
Experiment Conditions:

Location: *
Equipment: Fujitsu Laptop running Win 8.1 (64-bit)
Browser: Chrome
Local IP address: 192.168.2.74

Task I
The first task was to capture all TCP traffic to/from Facebook while logging into a
Facebook account and then analyze the data.
A filter to record only TCP traffic to and from 31.13.71.96 (the IP address of
Facebook) was set and the capture was saved to Facebook 31.13.71.96.pcapng.
This was accomplished using the capture filter:
tcp and host 31.13.71.96
The login process was completed and the capture was stopped. A total of 315
packets were captured over the 15 seconds that the process took to complete.
Display filters by destination address were then used to count the packets to
and from Facebook:
ip.dst==31.13.71.96
ip.dst==192.168.2.74
We determined that we received 212 packets from Facebook while we sent 103
packets to it, close to a 2:1 ratio of packets received to packets sent.
Display filters were then written to analyze the flags set in the captured packets.
The following provides a summary of the filter expressions used and the data
gathered from the results.

A.) SYN Flag

To determine the number of TCP packets with the SYN flag set:
Display Filter =
tcp.flags.syn==1
Number of packets with SYN flag set = 4

To determine the number of TCP packets with the SYN flag not set:
Display Filter =
tcp.flags.syn==0
Packets with SYN flag not set = 311

To determine the number of TCP packets with SYN set and sent to host:
Display Filter =
tcp.flags.syn==1 && ip.dst==192.168.2.74
Packets received with SYN flag set = 2

To determine the number of TCP packets with SYN set and sent to Facebook:
Display Filter =
tcp.flags.syn==1 && ip.dst==31.13.71.96
Packets sent with SYN flag set = 2

B.) PSH Flag

To determine the number of TCP packets with the PSH flag set:
Display Filter =
tcp.flags.push==1
Packets with PSH flag set = 113

To determine the number of TCP packets with the PSH flag not set:
Display Filter =
tcp.flags.push==0
Packets with PSH flag not set = 202

To determine the number of TCP packets with PSH set and sent to host:
Display Filter =
tcp.flags.push==1 && ip.dst==192.168.2.74
Packets received with PSH flag set = 85

To determine the number of TCP packets with PSH set and sent to Facebook:
Display Filter =
tcp.flags.push==1 && ip.dst==31.13.71.96
Packets sent with PSH flag set = 28

C.) PSH or SYN Flags

To determine the number of TCP packets with the PSH or SYN flag set and sent to
host:
Display Filter =
(tcp.flags.push==1||tcp.flags.syn==1) && ip.dst==192.168.2.74
Packets received with PSH or SYN flag set = 87

To determine the number of TCP packets with the PSH or SYN flag set and sent to
Facebook:
Display Filter =
(tcp.flags.push==1||tcp.flags.syn==1) && ip.dst==31.13.71.96
Packets sent with PSH or SYN flag set = 30

D.) RST Flag

To determine the number of TCP packets with the RST flag set:
Display Filter =
tcp.flags.reset==1
Packets with RST flag set = 0

To determine the number of TCP packets with the RST flag not set:
Display Filter =
tcp.flags.reset==0
Packets with RST flag not set = 315

These results are summed up in the following table.

Captured TCP Packets Flags Statistics
Task: Capture all TCP traffic to/from Facebook, during the time when you log in to your Facebook account

Statistic                                                      Count
Total Captured Packets                                         315
Packets Sent to Facebook                                       103
Packets Received from Facebook                                 212
Packets Sent to Facebook with SYN flag set                     2
Packets Sent to Facebook with PSH flag set                     28
Packets Received from Facebook with SYN flag set               2
Packets Received from Facebook with PSH flag set               85
Packets Sent to Facebook with SYN or PSH flag set              30
Packets Received from Facebook with SYN or PSH flag set        87
Total Packets With SYN flag set                                4
Total Packets With PSH flag set                                113
Total Packets With RST flag set                                0
Total Packets With ACK flag set                                313
Total Packets With CWR flag set                                0
Total Packets With SYN and PSH flags set                       0

Summary of Analysis
From A, we can see that the percentage of packets with SYN set is 1.3%, with 4 in
315 packets having SYN set. Two of these packets were sent to Facebook while
two were received, so these are the two SYN packets our host sent when the
connections were set up and the two SYN-ACK responses sent back by Facebook.
From B, we can see that the percentage of packets with PSH set is 35.9%, with 113
in 202 packets having PSH set. 28 of these were sent to Facebook and 85 were
received, implying that a total of 28 data segments were sent to Facebook and 85
segments were received.
From C, we can see that a total of 87 packets with SYN or PSH set were received
and a total of 30 packets with SYN or PSH set were sent.
From D, we see that no reset was triggered and that the connections remained
established for the entire duration of the capture.
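As an added example (not part of the original report), the following Python script rebuilds the same per-flag statistics from raw Ethernet/IPv4/TCP frames, so the display-filter counts above can be cross-checked against a header-level parse. The frames, hosts and the helper names are constructed test data, not packets from the report's capture.

```python
import struct
from collections import Counter

# TCP flag bits, byte 13 of the TCP header (tcp.flags.* in Wireshark).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_frame(src, dst, flags, sport=50000, dport=443, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums zero; test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (src_ip, dst_ip, tcp_flags) or None if the frame is not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # EtherType and IP protocol
        return None
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    return src, dst, frame[14 + ihl + 13]              # flags byte of the TCP header

def flag_stats(frames, host, peer):
    """Reproduce the report's display-filter counts for one host/peer pair."""
    c = Counter()
    for f in frames:
        parsed = parse_frame(f)
        if parsed is None:
            continue
        src, dst, fl = parsed
        c["total"] += 1
        c["sent"] += int(dst == peer)                  # ip.dst==peer
        c["received"] += int(dst == host)              # ip.dst==host
        c["syn"] += int(bool(fl & SYN))                # tcp.flags.syn==1
        c["psh"] += int(bool(fl & PSH))                # tcp.flags.push==1
        c["rst"] += int(bool(fl & RST))                # tcp.flags.reset==1
        c["ack"] += int(bool(fl & ACK))
        # (push==1 || syn==1) && ip.dst==host: an OR, not both flags on one packet
        c["syn_or_psh_recv"] += int(bool(fl & (SYN | PSH)) and dst == host)
        c["syn_and_psh"] += int(bool(fl & SYN) and bool(fl & PSH))
    return dict(c)

HOST, PEER = "192.168.2.74", "31.13.71.96"            # addresses used in the report
FRAMES = [                                            # constructed: handshake, 2 data segments, 1 reset
    build_frame(HOST, PEER, SYN), build_frame(PEER, HOST, SYN | ACK), build_frame(HOST, PEER, ACK),
    build_frame(HOST, PEER, PSH | ACK, payload=b"GET / HTTP/1.1\r\n\r\n"),
    build_frame(PEER, HOST, PSH | ACK, payload=b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame(PEER, HOST, RST | ACK),
]
```

Running the same function over frames read from the report's .pcapng with a pcap library would give the counts in the table; the OR/AND distinction explains why "SYN or PSH" is 87 received while "SYN and PSH" is 0.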

Task II
The next task was to capture all HTTP traffic to and from Facebook while logging
into an account.
For this a capture filter was used to isolate TCP data headed to port 80 at
Facebook's IP:
tcp port 80 and host 31.13.71.96
The login process was completed and the capture was saved to raw.pcapng. 14
HTTP packets were captured over the duration of 20 seconds.
The number of packets sent to Facebook was determined using the filter:
ip.dst==31.13.71.96
A total of 8 packets were sent to Facebook, i.e. 8/14 packets.
The number of packets received from Facebook was determined using the
filter:
ip.dst==192.168.2.74
A total of 6 packets were received, i.e. 6/14 packets.

Task III
The last task was to capture all traffic to and from YouTube while playing a
popular video.
For this task we picked The Flash - Extended Trailer
(URL https://www.youtube.com/watch?v=Yj0l7iGKh8g).

No capture filters were utilized as YouTube servers may change during streaming.
The capture was saved to flashmovietrailer.pcapng. A total of 16889 packets
were received within the 5.76 minutes of capture.
Large amounts of traffic were observed to IP 173.194.130.18, but
communication to YouTube isn't limited to this single server. For the sake of
calculating the volume of transmitted traffic we consider only this IP, but for
other calculations (flags, etc.) the entire traffic is considered.
To isolate the packets sent by the host and received at YouTube, the display filter
ip.src==192.168.2.74 and ip.dst==173.194.130.18
was used. A total of 4264 packets were sent to YouTube, i.e. 4264/16889 packets.
To isolate the packets sent by YouTube and received by the host, the display filter
ip.src==173.194.130.18 and ip.dst==192.168.2.74
was used. A total of 10786 packets were received from YouTube, i.e.
10786/16889 packets.
The number of packets that had SYN set was determined using the filter
tcp.flags.syn==1
A total of 61 packets had the SYN flag set, so we can say that several connections
were re-established over the course of the capture.
The number of packets that had PSH set was determined using the filter
tcp.flags.push==1
A total of 604 packets had the PSH flag set. That is, a total of 604 data segments were
transmitted over the entire duration.
The number of packets with RST set was determined using the filter
tcp.flags.reset==1
A total of 26 packets had the RST flag set. This implies that a connection was reset
26 times over the course of the capture.
For our capture, the primary server for streaming the video seems to have
remained constant, with 15050/16889 packets coming from the same server
and the rest spread amongst several servers.
The capture file was exported as a .csv file and Excel was used to perform deeper
analysis; the following plots of SYN and PSH instances were obtained.

A.) Occurrence of SYN=1 flags plotted against time
[Histogram: NO OF PACKETS WITH SYN FLAG SET (0 to 12) vs TIME (seconds), 0 to 340 s]

B.) Occurrence of PSH=1 flags plotted against time
[Histogram: NO OF PACKETS WITH PSH FLAG SET (0 to 160) vs TIME (seconds), 0 to 340 s]

When A and B are compared, a correlation can be seen between the number of
PSH instances and the number of SYN instances for the majority of the transmission.
This could be related to connections being re-established after a segment is
transmitted, since more PSH instances mean more data segments are transmitted.

C.) Histogram of Packet sizes
[Histogram: NO OF PACKETS (up to 11000) vs SIZE RANGES]

We can see from C that close to one third of all transmissions use very
small packet sizes and two thirds use very large packet sizes, with only a
negligible fraction of packets of sizes in between.
