The arp entry deletion failed the requested operation requires elevation

Network Lab Assignment

Activity 3.2 Page 1

MGMT 393 Laboratory Manual

Activity 3.2 — Protocols and Conversations

SOFTWARE REQUIRED. You will need Wireshark (which you downloaded in Activity 1.3), and TCPVIEW,

which you will download this week, in PART 2.

The textbook’s Hands-On Cases, in Chapter 5 and 6, step you through some of this. You may find it

useful to have it handy while doing this Activity.

DON’T PANIC. You’re still not writing a lengthy lab report here – and there’s really not a lot of things

you’ll be doing this week. But you will be cranking through some details with Wireshark, and making

notes as you go along. Don’t rush. Be patient. It will pay off in the long run!

PART 1: Identifying the TCP/IP Layers in a Frame (see Hands-On Project 5.2, pgs 211-212 in the text).

1. START WIRESHARK: Set its Interface and Capture Options so that you’re ready to capture on

your active Internet connection, with NO filtering. START the CAPTURE.

2. BROWSER window: start up your browser, and after your home page loads, exit the browser.

3. STOP CAPTURE. Now, let’s take a closer look at what WIRESHARK found.

A. Click a packet summary in the top pane with HTTP in the protocol field and an INFO line

beginning with GET. In the middle pane Wireshark shows us summaries of each protocol

header. Ignore the lines that start Frame X.

B. Expand the ETHERNET II line in the PACKET DETAILS (middle) pane.

Examine the details that this reveals.

PASTE IN A SCREEN SHOT of that expanded ETHERNET II packet details pane in your

Report. (You might want to grab Wireshark’s scroll bars and expand the window, and

MGMT 393 Laboratory Manual Last Updated 16 Jun 2013

Activity 3.2 Page 2

trim down the parts of the screen shot outside of that area. JING makes that very easy,

but so does PAINT.) What are you seeing here?

What layer of the TCP/IP protocol does this header represent?

C. Collapse that line, and then expand the line starting with INTERNET PROTOCOL. Expand its

sublevels. What is this telling you? PASTE a screen shot of that into your report. What

new information about this conversation are you seeing here?

What layer of the TCP/IP protocol does this header represent?

D. Do the same for the line that begins “Transmission Control Protocol” (expand it, screen

print, past that in your report.) What new information about this conversation are you

seeing here?

What layer of the TCP/IP protocol does this header represent?

E. Do the same for the line that begins “Hypertext Transmission Protocol” (expand it, screen

print, past that in your report.) Can you explain what we’re seeing now, and why it seems

so different than what we’ve seen at the other protocol lines we’ve looked inside?

What layer of the TCP/IP protocol does this header represent?

If you’re not going on to the next part of the lab, close Wireshark (exit without saving), save your

lab report file. Else, press on!

PART 2: Taking a good hard look at ARP (see Hands-On Project 5-4: Capturing ARP and ICMP Packets,

pgs 219-220)

You’ll again need your lab report open in one window, these instructions in another, a

Command Prompt window and a WIRESHARK window. NOTE that we’re borrowing a

typographical convention from the textbook here: instead of showing you a C:> prompt with the

command on the line, the commands you’ll need to type in to the Command Prompt window

MGMT 393 Laboratory Manual Last Updated 16 Jun 2013

Activity 3.2 Page 3

will be shown in BOLDFACE and HIGHLIGHTED in GREEN. (We’ll assume that “press Enter” is

after each command, if it’s not already shown, okay?)

ALSO NOTE that sometimes, you have to click a few different times on Wireshark’s main pane

(on a particular frame number’s line) to get it to refresh the detail panes. Minimize each line

that you expand, then click on the next frame you want, then expand its lines as you need to.

Don’t let it baffle you.

1. open a command prompt window.

2. Type arp -d and press Enter to clear your ARP cache.

NOTE that WINDOWS may respond with

The ARP deletion failed: the requested operation requires elevation.

then you will have to exit Command Prompt, and rerun it by RIGHT-CLICKING it in your

START menu, and selecting RUN AS ADMINISTRATOR.

3. Start Wireshark and click Capture Options. In the Capture Filter text box, type arp or

icmp, and then click Start.

4. At the command prompt, type tracert books.tomsho.com and press Enter. When

Tracert is finished, click the Stop the running live capture toolbar icon in Wireshark to

stop the capture. Scroll to the first packet summary line, if necessary.

5. Find the ARP packets your computer has generated by looking in the Info column for

“Who has A.B.C.D, Tell E.F.G.H” (replacing A.B.C.D with the address of your default

gateway and E.F.G.H with your computer’s IP address. Refer back to Activity 1-3 if you

forgot these.). Click this packet summary line.

6. Notice that the Dst (for destination) address is ff:ff:ff:ff:ff:ff, indicating a broadcast. In

the middle pane, click to expand the Ethernet II line. Notice that the Type field is ARP

(0x806), which tells the Network access layer which Internetwork-layer protocol should

receive the packet. Click again to collapse this line.

7. Click to expand the Address Resolution Protocol (request) line. Examine the information

in the ARP header. The ARP message has fields to indicate what technology is used in

the Network access layer (Ethernet) and the protocol type that needs the MAC address

(IP, in this case). Click again to collapse this line.

8. Next, in the top pane, click the ARP reply message immediately following the ARP

request. The Info column should be similar to “A.B.C.D is at 0A:1B:2C:3D:4E:5F.” The

MAC address in the ARP reply is the MAC address of your default gateway. Explore the

Network access and Internetwork headers for this frame. (Note: You might also find an

MGMT 393 Laboratory Manual Last Updated 16 Jun 2013

Activity 3.2 Page 4

ARP request and ARP reply for your DNS server if it's in the same network as your

computer.)

9. In the top pane, click the first ICMP Echo (ping) request message from your computer to

the destination computer at books.tomsho.com. The IP address should be

67.210.126.125, but IP addresses can change, so it might be different.

10. In the middle pane, click to expand the Internet Protocol line. Notice that the value in

the Time to live line is 1.

11. In the top pane, click the ICMP Time-to-live exceeded message that follows the Ping

request. This message was generated by the first router en route to books.tomsho.com.

Notice that the source address is the address of your default gateway.

12. Find the next ICMP Echo (Ping) Request message and view the TTL value. Tracert sends

three Echo Request messages for each TTL value, so the first three Echo Request

messages have a TTL value of 1. Find the fourth ICMP Echo (Ping) Request message and

view the TTL value, which should be 2. The Time-to-live exceeded message following it is

from the next router down the line. Tracert follows this pattern until reaching the

destination device (books.tomsho.com). Depending upon how far (how many network

devices and segments) you are from books.tomsho.com, this could be a LOT of “time

exceeded” messages.

Question: how do you think the number of such frames that Wireshark flags should

compare with the number of lines of output that Tracert generated?

13. Exit Wireshark, but leave the command prompt window open if you're continuing to the

next project.

PART 3: Working with DNS Tools (see Hands-On Project 5-7: Working with DNS tools, pgs 229-231)

You’ll again need your lab report open in one window, these instructions in another, and a

Command Prompt window -- but no WIRESHARK window. NOTE that we’re borrowing a

typographical convention from the textbook here: instead of showing you a C:> prompt with the

command on the line, the commands you’ll need to type in to the Command Prompt window

will be shown in BOLDFACE and HIGHLIGHTED in GREEN. (We’ll assume that “press Enter” is

after each command, if it’s not already shown, okay?)

In this project, you use Ipconfig to display and delete your DNS cache, and then view your Hosts

file. You also use Nslookup to query your DNS server.

QUESTION: Why would you ever want to clear or “flush” your local machine’s DNS cache? Think

about that, and have an answer together by the time you finish this Activity.

MGMT 393 Laboratory Manual Last Updated 16 Jun 2013

Activity 3.2 Page 5

1. If necessary, log on to your computer as NetAdmin and open a command prompt window.

2. To see a list of recent DNS lookups, type ipconfig /displaydns and press Enter. To delete

the entries, type ipconfig /flushdns and press Enter. (Remember, you MAY get that

WINDOWS warning about “elevation required,” if you’d already closed that elevated

Command Prompt window from Part 3). Display the DNS cache again. Unless there are

entries in your Hosts file, you should get the message “Could not display the DNS Resolver

Cache.”

Remember: At the command prompt, you can press the up and down arrow keys to

access recent commands you have entered.

3. To perform a DNS lookup, type ping www.course.com

and press Enter. Display the DNS cache again.

4. You should see a DNS record for www.course.com

that includes the IP address and other information. Another field in the DNS cache is a

TTL value, which is different from the TTL in an IP packet. This DNS TTL value is sent by the

DNS server maintaining the www.course.com record. It's measured in seconds and tells

your DNS client how long to cache the DNS record as a safeguard against clients holding

on to DNS records whose IP addresses might have changed.

5. To open your computer's Hosts file, click Start, point to All Programs, Accessories, right-

click Notepad, and click Run as administrator. In the UAC message box, click Yes. Click File,

Open from the Notepad menu. In the Open dialog box, navigate to

C:\Windows\System32\Drivers\Etc. In the File type drop-down list, click All Files. Double-

click the hosts file to open it.

6. After the last line in the file, type 67.210.126.125 books, and then save the file and exit

Notepad.

7. At the command prompt, type ipconfig /displaydns and press Enter to see that the entry is

in your DNS cache. Type ping books and press Enter. Delete the DNS cache (see Step 2),

and then display the DNS cache again. Notice that the books entry remains in the cache

because the Hosts file data always stays in the cache.

8. Type nslookup www.course.com

and press Enter. Your DNS server's name and IP address are displayed, along with the

name and IP address of www.course.com. You use Nslookup to look up a host's IP address

without actually communicating with it.

http://www.course.com/
MGMT 393 Laboratory Manual Last Updated 16 Jun 2013

Activity 3.2 Page 6

9. Type nslookup and press Enter. You enter Nslookup's interactive mode. Type

www.google.com

and press Enter. Notice that more than one address is returned along with one or more

aliases (other names that www.google.com goes by). Type www.google.com again (or

press the up arrow to repeat the last line you typed) and press Enter. You should see the

IP addresses returned in a different order. (If you don't, keep trying, and the order will

change.) The www.google.com page can be reached by a number of different IP

addresses, and the addresses are returned in a different order so that a different server is

used each time, which is called load balancing.

10. Type 198.60.123.100 and press Enter. Nslookup is also used to do reverse lookups, in

which the IP address is given and the hostname is returned.

11. To set the DNS server that Nslookup uses to a public DNS server run by Google, type

server 8.8.8.8 and press Enter. Then type www.microsoft.com

and press Enter. If you're ever concerned that your DNS server isn't working correctly,

you can test it with Nslookup and compare the results of your DNS server with the results

from another server, such as Google's.

12. Close down the Command Prompt window.

13. Go back into NOTEPAD as ADMINISTRATOR, open HOSTS, and remove the line about

books that you edited in in step 5 above.

Summarize and describe your findings in your lab report. Have you thought of some good

reasons why you might want to be able to come in and flush your DNS cache, or otherwise

directly poke at it?

This concludes this Activity. Wrap up your thoughts, and post them as an attachment to the Activity 3.2

in Module 3.