Assignment 3: Solutions


a. To obtain the mac address of

b. The host with IP address of and MAC address of d4:be:d9:9d:97:e8. Each of them is fine.

c. No. Because directly responds within a standard frame to the not in the broadcast manner.

d. To query for the mac address of the IP

e. 127. The Mac address of IP which is 00:00:0c:07:ac:02.

f. The packet is a Gratuitous ARP message which is useful for the purposes below:

  • detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.
  • assist in the updating of other machines’ ARP tables.  Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another. Other machines maintain an ARP table that contains the MAC associated with an IP. When the cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately then broadcasts a gratuitous ARP reply to inform the neighboring machines about the change in MAC for the IP. Machines receiving the ARP packet then update their ARP tables with the new MAC.
  • inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.
  • Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces.

Mentioning the Gratuitous ARP message and one of the above purpose is fine.

g. d4:be:d9:9d:b4:ba. This can be acheived from sender MAC address of any packet which has the source IP address of capturing host (


a. and

b. No. By finding the DHCP ack packets, we can find and as the source IP address. By finding the subnet mask for which is, we can find that they are not in the same subnet.

c. Two. We can obtain this by list all the DHCP Discover messages and then count the number of different mac address.

d. Because the capturing host wants to keep its previous IP address if it is possible.


a., and

b. The client may contacts several DNS server in parallel to save the time in the case of failure of one or when an address may not be cached in one DNS
server but may be cached in another.

c. 9 min and 31 second comes form DNS server.


a. The first certificate certifies the public key of, signed by “Go Daddy Secure Certificate Authority”. The second certificate certifies the
public key of “Go Daddy Secure Certificate Authority”, signed by “Go Daddy Root Certificate Authority”. The third certificate certifies the public key of “Go Daddy Root Certificate Authority”, signed by “Go Daddy Class 2 Certification Aut”.

b. Yes. A root CA can sign itself.

c. Packet 211 contains the master key encrypted with the public key of

22 comments to Assignment 3: Solutions

  1. Oh Shunhao says:

    So, since some of my answers are a little different, I would like to ask why the answers are as such:

    2a) Why do we give the public IP addresses of the DHCP servers (the relay addresse)?
    Shouldn’t we give the private addresses given in the DHCP server identifier field? aka:

    2b) Instead of comparing public address ( with private address (, shouldn’t we compare private address ( with private address ( to check if they are in the same subnet?

    2c) I only see 3 DHCP Discover messages, all coming from the same MAC address Supermic_ff:14:3c. (thus shouldn’t the answer be 1?)

    Q4c) Since packet 211 is sent from to the capturing host, if it is holding a master key, shouldn’t it be encrypted with the public key of the capturing host?
    ….or did the question actually mean packet 213?

    • saeid says:


      2a) Yes they are acceptable.

      2b) Yes. As long as you explain that you found the subnet mask of the capturing host, it is fine.

      2c) That is right but including capturing host (mentioned in the question) there are 2 :(

      4c). This is a typo. So, we accept both answers.

      Best Regards,

      • Oh Shunhao says:

        But the capturing host does not send out a DHCP Discover message during the capture period.

        • saeid says:

          It obtains an IP adrress through DHCP protocol and the question asking for the number of host which obtains the IP address through DHCP during capture time.

          • Oh Shunhao says:

            Wasn’t the IP address obtained before capture time?
            (for the capturing host)

          • Oh Shunhao says:

            Ok, it seems after a bit of discussion with a friend, there seems to be a bit of misunderstanding regarding the interpretation of question 2c.

            The question is asking one of these two:
            1) How many distinct clients request for an IP address from the DHCP server…?
            2) How many distinct clients request for the IP address of the DHCP server…?

            I had assumed it is the latter, due to the use of the word “the” (confusing grammar). Hence my answer is 1.

            However, I have recently come to realise that the question might be actually asking for the former.

            So is it supposed to be (1) or (2)?

        • saeid says:


          The question fro the pdf file is:
          “(c) (2 points) How many distinct clients (including the capturing host) request for the DHCP IP address in the subnet of capturing host during the trace time?”

          SO, the answer is 2.

          Best Regards,

          • Oh Shunhao says:

            As in, a number of people I know misinterpreted the question as asking for “how many clients are requesting for the IP address of the DHCP server?”

            ^- as in the IP address of the DHCP server itself. (like

            (the confusion came from the use of the word “the”)

            If the question refers to an IP address to be used by the client, it should say “a DHCP IP address”, because it can’t be possible that all clients are asking for the same IP address, as the word “the” seems to imply. Hence the misinterpretation.

  2. Yang Shun says:

    Hi Prof Ooi,

    May I know what is the difference between the meaning of answers for 1a and 1d? Do they mean different things?

    Yang Shun

  3. saeid says:


    The objectives of both packets are the same. However, they are issued by different hosts.


  4. Chan Jun Wei says:

    I just realize I have a typo on IP address:

    I wrote 172/26.190.1
    So I will get it wrong? :O

  5. Huang zhanxiang says:

    Hi Prof,
    For 2(b), can we check by observing the relay agent IP address field in packet DHCP ACK for capturing host? Because we can see or, which means that DHCP server is in different subnets so that relay agents are used to transfer the packets between client and DHCP server.

  6. Eric Liu Longyin says:

    I don’t think the public key of the server in question 4c) is used for encryption at all. Instead, there’s an additional server key exchange process involved in the TLS handshake that transfers a separate key which is used to replace the public key exchanged during the server certificate step.

    • saeid says:


      As mentioned there is typo in the question, the packet should be 213 in the question as Shunhao explained.

      Best Regards,

  7. LIN BAOYU says:

    for Q4.(C), the packet 211 mainly contains the certificate of server. According to textbook page 739, the packet with certificate contains the public key of server, which is encrypted by the private key of the CA.

  8. Seyrerir says:

    If you already feel that you are not coping with assignments from college, you can visit the service at and order a job. Experts will fulfill any of your assignments at the highest level.

  9. Jametta says:

    An indispensable assistant for students is the website and there is no exaggeration in this. Just use his services and you will understand everything yourself.

  10. Donald Lear says:

    Lots of students get help in Assignment by the Wikipedia, because there are lots of articles there to provide information about the subjects that they want, will help you to get the Wikipedia page

  11. solai says:

    I really enjoyed this site. This is such a Great resource that you are providing and you give it away for free. candy crush soda

  12. chin woo says:

    i like this word counter

Leave a Reply

Your email address will not be published. Required fields are marked *