Wireshark IP实验（自顶向下方法第七版）

下载PingPlotter，向baodu.com发送报文

1. Select the first ICMP Echo Request message sent by your computer, and expand the Internet Protocol part of the packet in the packet details window，What is the IP address of your computer?

我电脑的IP地址是100.64.100.229

2. Within the IP packet header, what is the value in the upper layer protocol field?

       1，因为ICMP报文的字段值就是1

3. How many bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain how you determined the number of payload bytes.

Header Length: 20 bytes (5)，所以是20bit，Total Length: 56，Header Length: 20 bytes，得到Payload=56−20=36 bytes，

4. Has this IP datagram been fragmented? Explain how you determined whether or not the datagram has been fragmented.

这个 IP 数据报没有被分段，Flags: 0x00 —— 这里的三个标志位（Reserved, DF, MF）都为 0，特别是 MF（More Fragments）=0，表示“没有更多片段”。Fragment Offset: 0 —— 偏移量为 0，说明这是数据报的第一个（也是唯一的）片段。

5. Which fields in the IP datagram always change from one datagram to the next within this series of ICMP messages sent by your computer?

Identification（ID）字段，每发一个新的 IP 数据报，ID 都会增加，用于区分不同的 datagram 以及分片时重组。

TTL（Time To Live）字段，Traceroute 程序会每次发送时修改TTL。逐渐增大获得每一跳的超时报文

Header Checksum（校验和），每个数据报的 checksum 基本不同，因为 header 中一些字段（如 TTL、ID）改变，会导致校验和变化。

6. Which fields stay constant? Which of the fields must stay constant? Which fields must change? Why?

不变的：Source IP，Destination IP

Version（IPv4）、Header Length（通常 20B）都由协议固定，且没有使用 options。

Protocol = 1，表示 ICMP，整个序列都是 ICMP Echo Request，因此保持不变。

必须不变的：Source IP     代表发送方身份，Destination IP     表示目标主机

Protocol 表示上层协议 ICMP，Version  必须是 IPv4

       必须改变的：Identification       每个 IP 数据报必须有唯一 ID，便于分片重组

TTL  每过一跳 TTL 减 1，而 traceroute/ping 通常通过设置不同 TTL 来探测路由

Header Checksum      头部任何字段变动都必须使校验和改变

7. Describe the pattern you see in the values in the Identification field of the IP datagram

       Identification递增，通常是加一，这反映了操作系统为每个发送的数据报分配唯一标识号的方法。

8. What is the value in the Identification field and the TTL field?

      

       0X3da8和255

9. Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your computer by the nearest (first hop) router? Why

找到第一个超时报文，确定第一跳地址后，再找到同样源地址的超时报文，发现他们俩ttl值一样，因为这是路由器返回给电脑的报文，只与路由器的设置有关，路由器到电脑是一跳是固定的，所以TTL的减少值也一样，可以看出TTL是255

10. Find the first ICMP Echo Request message that was sent by your computer after you changed the Packet Size in pingplotter to be 2000. Has that message been fragmented across more than one IP datagram?

      

        

是的，被分段了，因为length小于2000，且Fragment Offset: 1480，表明是已有1480的有效荷载被传输，且More fragment为0，是最后一个分片，前面的是这个IPV4报文，如图所示可以算出是对的。

11. Print out the first fragment of the fragmented IP datagram. What information in the IP header indicates that the datagram been fragmented? What information in the IP header indicates whether this is the first fragment versus a latter fragment? How long is this IP datagram?

第一个片段在上题中贴出，More fragments是1看出还有分片， Fragment Offset: 0看出是第一个，从total length – header length = 1480算出荷载

12. Print out the second fragment of the fragmented IP datagram. What information in the IP header indicates that this is not the first datagram fragment? Are the more fragments? How can you tell?

第二个片段也在10题贴出了，Fragment Offset: 1480表明不是第一个分片，More fragments是0，看出是最后一个分片

13. What fields change in the IP header between the first and second fragment?

More fragments，Fragment Offset，length发生了变化，且发现identification没变，因为是一个报文分成两片

14. How many fragments were created from the original datagram?

       可以看出被分成了三片，如图所示，两个IPV4，一个ICMP

15. What fields change in the IP header among the fragments?

       More fragments，Fragment Offset，length发生了变化