[Computer Networks] Lab 5: UDP

2023-11-05

Objective

To look at the details of UDP (User Datagram Protocol). UDP is a transport protocol used throughout the Internet as an alternative to TCP when reliability is not required. It is covered in §6.4 of your text. Review that section before doing this lab.

Requirements

Wireshark: This lab uses the Wireshark software tool to capture and examine a packet trace. A packet trace is a record of traffic at a location on the network, as if a snapshot was taken of all the bits that passed across a particular wire. The packet trace records a timestamp for each packet, along with the bits that make up the packet, from the lower-layer headers to the higher-layer contents. Wireshark runs on most operating systems, including Windows, Mac and Linux. It provides a graphical UI that shows the sequence of packets and the meaning of the bits when interpreted as protocol headers and data. It color-codes packets by their type, and has various ways to filter and analyze packets to let you investigate the behavior of network protocols. Wireshark is widely used to troubleshoot networks. You can download it from www.wireshark.org if it is not already installed on your computer. We highly recommend that you watch the short, 5-minute video “Introduction to Wireshark” that is on the site.

ifconfig / ipconfig: This lab uses the “ipconfig” (Windows) or “ifconfig” (Mac/Linux) command-line utility to inspect the state of your computer’s network interface. ifconfig/ipconfig is installed as part of the operating system on Windows, Linux, and Mac computers.

Browser: This lab uses a web browser to find or fetch pages as a workload. Any web browser will do.

Step 1: Capture a Trace

There are many ways to cause your computer to send and receive UDP messages since UDP is widely used as a transport protocol. The easiest options are to:

  • Do nothing but wait for a while. UDP is used for many “system protocols” that typically run in the background and produce small amounts of traffic, e.g., DHCP for IP address assignment and NTP for time synchronization.
  • Use your browser to visit sites. UDP is used by DNS for resolving domain names to IP addresses, so visiting fresh sites will cause DNS traffic to be sent. Be careful not to visit unsafe sites; pick recommended sites or sites you know about but have not visited recently. Simply browsing the web is likely to cause a steady stream of DNS traffic.
  • Start up a voice-over-IP call with your favorite client. UDP is used by RTP, which is the protocol commonly used to carry media samples in a voice or video call over the Internet.

Proceed as follows to capture a trace of UDP traffic; alternatively, you may use a supplied trace:

  1. Launch Wireshark and start a capture with a filter of “udp”. Press ctrl+k to set up capture options. Your option window should be similar to the one pictured below. Select the interface from which to capture as the main wired or wireless interface used by your computer to connect to the Internet. If unsure, guess and revisit this step later if your capture is not successful. Switch “capture packets in promiscuous mode” to off. This mode is useful to overhear packets sent to/from other computers on broadcast networks. We only want to record packets sent to/from your computer. Leave other options at their default values. The capture filter, if present, is used to prevent the capture of other traffic your computer may send or receive.
  2. When the capture is started, perform some activities that will generate UDP traffic. We described several options above, e.g., browse the web.
  3. Wait a little while (say 60 seconds) after you have stopped your activity to also observe any background UDP traffic. It is likely that you will observe a trickle of UDP traffic because system activity often uses UDP to communicate. We want to see some of this activity.
  4. Use the Wireshark menus or buttons to stop the capture. You should now have a trace with possibly many UDP packets. Our example is shown below. We have selected a packet and expanded the detail of the UDP header.

Step 2: Inspect the Trace

Different computers are likely to capture different kinds of UDP traffic depending on the network setup and local activity. Observe that the protocol column is likely to show multiple protocols, none of which is UDP. This is because the listed protocol is an application protocol layered on top of UDP. Wireshark gives the name of the application protocol, not the (UDP) transport protocol unless Wireshark cannot determine the application protocol. However, even if the packets are listed as an application protocol, they will have a UDP protocol header for us to study, following the IP and lower-layer protocol headers.

Select different packets in the trace (in the top panel) and browse the expanded UDP header (in the middle panel). You will see that it contains the following fields:

  • Source Port, the port from which the UDP message is sent. It is given as a number and possibly a text name; names are given to port values that are registered for use with a specific application.
  • Destination Port. This is the port number and possibly name to which the UDP message is destined. Ports are the only form of addressing in UDP. The computer is identified using the IP address in the lower IP layer.
  • Length. The length of the UDP message.
  • Checksum. A checksum over the message that is used to validate its contents. Is your checksum carrying 0 and flagged as incorrect for UDP messages sent from your computer? On some computers, the operating system software leaves the checksum blank (zero) for the NIC to compute and fill in as the packet is sent. This is called protocol offloading. It happens after Wireshark sees the packet, which causes Wireshark to believe that the checksum is wrong and flag it with a different color to signal a problem. You can remove these false errors if they are occurring by telling Wireshark not to validate the checksums. Select “Preferences” from the Wireshark menus and expand the “Protocols” area. Look under the list until you come to UDP. Uncheck “Validate checksum if possible”. 

That is it. The UDP header has different values for different messages, but as you can see, it is short and sweet. The remainder of the message is the UDP payload, which is normally identified by the higher-layer protocol that it carries, e.g., DNS or RTP.

Step 3: UDP Message Structure

To check your understanding of UDP, sketch a figure of the UDP message structure as you observed. It should show the position of the IP header, UDP header, and UDP payload. Within the UDP header, show the position and size of each UDP field you can observe using Wireshark. Your figure can simply show the message as a long, thin rectangle.

Try not to look at the figure of a UDP segment in your text; check it afterwards to note and investigate any differences. To work out sizes, observe that when you click on a protocol block in the middle panel (the block itself) then Wireshark will highlight the bytes it corresponds to in the packet in the lower panel and display the length at the bottom of the window.

By looking at the details of the UDP messages in your trace, answer these questions:

  1. What does the Length field include? The UDP payload, UDP payload and UDP header, or UDP payload, UDP header, and lower layer headers?
  2. How long in bits is the UDP checksum?
  3. How long in bytes is the entire UDP header?

Turn-in: Hand in your drawing of a UDP message and the answers to the questions above.

Step 4: UDP Usage

To complete our understanding of UDP, we will look at how UDP is used in practice as a transport by applications. Beginning with IP, the next lower protocol layer, there are several issues we can consider. A first issue is how IP knows that the next higher protocol layer is UDP. The answer is that there is a Protocol field in the IP header that contains this information.

  1. Give the value of the IP Protocol field that identifies the upper layer protocol as UDP.

A second issue is how UDP messages are typically addressed at the IP layer. You might be surprised to find UDP messages in your trace that neither come from your computer nor are sent only to your computer. You can see this by sorting on the Source and Destination columns. The sources and destinations will be domain names if Network layer name resolution is turned on, and otherwise IP addresses. (You can toggle this setting using the View menu and selecting Name resolution.) You can find out the IP address of your computer using the “ipconfig” command (Windows) or “ifconfig” command (Mac/Linux). Simply type this command into a terminal window and look for the IPv4 address of the main interface. We have given examples below.

The reason you may find UDP messages without your computer’s IP address as either the source or destination IP address is that UDP is widely used as part of system protocols.

These protocols often send messages to all local computers who are interested in them using broadcast and multicast addresses.

In our traces, we find DNS (the domain name system), MDNS (DNS traffic that uses IP multicast), NTP (for time synchronization), NBNS (NetBIOS traffic), DHCP (for IP address assignment), SSDP (a service discovery protocol), STUN (a NAT traversal protocol), RTP (for carrying audio and video samples), and more. Your trace may have other protocols you have not heard about; it is OK, as there are a lot of protocols out there.

You can look them up on the web for fun.
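
To make the broadcast and multicast addressing concrete, here is an added example (not part of the original lab) that takes the source and destination addresses of captured UDP packets and reports the ones where the capturing host is neither endpoint, classified by destination type. The interface address and the flow list are constructed sample values.

```python
import ipaddress
from collections import Counter

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def classify_destination(dst: str, iface: ipaddress.IPv4Interface) -> str:
    """Label a destination address relative to the capturing interface."""
    addr = ipaddress.IPv4Address(dst)
    if addr == iface.ip:
        return "unicast-to-host"
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr == iface.network.broadcast_address:
        return "subnet-broadcast"
    if addr.is_multicast:                  # 224.0.0.0/4
        return "multicast"
    return "unicast-other"

def third_party_flows(flows, iface):
    """Return (src, dst, kind) for flows where the host is neither endpoint."""
    host = str(iface.ip)
    return [(s, d, classify_destination(d, iface))
            for s, d in flows if host not in (s, d)]

# Constructed sample: what ifconfig/ipconfig might report, plus a few flows.
IFACE = ipaddress.IPv4Interface("192.168.1.20/24")
FLOWS = [
    ("192.168.1.20", "192.168.1.1"),       # DNS query sent by the host
    ("192.168.1.33", "224.0.0.251"),       # MDNS from a neighbour
    ("192.168.1.1", "239.255.255.250"),    # SSDP from the router
    ("0.0.0.0", "255.255.255.255"),        # DHCP discover from a new client
    ("192.168.1.40", "192.168.1.255"),     # NBNS subnet broadcast
]

def summarize(flows=FLOWS, iface=IFACE) -> Counter:
    """Count third-party flows by destination kind."""
    return Counter(kind for _, _, kind in third_party_flows(flows, iface))
```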

  2. Examine the UDP messages and give the destination IP addresses that are used when your computer is neither the source IP address nor the destination IP address. (If you have only your computer as the source or destination IP address then you may use the supplied trace.)

Finally, let us look at the lengths of typical UDP messages. We know that UDP messages can be as large as roughly 64Kbytes. But as you browse you should see that most UDP messages are much shorter than this maximum, so that UDP messages fit in a single packet.

  3. What is the typical size of UDP messages in your trace?

Turn-in: Hand in your answers to the questions above.

Explore on your own

We encourage you to keep exploring on your own, but there is not much more to UDP.

Instead, you might examine the traffic of UDP-based applications to look at packet sizes and loss rates.

Voice-over-IP and its companion protocols like RTP (Real-Time Protocol) are good candidates.

Similarly, you might explore streaming and real-time applications to see which use UDP and which use TCP as a transport.
