Exp 5

The document outlines an experiment focused on studying the Internet Control Message Protocol (ICMP) and Address Resolution Protocol (ARP) using Wireshark. It details the functions, packet structures, and vulnerabilities of both protocols, along with practical tasks for testing ICMP connectivity and analyzing ARP traffic. The conclusion emphasizes the importance of these protocols in network diagnostics and security monitoring.

Uploaded by

Mit Shah

Experiment No. – 5
EXPERIMENT TITLE: Study of ARP and ICMP Protocol using Wireshark

BRIEF THEORY:

Internet Control Message Protocol (ICMP)


ICMP is a core protocol of the Internet Protocol Suite, primarily used for sending error messages
and network diagnostic functions. Unlike TCP and UDP, ICMP does not facilitate direct data
transmission between applications; instead, it helps in troubleshooting and managing network
communication.

Key Features of ICMP:-


1. Error Reporting: ICMP informs network devices when data packets fail to reach their
destination due to issues like congestion or routing errors.
2. Network Diagnostics: Utilities such as ping and traceroute use ICMP to measure network
latency and identify routing paths.
3. Connectionless Nature: ICMP operates without establishing a connection, making it
lightweight and efficient.
4. Message Types:
o Echo Request & Echo Reply (Type 8 & 0) – Used in ping to check host availability.
o Destination Unreachable (Type 3) – Indicates that a host or network cannot be
reached.
o Time Exceeded (Type 11) – Signals that a packet's Time-To-Live (TTL) has expired
in transit.
o Redirect (Type 5) – Suggests an alternative route for packet forwarding.

ICMP Packet Structure:


ICMP packets have a minimalistic structure compared to TCP and UDP.
1. Type (1 byte): Identifies the ICMP message type.
2. Code (1 byte): Provides additional context for the message type.
3. Checksum (2 bytes): Ensures data integrity.
4. Rest of Header (4 bytes): Varies depending on the ICMP message type.
5. Data (Optional): Contains the original IP header and additional information.
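The header layout above, as an added example that is not part of the original report: it builds an Echo Request and Echo Reply with the RFC 1071 checksum the Checksum field carries, parses the 8-byte header back into the listed fields, and shows the checksum failing once a payload byte is corrupted. The 32-byte payload is constructed to match what the Windows ping command sends.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a valid message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo Request (type 8) or Echo Reply (type 0).
    Header: Type(1) Code(1) Checksum(2) Identifier(2) Sequence(2), then the payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)   # checksum zeroed first
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; the message is intact iff the checksum over the
    whole message (checksum field included) comes out as 0."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    msg_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": msg_type,
        "code": code,
        "checksum": csum,
        "identifier": ident,
        "sequence": seq,
        "payload": packet[8:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }

# Constructed sample: the 32-byte a..z,a..f payload that Windows ping uses
PAYLOAD = b"abcdefghijklmnopqrstuvwxyzabcdef"
request = build_echo(8, ident=1, seq=1, payload=PAYLOAD)
reply = build_echo(0, ident=1, seq=1, payload=PAYLOAD)

# Flip one payload byte to show that the checksum detects a transmission error
corrupted = request[:10] + b"\x00" + request[11:]

if __name__ == "__main__":
    for name, pkt in [("request", request), ("reply", reply), ("corrupted", corrupted)]:
        print(name, parse_icmp(pkt))
```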

Security Vulnerabilities in ICMP:


While ICMP is useful for diagnostics, it is also susceptible to various attacks:
1. ICMP Flood (Ping Flood): Overloads a target with excessive ping requests, causing network
congestion.
2. Smurf Attack: Uses ICMP Echo Requests with spoofed source addresses to amplify traffic
and overwhelm a victim.
3. ICMP Redirect Attacks: Maliciously redirects network traffic to unauthorized devices.
4. Ping of Death: Sends oversized ICMP packets, causing system crashes or network failures.

Fig: ICMP Packet Structure

Address Resolution Protocol (ARP) Poisoning


ARP is a crucial protocol used to resolve IP addresses into MAC addresses within a local network
(LAN). However, ARP lacks authentication mechanisms, making it vulnerable to spoofing attacks.
How ARP Works:
1. When a device wants to communicate within a LAN, it sends an ARP Request to find the
MAC address of the destination IP.
2. The device with the matching IP replies with an ARP Reply, providing its MAC address.
3. The sender updates its ARP cache with the resolved MAC address for future
communication.

ARP Packet Structure:


1. Hardware Type (2 bytes): Specifies the link-layer protocol (e.g., Ethernet).
2. Protocol Type (2 bytes): Indicates the network-layer protocol (e.g., IPv4).
3. Hardware Address Length (1 byte): Defines the size of the MAC address.
4. Protocol Address Length (1 byte): Defines the size of the IP address.
5. Operation (2 bytes): Specifies whether the packet is an ARP request (1) or reply (2).
6. Sender MAC Address (6 bytes): Contains the MAC address of the sender.
7. Sender IP Address (4 bytes): Contains the IP address of the sender.
8. Target MAC Address (6 bytes): Initially empty in a request but filled in a reply.
9. Target IP Address (4 bytes): Specifies the IP address being queried.

How ARP Poisoning Works:


ARP poisoning (or ARP spoofing) is a type of Man-in-the-Middle (MITM) attack, where an
attacker sends forged ARP responses to associate their MAC address with another device’s IP
address. This misleads devices into sending traffic to the attacker's system instead of the intended
recipient.

Consequences of ARP Poisoning:
1. Man-in-the-Middle (MITM) Attacks: The attacker intercepts and manipulates network
traffic.
2. Denial of Service (DoS): Redirecting or dropping packets can disrupt communication.
3. Session Hijacking: The attacker can steal login credentials or sensitive information.
4. Network Sniffing: Capturing data packets for unauthorized access to confidential
information.

Mitigation Strategies for ARP Poisoning:


1. Static ARP Entries: Manually configure ARP tables to prevent unauthorized modifications.
2. Packet Filtering: Use firewall rules to block suspicious ARP packets.
3. Dynamic ARP Inspection (DAI): A security feature in managed switches that verifies ARP
packets before forwarding.
4. Encryption (HTTPS, VPN): Prevents attackers from interpreting intercepted data.
5. Using Secure Network Protocols: Implement IPv6, which uses the more secure Neighbor
Discovery Protocol (NDP) instead of ARP.
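An added example, not from the original report, that ties the ARP packet structure and the poisoning section together: it decodes the nine ARP fields from a 28-byte Ethernet/IPv4 ARP packet, recognises a gratuitous announcement (sender IP equal to target IP), and runs the simplest detection a monitoring host can do: remember which MAC each IP was claimed by and alert when a later reply claims the same IP from a different MAC. The MACs and IPs of the Cisco and AzureWave devices come from the captures in Task 3; the requester IP 10.30.56.1 and the MAC aa:bb:cc:dd:ee:ff in the forged sample are constructed.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # the nine fields above: 28 bytes for Ethernet/IPv4

def parse_arp(payload: bytes) -> dict:
    """Decode one Ethernet/IPv4 ARP packet into named fields."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    to_mac = lambda b: ":".join("%02x" % x for x in b)
    to_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": to_mac(sha), "sender_ip": to_ip(spa),
            "target_mac": to_mac(tha), "target_ip": to_ip(tpa),
            "gratuitous": spa == tpa}   # announcement of the sender's own address

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Encode an ARP packet from string addresses (used here only to construct samples)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))

def detect_poisoning(packets):
    """Record the MAC each IP is claimed by (in replies and gratuitous announcements);
    an IP later claimed by a different MAC is the signature of ARP spoofing."""
    claims, alerts = {}, []
    for pkt in packets:
        arp = parse_arp(pkt)
        if arp["op"] == 2 or arp["gratuitous"]:
            ip, mac = arp["sender_ip"], arp["sender_mac"]
            if ip in claims and claims[ip] != mac:
                alerts.append((ip, claims[ip], mac))   # (ip, first MAC seen, conflicting MAC)
            claims.setdefault(ip, mac)
    return claims, alerts

# Constructed samples: a request/reply pair, a gratuitous announcement, then a forged
# reply claiming 10.30.56.250 from another MAC
SAMPLES = [
    build_arp(1, "48:e7:da:4a:d6:db", "10.30.56.1", "00:00:00:00:00:00", "10.30.56.250"),
    build_arp(2, "c8:f9:f9:58:32:00", "10.30.56.250", "48:e7:da:4a:d6:db", "10.30.56.1"),
    build_arp(1, "d2:6a:b7:38:6a:29", "10.30.60.80", "00:00:00:00:00:00", "10.30.60.80"),
    build_arp(2, "aa:bb:cc:dd:ee:ff", "10.30.56.250", "48:e7:da:4a:d6:db", "10.30.56.1"),
]

if __name__ == "__main__":
    table, alerts = detect_poisoning(SAMPLES)
    print("ip -> mac table:", table)
    print("conflicting claims:", alerts)
```

Dynamic ARP Inspection on a switch applies the same idea with the DHCP snooping binding table as its source of truth instead of first-seen claims.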

Fig: ARP Packet Structure

TASK 1:-STEPS FOR THE PING TEST FOR ICMP PROTOCOL

1. Type the following command in the Command Prompt to check connectivity to Google's
server using a ping test.

Fig 1: Result of ping command. It sends 4 echo requests to the given server, which sends echo
reply and the ping command measures the time it takes to receive the echo reply.

2. Filtering the ICMP in Wireshark

Fig 2: A network capture shows ICMP echo requests from device 10.30.7.224 to Google's server
at 216.239.38.120. Four requests (TTL 117) and four replies (TTL 128) were successfully
exchanged, confirming a working connection. The exchange takes place at the IP layer,
with ICMP carried directly inside IP and no UDP or TCP involved.

3. ICMP Echo (Ping) Request

Fig 3: Breakdown of ICMP Echo Request
• Ethernet Header: Includes the MAC addresses of the source and destination devices for
Layer 2 communication.
• IP Header: Displays the source and destination IP addresses, the Time-To-Live (TTL)
value, and the protocol type used in transmission.
• ICMP Segment:
o Message Type & Code:
▪ Type 8 indicates an Echo Request.
▪ Type 0 represents an Echo Reply.
o Identifier & Sequence Number: Helps correlate request and response packets.
o Checksum: Verifies data integrity to detect transmission errors.
• Payload Section: Contains the data sent within the request for testing network response.

4. ICMP Echo (Ping) Reply

Fig 4: Breakdown of ICMP Echo Reply


• Ethernet Header: Contains the source and destination MAC addresses for Layer 2
communication.
• IP Header: Displays source and destination IP addresses, TTL (Time-To-Live), and
protocol type used for routing.
• ICMP Segment:
o Message Type & Code:
▪ Type 0 indicates an Echo Reply.
▪ Code 0 signifies a standard reply message.
o Identifier & Sequence Number: Matches the reply with the corresponding Echo
Request.
o Checksum: Ensures data integrity by detecting errors.
• Payload Section: Contains the same data as the Echo Request to verify successful
transmission.

TASK 2:- Traceroute (tracert) COMMAND FOR ICMP PROTOCOL

1. Type the following command in the Command Prompt to show the route and delay of packets
on a network

Fig 1: The traceroute command mapped the path to Google's server, showing device sequences,
latency, and identifying an issue at one hop.

2. Filtering the ICMP in Wireshark

Fig 2: A network capture shows ICMP echo requests being sent from 10.30.62.221 to
216.239.38.120 with incrementing TTL values, characteristic of a tracert (traceroute)
command. Intermediate routers respond with "Time-to-Live exceeded" messages,
revealing the path taken by the packets through the network.

3. Analyzing the ICMP "Time-to-Live exceeded" messages produced by the tracert command

Fig 3: Breakdown of ICMP Time Exceeded Messages
• Message Type: 11 (Indicating Time Exceeded)
• Code: 0 (TTL Expired During Transmission)
• Origin: Generated by each router along the network path
• Function: When a packet's TTL (Time-To-Live) drops to zero, the router discards it and
returns an ICMP "Time Exceeded" message to the sender.
• Significance: Enables the tracert command to map the network route by identifying each
router encountered along the way to the destination.
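The correlation tracert performs, as an added example that is not part of the original report: each Time Exceeded message quotes the expired probe's IP header and the first 8 bytes of its ICMP Echo, so the sender can read back its own Identifier and Sequence Number, look up which TTL that probe left with, and record the replying router (the outer IP source) as that hop. The probe source 10.30.62.221 and destination 216.239.38.120 are from Fig 2; the three router addresses, the identifier 7 and the stray reply with identifier 9 are constructed.

```python
import struct
def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, ttl: int, total_len: int = 28) -> bytes:
    """Minimal 20-byte IPv4 header for protocol 1 (ICMP); IP checksum left 0, not checked below."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 1, 0, ip(src), ip(dst))

def time_exceeded(router: str, probe_src: str, probe_dst: str, ident: int, seq: int) -> bytes:
    """Constructed Type 11 / Code 0 reply from `router`: it quotes the expired probe's IP
    header (TTL now 0) plus the first 8 bytes of the probe's ICMP Echo (id and seq)."""
    quoted = ipv4_header(probe_src, probe_dst, ttl=0) + struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    body = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    return ipv4_header(router, probe_src, ttl=64, total_len=20 + len(body)) + body

def parse_time_exceeded(packet: bytes):
    """Return (router_ip, quoted_id, quoted_seq), or None if not a valid Time Exceeded."""
    ihl = (packet[0] & 0x0F) * 4
    router = ".".join(str(b) for b in packet[12:16])   # outer source = router that dropped it
    icmp = packet[ihl:]
    if (icmp[0], icmp[1]) != (11, 0) or icmp_checksum(icmp) != 0:
        return None
    inner_ihl = (icmp[8] & 0x0F) * 4                   # skip the quoted IP header
    _, _, _, ident, seq = struct.unpack("!BBHHH", icmp[8 + inner_ihl: 16 + inner_ihl])
    return router, ident, seq

def map_route(sent: dict, replies, ident: int) -> dict:
    """`sent` maps each probe's sequence number to the TTL it left with; the result maps
    TTL (hop number) to the router that answered, ignoring replies quoting other probes."""
    route = {}
    for pkt in replies:
        parsed = parse_time_exceeded(pkt)
        if parsed and parsed[1] == ident and parsed[2] in sent:
            route[sent[parsed[2]]] = parsed[0]
    return route

# Constructed samples: probes 1..3 from 10.30.62.221 toward 216.239.38.120 with id 7,
# answered by three hypothetical routers, plus a stray reply quoting someone else's probe (id 9)
SENT = {1: 1, 2: 2, 3: 3}                      # sequence -> TTL
ROUTERS = {1: "10.30.62.1", 2: "10.0.0.1", 3: "192.0.2.1"}
REPLIES = [time_exceeded(ROUTERS[ttl], "10.30.62.221", "216.239.38.120", 7, seq)
           for seq, ttl in SENT.items()]
REPLIES.append(time_exceeded("198.51.100.1", "10.30.62.221", "216.239.38.120", 9, 1))
```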

TASK 3:- Analyzing ARP PROTOCOL

1. Type the following command in the Command Prompt to delete all ARP cache entries, so that
we can capture the ARP exchanges that follow

Fig 1: The image shows a command prompt window in Windows. The command "arp -d *" has
been executed, which deletes all entries from the Address Resolution Protocol (ARP)
cache. The subsequent blank line indicates the command has finished, and the prompt is
ready for the next command. This action is often used to troubleshoot network
connectivity issues.

Enter the given link in your browser: http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-file3.html

2. Filtering the ARP in Wireshark

Fig 2: This Wireshark capture displays ARP (Address Resolution Protocol) traffic within a local
network, showing devices resolving IP addresses to MAC addresses for communication.
The capture includes an ARP request from AzureWaveTec_4a:d6 broadcasting to find the
MAC address of 10.30.56.250, followed by an ARP announcement from Cisco 82:bd:a0,
informing the network of its IP address 10.30.60.80. Multiple ARP responses are seen,
where devices like Cisco, Intel, and AzureWaveTec share their MAC addresses with
corresponding IPs. This exchange ensures proper network communication by allowing
devices to discover each other dynamically.
3. ARP Announcement from a Cisco Device in Wireshark Capture

Fig 3: This Wireshark capture shows an ARP (Address Resolution Protocol) packet exchange on a
local network. The highlighted frame is an ARP announcement from a Cisco device with
MAC address d2:6a:b7:38:6a:29, informing all devices that its IP address is 10.30.60.80.
This gratuitous ARP is sent as a broadcast (destination ff:ff:ff:ff:ff:ff) to update the network
about its IP-MAC association. The detailed packet breakdown includes Ethernet headers,
protocol type (IPv4), hardware type (Ethernet), and opcode indicating a request. Such ARP
announcements help prevent IP conflicts and ensure accurate MAC address resolution
within the network.

4. ARP Reply Mapping IP to MAC Address

Fig 4: The image shows a Wireshark capture of an Address Resolution Protocol (ARP) reply. The
packet details indicate that a Cisco device with MAC address c8:f9:f9:58:32:00 is
responding to an ARP request, stating that the IP address 10.30.56.250 is associated with
this MAC address. The ARP reply is directed to an AzureWave device with MAC address
48:e7:da:4a:d6:db. This confirms that the sender's IP-MAC mapping is being shared with
the requester, allowing proper communication between devices on the network.

Conclusion:-
Through this experiment, we gained a deeper understanding of essential network protocols by
capturing and analyzing network traffic using Wireshark. ICMP testing demonstrated how pings
diagnose reachability, latency, and errors, while ARP highlighted the process of mapping IP
addresses to MAC addresses. Additionally, clearing the ARP cache (arp -d *) minimized interference
from previously cached entries, allowing for a more precise analysis. This process is crucial for
network diagnostics, security monitoring, and troubleshooting.
