
WA5. ICMP Traffic Analysis with Wireshark

Statement

Your organization has recently become aware of potential ICMP-related attacks on its network and has tasked you with investigating this issue. As part of your investigation, you are to analyze ICMP traffic patterns in the network to gain a better understanding of the situation. One aspect of this investigation will involve looking at ICMP messages generated by Ping programs. In particular, you will be tasked with answering the following questions:

  1. Choose the first ICMP request packet that you come across and answer the following questions:
     a. What is the packet protocol and protocol number?
     b. What are the type and code number values of the ICMP packet?
     c. What is the checksum number and status?
  2. Examine the corresponding ICMP reply packet and answer the following questions:
     d. What type and code number values do the ICMP packets have?
     e. How many bytes are the checksum and identifier fields?
  3. Another aspect of this investigation will involve looking at ICMP messages generated by traceroute programs. In particular, you will be tasked with answering the following questions:
     f. What is the IP address of your host PC (from the traceroute result)?
     g. What is the IP address of the target destination host (from the traceroute result)?
  4. Additionally, as part of your investigation, you will need to save and submit two Wireshark capture files (one for the ping command capture and one for the traceroute command capture).
  5. Finally, you will need to take screenshots of the relevant information for all of the questions outlined above (a-g), along with their answers, and include them in an MS Word or PDF file. This file should then be submitted as your assignment.

Answer

1. Choose the first ICMP request packet that you come across and answer the following questions

  • I started the Wireshark capture and then ran the command ping google.com -c 5 according to the notes from Noviantika (2023).
  • We see that google.com resolves to 216.58.204.78 and the replies take about 10-15 ms to return.
  • The results of the ping command are shown in the following screenshot:

ping command

a. What is the packet protocol and protocol number?

  • Then I filtered the Wireshark capture by icmp to show only the ICMP packets and found the first ICMP request packet.
  • The protocol is ICMP and the protocol number is 1.
  • The results are shown in the following screenshot:

icmp protocol

b. What are the type and code number values of the ICMP packet?

  • The type number is 8 and the code number is 0.
  • The results are shown in the following screenshot:

icmp type and code

c. What is the checksum number and status?

  • The checksum number is 0x9d7a and the status is Good.
  • The results are shown in the following screenshot:

icmp checksum


2. Examine the corresponding ICMP reply packet and answer the following questions

  • The next packet is the ICMP reply packet to the request packet we just analyzed; the arrow in the screenshot below shows the request and reply packets.

icmp request and reply

d. What type and code number values do the ICMP packets have?

  • The type number is 0 and the code number is 0.
  • The results are shown in the following screenshot:

icmp type and code

e. How many bytes are the checksum and identifier fields?

  • The checksum is 0xa57a, which is 6 bytes according to UoPeople (2024).
  • The identifier is 0x180d (BE) / 0x0d18 (LE), which is 6 bytes according to UoPeople (2024).
  • The results are shown in the following screenshot:

icmp checksum and identifier
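To show where Wireshark's type, code, checksum "Good/Bad" status and BE/LE identifier values come from, here is an added example (not part of the original write-up) that dissects the 8-byte ICMP echo header and recomputes the RFC 1071 checksum. The packets are constructed inline; the identifier 0x180d is reused from the write-up, the payload is made up, so the checksum differs from the captured 0x9d7a.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented (ICMP checksum)."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an Echo Request/Reply with a correct checksum (constructed test data)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(pkt: bytes) -> dict:
    """Dissect the fields the way Wireshark's ICMP pane shows them."""
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    kinds = {ECHO_REQUEST: "Echo (ping) request", ECHO_REPLY: "Echo (ping) reply"}
    # Summing the whole message including the stored checksum yields 0 when it is right.
    status = "Good" if icmp_checksum(pkt) == 0 else "Bad"
    return {
        "type": icmp_type,
        "code": code,
        "kind": kinds.get(icmp_type, "other"),
        "checksum": f"0x{checksum:04x}",
        "checksum_status": status,
        "identifier_be": f"0x{ident:04x}",               # big-endian (network order)
        "identifier_le": f"0x{((ident & 0xFF) << 8) | (ident >> 8):04x}",  # byte-swapped
        "sequence_be": seq,
    }


# Constructed sample packets: the request and its matching reply.
REQUEST = build_echo(ECHO_REQUEST, 0x180D, 1, b"abcdefgh")
REPLY = build_echo(ECHO_REPLY, 0x180D, 1, b"abcdefgh")
CORRUPTED = REQUEST[:2] + b"\x00\x00" + REQUEST[4:]  # checksum zeroed in transit

if __name__ == "__main__":
    for p in (REQUEST, REPLY, CORRUPTED):
        print(parse_icmp_echo(p))
```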


3. Another aspect of this investigation will involve looking at ICMP messages generated by traceroute programs. In particular, you will be tasked with answering the following questions

  • I ran the command traceroute -Iq 1 google.com according to the notes from Dancuk (2021).
  • The -I flag is used to specify that ICMP ECHO requests should be used (as the default is to use UDP datagrams).
  • The -q 1 flag is used to specify the number of queries to send to each hop; we chose 1 to make the results more readable.
  • The results of the traceroute command are shown in the following screenshot:

traceroute command

f. What is the IP address of your host PC (from the traceroute result)?

  • The IP address of my host PC is 192.168.0.1 according to the traceroute result; however, this is the IP address of the Wi-Fi router's gateway rather than my host's IP address, as my host IP address is 192.168.0.5 according to the ipconfig command.
  • We can confirm this in Wireshark by filtering for icmp and looking through the results.
  • The results are shown in the following screenshot:

host IP address

g. What is the IP address of the target destination host (from the traceroute result)?

  • The IP address of the target destination host is 142.250.200.46 according to the traceroute result.
  • We can confirm this in Wireshark in the image below:

destination IP address
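The following added example (not part of the original write-up) rebuilds the traceroute -I -q 1 hop list from captured ICMP packets, which makes the answers to f and g explicit: the host's own address is the source of the outgoing Echo Requests, the first hop is the gateway that returned the first Time Exceeded message, and the destination is the host that finally sent an Echo Reply. The input imitates the columns of tshark -T fields -e ip.src -e ip.dst -e icmp.type -e ip.ttl, but the lines are constructed; the intermediate router 10.0.0.1 is made up.

```python
ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11

# Constructed capture: columns are ip.src, ip.dst, icmp.type, ip.ttl.
# With -q 1 each TTL gets exactly one probe; TTL 3 is left unanswered on purpose.
CAPTURE = """\
192.168.0.5\t142.250.200.46\t8\t1
192.168.0.1\t192.168.0.5\t11\t64
192.168.0.5\t142.250.200.46\t8\t2
10.0.0.1\t192.168.0.5\t11\t254
192.168.0.5\t142.250.200.46\t8\t3
192.168.0.5\t142.250.200.46\t8\t4
142.250.200.46\t192.168.0.5\t0\t117
"""


def parse_capture(text: str):
    """Turn tab-separated field lines into (src, dst, icmp_type, ttl) tuples."""
    for line in text.splitlines():
        src, dst, icmp_type, ttl = line.split("\t")
        yield src, dst, int(icmp_type), int(ttl)


def reconstruct_traceroute(records):
    """Return (host_ip, destination_ip, hops) where hops is a list of (ttl, answering_ip)."""
    host, destination, hops, pending = None, None, [], None
    for src, dst, icmp_type, ttl in records:
        if icmp_type == ECHO_REQUEST:
            host = host or src              # our own address: the probe source
            destination = destination or dst
            if pending is not None:         # previous probe got no answer: timeout
                hops.append((pending, "*"))
            pending = ttl                   # the TTL this probe was sent with
        elif icmp_type in (TIME_EXCEEDED, ECHO_REPLY) and pending is not None:
            hops.append((pending, src))     # the router (or target) that answered
            pending = None
            if icmp_type == ECHO_REPLY:     # the destination itself replied: done
                break
    if pending is not None:
        hops.append((pending, "*"))
    return host, destination, hops


if __name__ == "__main__":
    host, dest, hops = reconstruct_traceroute(parse_capture(CAPTURE))
    print("host:", host, "destination:", dest)
    for ttl, who in hops:
        print(f"{ttl:2d}  {who}")
```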


4. Additionally, as part of your investigation, you will need to save and submit two Wireshark capture files (one for the ping command capture and one for the traceroute command capture)

There are two Wireshark capture files attached to this document:

  • ping.pcapng: This file contains the Wireshark capture of the ping command.
  • traceroute.pcapng: This file contains the Wireshark capture of the traceroute command.

5. Finally, you will need to take screenshots of the relevant information for all of the questions outlined above (a-g), along with their answers, and include them in an MS Word or PDF file. This file should then be submitted as your assignment

The screenshots and answers are included in this document.


References