wireshark tcp trace
TRANSCRIPT
1 | P a g e
Wireshark Assignment: TCP
Submitted By: Paras Raj Pahari
1. What is the IP address and TCP port number used by the client computer (source) that is
transferring the file to gaia.cs.umass.edu? To answer this question, it’s probably easiest to
select an HTTP message and explore the details of the TCP packet used to carry this HTTP
message, using the “details of the selected packet header window” (refer to Figure 2 in the
“Getting Started with Wireshark” Lab if you’re uncertain about the Wireshark windows.
Solution:
31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 [TCP segment of a reassembled PDU] Frame 31: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0 Ethernet II, Src: IntelCor_67:84:f0 (4c:80:93:67:84:f0), Dst: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da) Internet Protocol Version 4, Src: 192.168.1.72, Dst: 128.119.245.12 Transmission Control Protocol, Src Port: 50443, Dst Port: 80, Seq: 2122, Ack: 1, Len: 1460
IP address of source: 192.168.1.72
Source TCP port Number: 50443
2 | P a g e
2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending and
receiving TCP segments for this connection?
Solution:
31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 [TCP segment of a reassembled PDU] Frame 31: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0 Ethernet II, Src: IntelCor_67:84:f0 (4c:80:93:67:84:f0), Dst: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da) Internet Protocol Version 4, Src: 192.168.1.72, Dst: 128.119.245.12 Transmission Control Protocol, Src Port: 50443, Dst Port: 80, Seq: 2122, Ack: 1, Len: 1460
IP address of gaia.cs.umass.edu: 128.119.245.12
TCP port number used by gaia.cs.umass.edu: 80
3 | P a g e
3. What is the IP address and TCP port number used by your client computer (source) to
transfer the file to gaia.cs.umass.edu?
Solution:
31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 [TCP segment of a reassembled PDU] Frame 31: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0 Ethernet II, Src: IntelCor_67:84:f0 (4c:80:93:67:84:f0), Dst: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da) Internet Protocol Version 4, Src: 192.168.1.72, Dst: 128.119.245.12 Transmission Control Protocol, Src Port: 50443, Dst Port: 80, Seq: 2122, Ack: 1, Len: 1460
IP address of source: 192.168.1.72
Source TCP port Number: 50443
4 | P a g e
TCP Basics
Answer the following questions for the TCP segments:
4. What is the sequence number of the TCP SYN segment that is used to initiate the TCP
connection between the client computer and gaia.cs.umass.edu? What is it in the segment
that identifies the segment as a SYN segment?
Solution:
21 2.973840 192.168.1.72 128.119.245.12 TCP 66 50443 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 Frame 21: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0 Ethernet II, Src: IntelCor_67:84:f0 (4c:80:93:67:84:f0), Dst: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da) Internet Protocol Version 4, Src: 192.168.1.72, Dst: 128.119.245.12 Transmission Control Protocol, Src Port: 50443, Dst Port: 80, Seq: 0, Len: 0
Source Port: 50443 Destination Port: 80 [Stream index: 10] [TCP Segment Len: 0] Sequence number: 0 (relative sequence number) Acknowledgment number: 0 Header Length: 32 bytes Flags: 0x002 (SYN) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...0 .... = Acknowledgment: Not set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..1. = Syn: Set [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 80] [Connection establish request (SYN): server port 80] [Severity level: Chat] [Group: Sequence] .... .... ...0 = Fin: Not set
5 | P a g e
The sequence number of the TCP SYN segment that is used to initiate the TCP connection
between the client computer and gaia.cs.umass.edu is 0.
In the segment, the Syn flag is set to 1 that identifies this segment as SYN Segment.
6 | P a g e
5. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the
client computer in reply to the SYN? What is the value of the Acknowledgement field in
the SYNACK segment? How did gaia.cs.umass.edu determine that value? What is it in the
segment that identifies the segment as a SYNACK segment?
Solution:
22 3.035304 128.119.245.12 192.168.1.72 TCP 66 80 → 50443 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128 Frame 22: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0 Ethernet II, Src: Sagemcom_7b:4d:da (b0:b2:8f:7b:4d:da), Dst: IntelCor_67:84:f0 (4c:80:93:67:84:f0) Internet Protocol Version 4, Src: 128.119.245.12, Dst: 192.168.1.72 Transmission Control Protocol, Src Port: 80, Dst Port: 50443, Seq: 0, Ack: 1, Len: 0 Source Port: 80 Destination Port: 50443 [Stream index: 10] [TCP Segment Len: 0] Sequence number: 0 (relative sequence number) Acknowledgment number: 1 (relative ack number) Header Length: 32 bytes Flags: 0x012 (SYN, ACK)
000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80] [Connection establish acknowledge (SYN+ACK): server port 80] [Severity level: Chat] [Group: Sequence]
.... .... ...0 = Fin: Not set
7 | P a g e
The sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client
computer in reply to the SYN: 0
Value of acknowledgement field in the SYNACK segment is 1
The server gaia.cs.umass.edu increments 1 to the initial sequence number of SYN segment
from client. It means server is acknowledging that it has received the sequence 0 and further
waiting for next sequence 1 from client.
SYNACK segment is identified in segment as both SYN and Acknowledgement flag are set to 1.
8 | P a g e
6. What is the sequence number of the TCP segment containing the HTTP POST command?
Note: that in order to find the POST command, you’ll need to dig into the packet content
field at the bottom of the Wireshark window, looking for a segment with a “POST” within
its DATA field.
As shown in figure, we can see the POST command in packet content field. Thus sequence
number containing the HTTP POST command is 1.
9 | P a g e
7. Consider the TCP segment containing the HTTP POST as the first segment in the TCP
connection. What are the sequence numbers of the first six segments in the TCP connection
(including the segment containing the HTTP POST)? At what time was each segment sent?
When was the ACK for each segment received? Given the difference between when each
TCP segment was sent, and when its acknowledgement was received, what is the RTT value
for each of the six segments? What is the EstimatedRTT value (see Section 3.5.3, page 239
in text) after the receipt of each ACK? Assume that the value of the EstimatedRTT is equal
to the measured RTT for the first segment, and then is computed using the EstimatedRTT
equation on page 239 for all subsequent segments.
Note: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP
segments sent. Select a TCP segment in the “listing of captured packets” window that is being
sent from the client to the gaia.cs.umass.edu server. Then select: Statistics->TCP Stream
Graph->Round Trip Time Graph
Solution:
10 | P a g e
24 3.037245 192.168.1.72 128.119.245.12 TCP 715 50443 → 80 [PSH, ACK] Seq=1 Ack=1 Win=65700 Len=661 25 3.037798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=662 Ack=1 Win=65700 Len=1460 26 3.038396 128.119.245.12 192.168.1.72 TCP 60 80 → 50406 [ACK] Seq=1 Ack=2 Win=229 Len=0
27 3.038499 128.119.245.12 192.168.1.72 TCP 60 80 → 50408 [ACK] Seq=1 Ack=2 Win=229 Len=0
28 3.038547 128.119.245.12 192.168.1.72 TCP 54 80 → 50407 [RST] Seq=1 Win=0 Len=0
30 3.113406 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=662 Win=30592 Len=0 31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=2122 Ack=1 Win=65700 Len=1460 32 3.113743 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=2122 Win=33536 Len=0 33 3.113788 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=3582 Ack=1 Win=65700 Len=1460 34 3.113798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=5042 Ack=1 Win=65700 Len=1460 35 3.183655 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=3582 Win=36480 Len=0 36 3.183743 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=6502 Ack=1 Win=65700 Len=1460 37 3.183757 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=7962 Ack=1 Win=65700 Len=1460 38 3.190782 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=6502 Win=42240 Len=0 39 3.190846 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=9422 Ack=1 Win=65700 Len=1460 40 3.190858 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=10882 Ack=1 Win=65700 Len=1460 41 3.190868 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=12342 Ack=1 Win=65700 Len=1460 42 3.190873 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=13802 Ack=1 Win=65700 Len=1460 43 3.271689 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=9422 Win=48128 Len=0 44 3.271769 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=15262 Ack=1 Win=65700 Len=1460 45 3.271783 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [PSH, ACK] Seq=16722 Ack=1 Win=65700 Len=1460
Packet No 24, 25, 31,33,34,36 are first six segments in TCP connection including segment
containing HTTP POST
Packet No 30, 32, 35, 38, 43 are the Ack received
11 | P a g e
Packet No
Segments Sequence Number
Sent Time Ack Received Time
RTT (sec) Estimated RTT after ACK of segment Received(Sec)
24 Segment 1 1 3.037245 3.113406 (ACK 662) 0.076161 0.076161
25 Segment 2 662 3.037245 3.113743 (ACK 2122) 0.076498 0.076203125
31 Segment 3 2122 3.113504 3.183655 (Ack 3582) 0.070151 0.075446609
33 Segment 4 3582 3.113788 3.190782 (ACK 6502) 0.076994 0.075640033
34 Segment 5 5042 3.113798 3.190782 (ACK 6502) 0.076984 0.075808029
36 Segment 6 6502 3.183743 3.271689 (ACK 9422) 0.087946 0.077325275
According to Formulae given below, we calculated the Estimated RTT
Estimated RTT = 0.875*Estimated RTT +0.125*Sample RTT
Estimated RTT after ACK of Segment 1= 0.076161 sec
Estimated RTT after ACK of Segment 2= 0.875*0.076161+0.125*0.076498=0.076203125 sec
Estimated RTT after ACK of Segment 3= 0.875*0.076203125+0.125*0.070151=0.075446609 sec
Estimated RTT after ACK of Segment 4= 0.875*0.075446609+0.125*0.076994=0.075640033 sec
Estimated RTT after ACK of Segment 5= 0.875*0.075640033+0.125*0.076984=0.075808029 sec
Estimated RTT after ACK of Segment 6= 0.875*0.075808029+0.125*0.087946=0.077325275 sec
ROUND TRIP TIME GRAPH
12 | P a g e
8. What is the length of each of the first six TCP segments?
Solution:
24 3.037245 192.168.1.72 128.119.245.12 TCP 715 50443 → 80 [PSH, ACK] Seq=1 Ack=1 Win=65700 Len=661 25 3.037798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=662 Ack=1 Win=65700 Len=1460 26 3.038396 128.119.245.12 192.168.1.72 TCP 60 80 → 50406 [ACK] Seq=1 Ack=2 Win=229 Len=0
27 3.038499 128.119.245.12 192.168.1.72 TCP 60 80 → 50408 [ACK] Seq=1 Ack=2 Win=229 Len=0
28 3.038547 128.119.245.12 192.168.1.72 TCP 54 80 → 50407 [RST] Seq=1 Win=0 Len=0
30 3.113406 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=662 Win=30592 Len=0 31 3.113504 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=2122 Ack=1 Win=65700 Len=1460 32 3.113743 128.119.245.12 192.168.1.72 TCP 54 80 → 50443 [ACK] Seq=1 Ack=2122 Win=33536 Len=0 33 3.113788 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=3582 Ack=1 Win=65700 Len=1460 34 3.113798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=5042 Ack=1 Win=65700 Len=1460 35 3.183655 128.119.245.12 192.168.1.72 TCP 60 80 → 50443 [ACK] Seq=1 Ack=3582 Win=36480 Len=0 36 3.183743 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=6502 Ack=1 Win=65700 Len=1460
Segments Sequence Number Length in Bytes
Segment 1 1 661
Segment 2 662 1460
Segment 3 2122 1460
Segment 4 3582 1460
Segment 5 5042 1460
Segment 6 6502 1460
13 | P a g e
9. What is the minimum amount of available buffer space advertised at the receiver for the
entire trace?
Solution:
21 2.973840 192.168.1.72 128.119.245.12 TCP 66 50443 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 22 3.035304 128.119.245.12 192.168.1.72 TCP 66 80 → 50443 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128 23 3.035466 192.168.1.72 128.119.245.12 TCP 54 50443 → 80 [ACK] Seq=1 Ack=1 Win=65700 Len=0 24 3.037245 192.168.1.72 128.119.245.12 TCP 715 50443 → 80 [PSH, ACK] Seq=1 Ack=1 Win=65700 Len=661 25 3.037798 192.168.1.72 128.119.245.12 TCP 1514 50443 → 80 [ACK] Seq=662 Ack=1 Win=65700 Len=1460
The minimum amount of available buffer space advertised at the receiver for the entire trace
is indicated in the first SYNACK segment. It is 29200 bytes.
14 | P a g e
10. Are there any retransmitted segments in the trace file? What did you check for (in the
trace) in order to answer this question?
Solution:
No, there weren’t any retransmitted segments in the trace file. I checked for repeated entry for
segment with the same sequence number, but there was no such repetition.
15 | P a g e
4. TCP congestion control in action (For your reference)
We can see the action of TCP congestion control from Wireshark.
Select a TCP segment in the Wireshark’s “listing of captured-packets” window. Then select the
menu: Statistics->TCP Stream Graph-> Time-Sequence-Graph (Stevens). You should see a plot
that looks similar to the following plot, which was created from the captured packets in the
packet trace tcp-ethereal-trace-1 in http://gaia.cs.umass.edu/wireshark-labs/wireshark-trace.zip.
Here, each dot represents a TCP segment sent, plotting the sequence number of the segment versus the time at
which it was sent. Note that a set of dots stacked above each other represents a series of packets that were sent
back-to-back by the sender.
16 | P a g e
Time Sequence Graph (Stevens) from the captured packets of my experiment.