
Lab - Using Wireshark to Observe the TCP 3-Way Handshake

Topology

Objectives
Part 1: Prepare Wireshark to Capture Packets
Select an appropriate NIC interface to capture packets.

Part 2: Capture, Locate, and Examine Packets
Capture a web session to www.google.com.
Locate appropriate packets for a web session.
Examine information within packets, including IP addresses, TCP port numbers, and TCP control flags.

Background / Scenario
In this lab, you will use Wireshark to capture and examine packets generated between the PC browser using the HyperText Transfer Protocol (HTTP) and a web server, such as www.google.com. When an application, such as HTTP or File Transfer Protocol (FTP), first starts on a host, TCP uses the three-way handshake to establish a reliable TCP session between the two hosts: the client sends a segment with the SYN flag set, the server answers with SYN and ACK set, and the client completes the handshake with an ACK. For example, when a PC uses a web browser to surf the Internet, a three-way handshake is initiated and a session is established between the PC host and the web server. A PC can have multiple, simultaneous, active TCP sessions with various web sites.
Note: This lab cannot be completed using Netlab. This lab assumes that you have Internet access.

Required Resources
1 PC (Windows 7, Vista, or XP with command prompt access, Internet access, and Wireshark installed)

Part 1: Prepare Wireshark to Capture Packets
In Part 1, you start the Wireshark program and select the appropriate interface to begin capturing packets.

Step 1: Retrieve the PC interface addresses.
For this lab, you need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.
a. Open a command prompt window, type ipconfig /all and then press Enter.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6



b. Write down the IP and MAC addresses associated with the selected Ethernet adapter, because that is the source address to look for when examining captured packets.
The PC host IP address: 192.168.1.130
The PC host MAC address: c80aa9fade0d

Step 2: Start Wireshark and select the appropriate interface.
a. Click the Windows Start button and on the pop-up menu, double-click Wireshark.
b. After Wireshark starts, click Interface List.

c. In the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.




Note: If multiple interfaces are listed and you are unsure which interface to check, click Details. Click the 802.3 (Ethernet) tab, and verify that the MAC address matches what you wrote down in Step 1b. Close the Interface Details window after verification.

Part 2: Capture, Locate, and Examine Packets

Step 1: Click the Start button to start the data capture.
a. Go to www.google.com. Minimize the Google window, and return to Wireshark. Stop the data capture. You should see captured traffic similar to that shown below in step b.
Note: Your instructor may provide you with a different web site. If so, enter the web site name or address here:
____________________________________________________________________________________
b. The capture window is now active. Locate the Source, Destination, and Protocol columns.

Step 2: Locate appropriate packets for the web session.
If the computer was recently started and there has been no activity in accessing the Internet, you can see the entire process in the captured output, including the Address Resolution Protocol (ARP), Domain Name System (DNS), and the TCP three-way handshake. The capture screen in Part 2, Step 1 shows all the packets the computer must get to www.google.com. In this case, the PC already had an ARP entry for the default gateway; therefore, it started with the DNS query to resolve www.google.com.
a. Frame 11 shows the DNS query from the PC to the DNS server, attempting to resolve the domain name www.google.com to the IP address of the web server. The PC must have the IP address before it can send the first packet to the web server.
What is the IP address of the DNS server that the computer queried? 192.168.111
b. Frame 12 is the response from the DNS server with the IP address of www.google.com.
c. Find the appropriate packet for the start of your three-way handshake. In this example, frame 15 is the start of the TCP three-way handshake.
What is the IP address of the Google web server? 192.168.1.130
d. If you have many packets that are unrelated to the TCP connection, it may be necessary to use the Wireshark filter capability. Enter tcp in the filter entry area within Wireshark and press Enter.

Step 3: Examine information within packets including IP addresses, TCP port numbers, and TCP control flags.
a. In our example, frame 15 is the start of the three-way handshake between the PC and the Google web server. In the packet list pane (top section of the main window), select the frame. This highlights the line and displays the decoded information from that packet in the two lower panes. Examine the TCP information in the packet details pane (middle section of the main window).
b. Click the + icon to the left of the Transmission Control Protocol in the packet details pane to expand the view of the TCP information.
c. Click the + icon to the left of the Flags. Look at the source and destination ports and the flags that are set.
Note: You may have to adjust the top and middle window sizes within Wireshark to display the necessary information.




What is the TCP source port number? 49523
How would you classify the source port? random
What is the TCP destination port number? http (80)
How would you classify the destination port? http
Which flag (or flags) is set? no flags are set
What is the relative sequence number set to? 0
d. To select the next frame in the three-way handshake, select Go on the Wireshark menu and select Next Packet In Conversation. In this example, this is frame 16. This is the Google web server reply to the initial request to start a session.




What are the values of the source and destination ports? ______________________________________
Which flags are set? acknowledgement
What are the relative sequence and acknowledgement numbers set to? 0
e. Finally, examine the third packet of the three-way handshake in the example. Clicking frame 17 in the top window displays the following information in this example:

Examine the third and final packet of the handshake.
Which flag (or flags) is set? acknowledgment
The relative sequence and acknowledgement numbers are set to 1 as a starting point. The TCP connection is now established, and communication between the source computer and the web server can begin.
f. Close the Wireshark program.
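The three frames examined in Step 3, decoded by a small Ethernet II / IPv4 / TCP parser. This is an added example and not part of the original Cisco lab: the frames are constructed inline so the script runs offline (the client address 192.168.1.130, MAC c80aa9fade0d and source port 49523 mirror the lab; the gateway MAC 001122334455, the server address 203.0.113.80 and both initial sequence numbers are assumptions). It reports the same fields the lab asks for, classifies the ports by IANA range, and computes relative sequence and acknowledgement numbers the way Wireshark displays them, with each direction's initial sequence number taken as 0.

```python
"""Decode a TCP three-way handshake (SYN, SYN/ACK, ACK) from raw frames.

Added example for the Wireshark lab; the sample frames are constructed here,
not taken from the lab's capture.  Only Ethernet II / IPv4 / TCP without
options or payload is produced, which is all a handshake needs.
"""
import struct

# Bits of the TCP flags byte (RFC 793), in the order they are reported.
FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"),
              (0x01, "FIN"), (0x04, "RST"), (0x20, "URG")]
SYN, ACK = 0x02, 0x10


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Build a minimal Ethernet II / IPv4 / TCP frame (checksums left at zero;
    the decoder below does not verify them)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"  # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0x4000, 64, 6, 0,   # IHL 5, 40 bytes total, DF, TTL 64, proto 6
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)  # data offset 5 words
    return eth + ip + tcp


def decode_frame(frame):
    """Extract the fields the lab asks for from one raw frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[14 + 9] != 6:
        raise ValueError("not a TCP segment")
    tcp = 14 + ihl
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", frame[tcp:tcp + 14])
    return {
        "src_mac": frame[6:12].hex(), "dst_mac": frame[0:6].hex(),
        "src_ip": ".".join(map(str, frame[26:30])),   # IPv4 src/dst sit at fixed offsets 12/16
        "dst_ip": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in FLAG_NAMES if flags & bit],
    }


def classify_port(port):
    """IANA port ranges: well-known (0-1023), registered (1024-49151), dynamic (49152-65535)."""
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic"


def analyze_handshake(frames):
    """Decode three frames, check they form SYN -> SYN/ACK -> ACK, and report
    relative sequence/acknowledgement numbers as Wireshark shows them."""
    syn, synack, ack = (decode_frame(f) for f in frames)
    client = (syn["src_ip"], syn["sport"])
    server = (syn["dst_ip"], syn["dport"])
    isn = {client: syn["seq"], server: synack["seq"]}   # initial sequence number per sender
    m = 0xFFFFFFFF                                       # sequence space wraps at 2**32
    ok = (syn["flags"] == ["SYN"]
          and synack["flags"] == ["SYN", "ACK"]
          and (synack["src_ip"], synack["sport"]) == server
          and synack["ack"] == (syn["seq"] + 1) & m     # a SYN consumes one sequence number
          and ack["flags"] == ["ACK"]
          and ack["seq"] == (syn["seq"] + 1) & m
          and ack["ack"] == (synack["seq"] + 1) & m)
    summary = []
    for p in (syn, synack, ack):
        me, peer = (p["src_ip"], p["sport"]), (p["dst_ip"], p["dport"])
        summary.append({
            "src": f"{me[0]}:{me[1]} ({classify_port(me[1])})",
            "dst": f"{peer[0]}:{peer[1]} ({classify_port(peer[1])})",
            "flags": p["flags"],
            "rel_seq": (p["seq"] - isn.get(me, p["seq"])) & m,
            "rel_ack": (p["ack"] - isn.get(peer, 0)) & m if "ACK" in p["flags"] else 0,
        })
    return ok, summary


# Constructed sample handshake (assumption, not the lab's capture).  Client
# values mirror the lab; gateway MAC, server address and ISNs are made up.
CLIENT_MAC, GATEWAY_MAC = "c80aa9fade0d", "001122334455"
CLIENT_IP, SERVER_IP = "192.168.1.130", "203.0.113.80"
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x9F8E7D6C
SAMPLE_HANDSHAKE = [
    build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, 49523, 80, CLIENT_ISN, 0, SYN),
    build_frame(GATEWAY_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49523, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, 49523, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
]

if __name__ == "__main__":
    valid, rows = analyze_handshake(SAMPLE_HANDSHAKE)
    print("valid three-way handshake:", valid)
    for i, r in enumerate(rows, 1):
        print(f'{i}: {r["src"]} -> {r["dst"]} flags={"/".join(r["flags"])} '
              f'seq={r["rel_seq"]} ack={r["rel_ack"]}')
```

Run as a script it prints one line per frame. To check a real capture, select a frame in Wireshark, use Copy > ...as a Hex Stream from the packet list, and pass bytes.fromhex(...) of the three handshake frames to analyze_handshake; if the frame carries an 802.1Q tag or IPv6, decode_frame raises rather than misreporting fields.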

Reflection
1. There are hundreds of filters available in Wireshark. A large network could have numerous filters and many different types of traffic. Which three filters in the list might be the most useful to a network administrator?
_______________________________________________________________________________________
2. What other ways could Wireshark be used in a production network?
_______________________________________________________________________________________
_______________________________________________________________________________________

