Build a TCP/IP Stack from Scratch · Module 01

Mini-Quiz & Exercises

Before we dive into writing any code, let's make sure the concepts from this setup have really clicked. These questions aren't about memorization — they're here to help you reason about what you just built.

Quick Quiz

What role does the Docker bridge play in your setup?

Think of it like network hardware — what physical device does it mimic?

Answer

The Docker bridge acts like a virtual Ethernet switch. It forwards packets between containers connected to the same network, just like a physical switch forwards frames between computers on a LAN.

Why do you see ARP packets before ICMP ones when you ping for the first time?

What problem is ARP solving that ping alone can't?

Answer

ARP resolves IP addresses to MAC addresses. Before the client can send an IP packet to 10.10.0.4, it needs to know the MAC address to put in the Ethernet header. ARP asks "Who has 10.10.0.4?" and gets back "I do, my MAC is 02:42:0a:0a:00:04."

Which layer were you observing when you ran tcpdump -ni eth0 inside the container?

(Hint: is it Ethernet, IP, or something higher?)

Answer

You were observing at the Link Layer (Layer 2) — seeing raw Ethernet frames. tcpdump captures at the network interface level, so you see the complete frame including Ethernet headers, not just the IP payload.

In the IP header, the total length field was 84 bytes. Can you explain what's included in that number — and what isn't?

Answer

The IP total length (84 bytes) includes:

  • IP header: 20 bytes
  • ICMP header: 8 bytes
  • ICMP payload: 56 bytes

It does NOT include the Ethernet header (14 bytes). The full Ethernet frame is 98 bytes total.

Practical Exercises

Exercise 1: Change the subnet

In your docker-compose.yml, edit the subnet under ipam: to 10.20.0.0/24, rebuild the containers, and verify they can still ping each other.

Did you notice the IPs and MACs changing?

docker compose down
# Edit docker-compose.yml
docker compose up -d --build
docker compose exec client ping -c 1 10.20.0.4

Exercise 2: Watch ARP caching in action

Run a single ping, then check the ARP cache in the client:

docker compose exec client arp -n

Then ping again — notice that there's no ARP broadcast this time?

That's because the mapping was cached. There is another entry in the ARP table — can you tell to which device/host it corresponds?

Note: If the arp command is not available, you can either install it with:

docker compose exec client bash
apt update && apt install -y net-tools

or just use:

docker compose exec client ip neigh

Exercise 3: Capture only replies

Use tcpdump -ni eth0 'icmp and icmp[0]=0' on the stack container to show only echo replies.

Can you tell which field identifies the ICMP type?

# Terminal 1: Start capture
docker compose exec stack tcpdump -ni eth0 'icmp and icmp[0]=0'
 
# Terminal 2: Send pings
docker compose exec client ping -c 3 10.10.0.4
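
To check the 84-byte quiz answer and the icmp[0] filter against actual bytes, the following added example (not part of the original course material) builds a constructed echo-reply frame and decodes it, rejecting frames whose IP total length does not fit the captured data. The client address 10.10.0.3, its MAC, and the ICMP id/sequence values are assumptions made for the sample.

```python
import struct

ETH_HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_reply() -> bytes:
    """Constructed sample frame: echo reply from 10.10.0.4 with a 56-byte payload."""
    # Assumed values (not from the page): client 10.10.0.3 / 02:42:0a:0a:00:03, id 0x1234, seq 1.
    icmp = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1) + bytes(range(56))
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 10, 0, 4]), bytes([10, 10, 0, 3]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("02420a0a0003" "02420a0a0004") + b"\x08\x00"  # dst, src, IPv4
    return eth + ip + icmp

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/ICMP and reject length fields that do not add up."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("too short for Ethernet + IPv4 headers")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("EtherType is not IPv4")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    # Trust the captured byte count, not the header: total_len must fit in what arrived.
    if ip[0] >> 4 != 4 or ihl < 20 or total_len < ihl + 8 or total_len > len(ip):
        raise ValueError("inconsistent IPv4 length fields")
    if ip[9] != 1:
        raise ValueError("IP protocol is not ICMP")
    icmp = ip[ihl:total_len]  # slicing by total_len drops any Ethernet padding
    return {
        "frame_len": len(frame), "ip_header_len": ihl, "ip_total_len": total_len,
        "icmp_type": icmp[0],  # the byte the filter icmp[0]=0 tests
        "icmp_payload_len": len(icmp) - 8, "icmp_checksum_ok": checksum(icmp) == 0,
    }

if __name__ == "__main__":
    print(parse_frame(build_echo_reply()))
```

A truncated capture fails the total-length check instead of being read past its end, which is the same validation your own stack will need on every received packet.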

Success Criteria

If you can explain each of these steps and predict what tcpdump will show before you run it, you've officially mastered your lab environment — you're now ready to start building your own network stack inside it.