Q1:
a. To obtain the MAC address of 172.26.190.1.
b. The host with IP address 172.26.191.183 and MAC address d4:be:d9:9d:97:e8. Either one is fine.
c. No, because 172.26.190.1 responds directly to 172.26.191.183 within a standard frame, not in a broadcast manner.
d. To query for the MAC address of the IP 172.26.190.1.
e. 127. The MAC address of IP 172.26.190.1, which is 00:00:0c:07:ac:02.
f. The packet is a gratuitous ARP message, which is useful for the purposes below:
- detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.
- assist in the updating of other machines’ ARP tables. Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another. Other machines maintain an ARP table that contains the MAC associated with an IP. When the cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately then broadcasts a gratuitous ARP reply to inform the neighboring machines about the change in MAC for the IP. Machines receiving the ARP packet then update their ARP tables with the new MAC.
- inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.
- Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP tells us that the host has just had a link-up event, such as a link bounce, a reboot of the machine, or the user/sysadmin on that host bringing the interface up. If we frequently see multiple gratuitous ARPs from the same host, it can be an indication of bad Ethernet hardware or cabling resulting in frequent link bounces.
Mentioning the gratuitous ARP message and one of the above purposes is fine.
g. d4:be:d9:9d:b4:ba. This can be obtained from the sender MAC address of any packet that has the source IP address of the capturing host (172.26.191.153).
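The conflict-detection and table-update behaviour described in answer f can be checked mechanically. The following is an added example, not part of the original answer key: it parses raw Ethernet/IPv4 ARP bodies, flags gratuitous ARPs (sender IP equal to target IP), and reports when an IP shows up with a different MAC. The function names and all sample addresses are constructed for illustration.

```python
import socket
import struct

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP body (used only to make sample input)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + socket.inet_aton(spa)
            + mac_bytes(tha) + socket.inet_aton(tpa))

def parse_arp(body):
    """Parse an Ethernet/IPv4 ARP body into its opcode and address fields."""
    if len(body) < 28:
        raise ValueError("ARP body shorter than 28 bytes")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    return {"oper": oper, "sha": sha.hex(":"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(":"), "tpa": socket.inet_ntoa(tpa)}

def watch(bodies):
    """Return (kind, ip, old_mac, new_mac) events for a sequence of ARP bodies."""
    table, events = {}, []
    for body in bodies:
        p = parse_arp(body)
        if p["spa"] == "0.0.0.0":          # ARP probe: sender claims no IP yet
            continue
        gratuitous = p["spa"] == p["tpa"]  # sender announces its own IP
        old = table.get(p["spa"])
        if old is not None and old != p["sha"]:
            # Same IP, different MAC: a failover move or an IP conflict
            events.append(("mac-change", p["spa"], old, p["sha"]))
        elif gratuitous:
            events.append(("gratuitous", p["spa"], old, p["sha"]))
        table[p["spa"]] = p["sha"]         # update the table like a neighbour would
    return events

# Constructed sample traffic (documentation addresses, locally administered MACs)
A, B, BCAST = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    build_arp(1, A, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),  # ordinary request
    build_arp(1, A, "192.0.2.10", BCAST, "192.0.2.10"),               # gratuitous, same MAC
    build_arp(2, B, "192.0.2.10", BCAST, "192.0.2.10"),               # gratuitous, new MAC
]

if __name__ == "__main__":
    for event in watch(SAMPLE):
        print(event)
```

A "mac-change" event alone does not distinguish a legitimate cluster failover from a conflict; that judgement needs knowledge of which MACs are expected for the IP.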
Q2:
a. 137.132.83.7 and 137.132.83.6
b. No. By finding the DHCP ACK packets, we can find 137.132.83.7 and 137.132.83.6 as the source IP addresses. By finding the subnet mask for 172.26.191.153, which is 255.255.254.0, we can see that they are not in the same subnet.
c. Two. We can obtain this by listing all the DHCP Discover messages and then counting the number of different MAC addresses.
d. Because the capturing host wants to keep its previous IP address if it is possible.
Q3:
a. 137.132.87.2, 137.132.85.2 and 137.132.94.2
b. The client may contact several DNS servers in parallel to save time in case one of them fails, or when an address may not be cached in one DNS server but may be cached in another.
c. 9 min and 31 seconds, which comes from the 137.132.85.2 DNS server.
Q4:
a. The first certificate certifies the public key of diasy.ubuntu.com, signed by “Go Daddy Secure Certificate Authority”. The second certificate certifies the public key of “Go Daddy Secure Certificate Authority”, signed by “Go Daddy Root Certificate Authority”. The third certificate certifies the public key of “Go Daddy Root Certificate Authority”, signed by “Go Daddy Class 2 Certification Aut”.
b. Yes. A root CA can sign itself.
c. Packet 211 contains the master key encrypted with the public key of diasy.ubuntu.com.