to view and manipulate the ARP cache contents, while the ARP protocol defines the format and meaning of the messages sent and received, and defines the actions taken on message transmission and receipt.

Let’s take a look at the contents of the ARP cache on your computer:

MS-DOS. The arp command is in c:\windows\system32, so type either “arp” or “c:\windows\system32\arp” in the MS-DOS command line (without quotation marks).

Linux/Unix/MacOS. The executable for the arp command can be in various places. Popular locations are /sbin/arp (for Linux) and /usr/etc/arp (for some Unix variants). On current Linux distributions arp belongs to the optional net-tools package and may not be installed; the iproute2 equivalent, ip neigh show, is always available.

Run the arp command with the -a flag (arp -a) to display the contents of the ARP cache on your computer. On Windows, arp with no arguments only prints its usage text; on Linux and MacOS, arp -a prints the table as well.

Write down the contents of your computer’s ARP cache. What is the meaning of each column value?

In order to observe your computer sending and receiving ARP messages, we’ll need to clear the ARP cache, since otherwise your computer is likely to find a needed IP-Ethernet address translation pair in its cache and consequently not need to send out an ARP message.

MS-DOS. The command arp -d * will clear your ARP cache. The -d flag indicates a deletion operation, and the * is the wildcard that says to delete all table entries. On Windows Vista and later this must be run from an elevated (Administrator) command prompt; netsh interface ip delete arpcache does the same thing.

Linux/Unix/MacOS. The command arp -d * will clear your ARP cache on systems whose arp accepts a wildcard; on Linux the reliable way is ip -s -s neigh flush all, and on MacOS it is arp -a -d. In order to run any of these you’ll need root privileges. If you don’t have root privileges and can’t run Wireshark on a Windows machine, you can skip the trace collection part of this lab and just use the trace discussed in the earlier footnote.

Observing ARP in action

Do the following (see footnote 1):

Clear your ARP cache, as described above.

Next, make sure your browser’s cache is empty. To do this under Mozilla Firefox V3, select Tools->Clear Recent History and check the box for Cache. For Internet Explorer, select Tools->Internet Options->Delete Files.

Start up the Wireshark packet sniffer.

Enter the following URL into your browser

http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-lab-file3.html
Your browser should again display the rather lengthy US Bill of Rights.

Stop Wireshark packet capture. Again, we’re not interested in IP or higher-layer protocols, so change Wireshark’s “listing of captured packets” window so that it shows information only about protocols below IP. To have Wireshark do this, select Analyze->Enabled Protocols. Then uncheck the IP (IPv4) box and select OK. You should now see a Wireshark window that looks like:

In the example above, the first two frames in the trace contain ARP messages (as does the 6th message). The screen shot above corresponds to the trace referenced in footnote 1.

Answer the following questions:

What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message?

Give the hexadecimal value for the two-byte Ethernet Frame type field. What upper layer protocol does this correspond to?

Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt (the RFC Editor no longer serves FTP; the same text is available at https://www.rfc-editor.org/rfc/rfc826.txt). A readable, detailed discussion of ARP is also at http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.

How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?

What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP request is made?

Does the ARP message contain the IP address of the sender?

Where in the ARP request does the “question” appear, that is, the IP address of the machine whose Ethernet address is being queried? (In RFC 826 terms this is the target protocol address; the target hardware address field is what the sender does not yet know.)

Now find the ARP reply that was sent in response to the ARP request.

How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?

What is the value of the opcode field within the ARP-payload part of the Ethernet frame in which an ARP response is made?

Where in the ARP reply does the “answer” to the earlier ARP request appear, that is, the Ethernet address of the machine whose IP address was queried? (In RFC 826 terms this is the sender hardware address of the reply, since the replying host fills in its own addresses as sender.)

What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message?

Open the ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip. The first and second ARP packets in this trace correspond to an ARP request sent by the computer running Wireshark, and the ARP reply sent to the computer running Wireshark by the computer with the ARP-requested Ethernet address. But there is yet another computer on this network, as indicated by packet 6 – another ARP request. Why is there no ARP reply (sent in response to the ARP request in packet 6) in the packet trace?

  1. The ethernet-ethereal-trace-1 trace file in http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip was created using the steps below (in particular after the ARP cache had been flushed).
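As an added example (not from the original handout), the following Python script builds the ARP request/reply exchange discussed in the questions above using RFC 826’s Ethernet/IPv4 field layout, parses both messages, applies the receiver’s cache-update rule, and models what a sniffer on a switched LAN sees, which is the point behind the last question. It uses only the standard library. All addresses are placeholders, and the switched-LAN visibility model is an assumption about the kind of network the trace was taken on, not something the trace itself states.

```python
"""ARP request/reply construction, parsing, cache update and a switched-LAN
visibility model. Added example for this lab; stdlib only; addresses are placeholders."""
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR_LEN = 14
# After the Ethernet header come htype(2) ptype(2) hlen(1) plen(1), then the opcode.
ARP_OPCODE_OFFSET = ETH_HDR_LEN + 6
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet (hlen 6) over IPv4 (plen 4)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying one ARP message. A request is broadcast;
    a reply is unicast to the requester's MAC."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    return mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Decode the Ethernet header and the ARP fields; raise on anything that is not
    Ethernet/IPv4 ARP."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"ethertype 0x{etype:04x} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[ETH_HDR_LEN:ETH_HDR_LEN + 28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "opcode": op,
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def answer_request(request_frame, my_mac, my_ip):
    """What the host owning the queried IP does: put its own MAC in the sender
    hardware address and unicast the reply to the requester. None if not for us."""
    req = parse_arp(request_frame)
    if req["opcode"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


def learn(cache, frame):
    """RFC 826 receiver rule, simplified: record the sender's IP -> MAC mapping."""
    msg = parse_arp(frame)
    cache[msg["sender_ip"]] = msg["sender_mac"]
    return cache


def visible_to_sniffer(frame, sniffer_mac):
    """Model (assumption) of a switched LAN: the switch floods broadcasts to every
    port but forwards a unicast frame only to the port where its destination MAC was
    learned, so a sniffer on another host sees broadcasts and its own traffic, not
    other hosts' unicast replies."""
    dst = mac_str(frame[:6])
    return dst in (BROADCAST_MAC, sniffer_mac)


# Constructed sample exchange; placeholder addresses, not values from the lab trace.
HOST_MAC, HOST_IP = "00:11:22:33:44:55", "192.168.1.10"
ROUTER_MAC, ROUTER_IP = "00:aa:bb:cc:dd:ee", "192.168.1.1"
OTHER_MAC, OTHER_IP = "00:99:88:77:66:55", "192.168.1.20"

REQUEST = build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, ROUTER_IP)
REPLY = answer_request(REQUEST, ROUTER_MAC, ROUTER_IP)
OTHER_REQUEST = build_arp(ARP_REQUEST, OTHER_MAC, OTHER_IP, ZERO_MAC, ROUTER_IP)
OTHER_REPLY = answer_request(OTHER_REQUEST, ROUTER_MAC, ROUTER_IP)

if __name__ == "__main__":
    print("opcode bytes at offset", ARP_OPCODE_OFFSET, ":",
          REQUEST[ARP_OPCODE_OFFSET:ARP_OPCODE_OFFSET + 2].hex())
    print("request:", parse_arp(REQUEST))
    print("reply:  ", parse_arp(REPLY))
    print("cache after reply:", learn({}, REPLY))
    print("host sees other host's request:", visible_to_sniffer(OTHER_REQUEST, HOST_MAC))
    print("host sees reply to other host:  ", visible_to_sniffer(OTHER_REPLY, HOST_MAC))
```

The opcode sits 20 bytes into the frame (14 bytes of Ethernet header plus the four fixed ARP fields before it) in both the request and the reply; the request goes to ff:ff:ff:ff:ff:ff with an all-zero target hardware address, and the reply goes unicast to the requester with the answer in the sender hardware address field. The visibility model is what makes a third host’s request (broadcast) appear in the capture while the reply to it (unicast to that host) does not.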