ICT504 IT Networking and Communication Tutorial 1: NAT Assignment Help

ICT504

IT Networking and Communication

Tutorial 1: NAT

10 Marks

 

 

July 2024

In this lab, we’ll investigate the behavior of a NAT router. This lab will be different from our other Wireshark labs, where we’ve captured a trace file at a single Wireshark measurement point. Because we’re interested in capturing packets at both the input and output sides of the NAT device, we’ll need to capture packets at two locations. Also, because many students don’t have easy access to a NAT device or to two computers on which to take Wireshark measurements, this isn’t a lab that is easily done “live” by a student. So, in this lab, you’ll use Wireshark trace files that we’ve captured for you. This should be a relatively short and easy lab since the concepts behind NAT aren’t difficult, but it’ll be good nonetheless to observe NAT in action. Before beginning this lab, you’ll probably want to review the material on NAT in section 4.3.3 in the text.

 

 

NAT Measurement Scenario

You can download the captured packet trace files (NAT_home_side and NAT_ISP_side) from the LMS and open them in Wireshark.

 

Figure 1: NAT packet capture scenario

 

In this lab, we’ll capture packets from a simple web request from a client PC in a home network to a www.google.com server. Within the home network, the home network router provides a NAT service, as discussed in Chapter 4. Figure 1 shows our Wireshark trace-collection scenario. As in our other Wireshark labs, we collect a Wireshark trace on the client PC in our home network. This file is called NAT_home_side. Because we are also interested in the packets being sent by the NAT router into the ISP, we’ll collect a second trace file at a PC (not shown) tapping into the link from the home router into the ISP network, as shown in Figure 1. (The hub device shown on the ISP side of the router is used to tap into the link between the NAT router and the first hop router in the ISP). Client-to-server packets captured by Wireshark at this point will have undergone NAT translation. The Wireshark trace file captured on the ISP side of the home router is called NAT_ISP_side.

 

Answer the following questions (1-11) by downloading the Wireshark captured packet files NAT_home_side and NAT_ISP_side from the LMS and opening them in Wireshark. To justify your answers, you must provide a detailed screenshot from the captured Wireshark file. Otherwise, you will not receive marks for the question.

Open the NAT_home_side file and answer the following questions. You might find it useful to use a Wireshark filter so that only frames containing HTTP messages are displayed from the trace file.

  1. What is the IP address of the client?
  2. The client actually communicates with several different Google servers in order to implement “safe browsing.” (See extra credit section at the end of this lab). The main Google server that will serve up the main Google web page has IP address 64.233.169.104. In order to display only those frames containing HTTP messages that are sent to/from this Google server, enter the expression “http && ip.addr == 64.233.169.104” (without quotes) into the Filter: field in Wireshark.
  3. Consider now the HTTP GET sent from the client to the Google server (whose IP address is 64.233.169.104) at time 7.102967. What are the source and destination IP addresses and TCP source and destination ports on the IP datagram carrying this HTTP GET?
  4. At what time is the corresponding 200 OK HTTP message received from the Google server? What are the source and destination IP addresses and TCP source and destination ports on the IP datagram carrying this HTTP 200 OK message?
  5. Recall that before a GET command can be sent to an HTTP server, TCP must first set up a connection using the three-way SYN/ACK handshake. At what time is the client-to-server TCP SYN segment sent that sets up the connection used by the GET sent at time 7.102967? What are the source and destination IP addresses and source and destination ports for the TCP SYN segment? What are the source and destination IP addresses and source and destination ports of the ACK sent in response to the SYN? At what time is this ACK received at the client? (Note: to find these segments you will need to clear the Filter expression you entered above in step 2. If you enter the filter “tcp”, only TCP segments will be displayed by Wireshark).

In the following we’ll focus on the two HTTP messages (GET and 200 OK) and the TCP SYN and ACK segments identified above. Our goal below will be to locate these two HTTP messages and two TCP segments in the trace file (NAT_ISP_side) captured on the link between the router and the ISP. Because these captured frames will have already been forwarded through the NAT router, some of the IP address and port numbers will have been changed as a result of NAT translation.

 

 

Open the NAT_ISP_side file. Note that the timestamps in this file and in NAT_home_side are not synchronized since the packet captures at the two locations shown in Figure 1 were not started simultaneously. (Indeed, you should discover that the timestamp of a packet captured at the ISP link is actually less than the timestamp of the packet captured at the client PC).

  6. In the NAT_ISP_side trace file, find the HTTP GET message that was sent from the client to the Google server at time 7.102967 (where t=7.102967 is the time at which this was sent as recorded in the NAT_home_side trace file). At what time does this message appear in the NAT_ISP_side trace file? What are the source and destination IP addresses and TCP source and destination ports on the IP datagram carrying this HTTP GET (as recorded in the NAT_ISP_side trace file)? Which of these fields are the same, and which are different, than in your answer to question 3 above?
  7. Are any fields in the HTTP GET message changed? Which of the following fields in the IP datagram carrying the HTTP GET are changed: Version, Header Length, Flags, Checksum. If any of these fields have changed, give a reason (in one sentence) stating why this field needed to change.
  8. In the NAT_ISP_side trace file, at what time is the first 200 OK HTTP message received from the Google server? What are the source and destination IP addresses and TCP source and destination ports on the IP datagram carrying this HTTP 200 OK message? Which of these fields are the same, and which are different than your answer to question 4 above?
  9. In the NAT_ISP_side trace file, at what time were the client-to-server TCP SYN segment and the server-to-client TCP ACK segment corresponding to the segments in question 5 above captured? What are the source and destination IP addresses and source and destination ports for these two segments? Which of these fields are the same, and which are different than your answer to question 5 above?

Figure 4.22 in the text shows the NAT translation table in the NAT router.

  10. Using your answers to 1-8 above, fill in the NAT translation table entries for the HTTP connection considered in questions 1-8 above.
  11. Explain how NAT works.
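
The two-capture comparison this lab walks through by hand can also be done programmatically, which is how NAT mappings are usually reconstructed when correlating logs from both sides of a gateway. The Python sketch below is an added example, not part of the original lab; the `Pkt` record, the function names and every address, port and sequence number are constructed for illustration and are not values from NAT_home_side or NAT_ISP_side.

```python
import ipaddress
from collections import namedtuple

# One captured TCP segment, reduced to the fields the lab compares.
Pkt = namedtuple("Pkt", "src sport dst dport seq flags")

def build_nat_table(home_pkts, isp_pkts, lan_cidr):
    """Join outbound segments seen on both sides of the NAT router.

    NAT rewrites source IP/port but not destination endpoint, TCP sequence
    number or flags, so those form the join key. Returns (table, unmatched).
    """
    lan = ipaddress.ip_network(lan_cidr)
    isp_index = {(p.dst, p.dport, p.seq, p.flags): p for p in isp_pkts}
    table, unmatched = {}, []
    for h in home_pkts:
        if ipaddress.ip_address(h.src) not in lan:
            continue  # inbound segment: its destination was already translated back
        i = isp_index.get((h.dst, h.dport, h.seq, h.flags))
        if i is None:
            unmatched.append(h)  # seen at the client, never seen on the ISP link
        else:
            table[(i.src, i.sport)] = (h.src, h.sport)  # WAN side -> LAN side
    return table, unmatched

def translate_inbound(table, pkt):
    """Rewrite an ISP-side inbound segment as the router would; None if no mapping."""
    lan_side = table.get((pkt.dst, pkt.dport))
    return None if lan_side is None else pkt._replace(dst=lan_side[0], dport=lan_side[1])

# Constructed sample traces (documentation addresses, not values from the lab files).
HOME = [
    Pkt("10.0.0.5", 51000, "198.51.100.20", 80, 1000, "SYN"),
    Pkt("198.51.100.20", 80, "10.0.0.5", 51000, 9000, "SYN-ACK"),
    Pkt("10.0.0.5", 51000, "198.51.100.20", 80, 1001, "PSH-ACK"),
    Pkt("10.0.0.9", 51000, "198.51.100.20", 80, 5000, "SYN"),   # same port, other host
    Pkt("10.0.0.5", 51001, "198.51.100.20", 80, 7000, "SYN"),   # absent from ISP trace
]
ISP = [
    Pkt("203.0.113.7", 51000, "198.51.100.20", 80, 1000, "SYN"),
    Pkt("198.51.100.20", 80, "203.0.113.7", 51000, 9000, "SYN-ACK"),
    Pkt("203.0.113.7", 51000, "198.51.100.20", 80, 1001, "PSH-ACK"),
    Pkt("203.0.113.7", 40001, "198.51.100.20", 80, 5000, "SYN"),  # port remapped
]

if __name__ == "__main__":
    table, unmatched = build_nat_table(HOME, ISP, "10.0.0.0/24")
    for wan, lan in table.items():
        print(f"WAN {wan[0]}:{wan[1]}  <->  LAN {lan[0]}:{lan[1]}")
```

Timestamps are deliberately left out of the join key because, as noted above, the two captures are not synchronized.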
